ChiliProject is not maintained anymore. Please be advised that there will be no more updates.

We do not recommend that you set up new ChiliProject instances and we urge all existing users to migrate their data to a maintained system, e.g. Redmine. We will provide a migration script later. In the meantime, you can use the instructions by Christian Daehn.

A "{{" somewhere in the text breaks the whole layout (Bug #795)


Added by Thomas Winkel at 2011-12-27 03:19 pm. Updated at 2013-02-20 09:12 pm.


Status: Open
Start date: 2011-12-27
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Text formatting
Target version: -
Remote issue URL:
Affected version: 3.0.0

Description

[Liquid Syntax Error] Variable '{{' was not properly terminated with regexp: /\}\}/
In this case the text is interpreted as HTML. So you could actually embed external html code using iframes, for example. Demonstration: {{ <iframe src="http://www.gpsies.com/mapOnly.do?fileId=qmexplgbnujcijia" width="600" height="400" frameborder="0" scrolling="no" marginheight="0" marginwidth="0"></iframe>

Associated revisions

Revision a92cce38
Added by Jean-Philippe Lang at 2008-03-09 12:47 pm

Textile formatting:
  • escape html tags, except pre tags (#807, #795)
  • try to avoid unwanted quick phrase modifiers

git-svn-id: http://redmine.rubyforge.org/svn/trunk@1216 e93f8b46-1217-0410-a6f0-8f06a7374b81

Revision d7ebffb7
Added by Holger Just at 2012-01-16 02:10 pm

[#795] Generate error flash on Liquid syntax error

History

Updated by Holger Just at 2011-12-27 04:01 pm

This bug concerns two different aspects:
  • Liquid uses syntax similar to the old macros and provides a compatibility layer for those. The parsing and execution of the dynamic stuff is completely different though.
  • Liquid is a bit more strict about accepted syntax than what the macros used to accept.

What you observe here is a syntax error in Liquid (which uses the double braces for variables). Thus, Liquid is unable to properly parse the document and bails. What you observe now is that we used to just return the input to the browser.

The bug should have been fixed some time ago (one day before the 3.0.0beta1 release) in 4656cf1c57de4c08c0166e750e6ac9d1b97cbe53. It now returns the escaped input if there is a syntax error. chiliproject.org currently runs a slightly adapted version which does not yet include this patch.

Please try it again with either the 3.0.0beta1 release if the bug (i.e. the unescaped return of input data on syntax error) still exists there.

  • Status changed from Open to Needs more information

Updated by Holger Just at 2011-12-27 05:28 pm

FYI: I just upgraded chiliproject.org to 3.0.0beta1. As you can see, the input is escaped now. The only thing missing is probably some meaningful error message.

Updated by Thomas Winkel at 2011-12-27 08:28 pm

Ok, I confirm: no problems with beta 1.
Sorry for the trouble, next time I will double-check with the current unstable.

> The only thing missing is probably some meaningful error message

I think the best way would be to interpret these characters as normal text in this case.
This would not destroy the layout, but the user will directly see his mistake, anyhow.
And for the unlikely case that the user really needs these characters in this context, then everything is just fine.

Updated by Holger Just at 2012-01-16 01:12 pm

I added an error message in d7ebffb.

I'm still thinking about your proposal to skip the liquid layer and just pass the input through textile...

  • Status changed from Needs more information to Open

Updated by Roger Hunwicks at 2013-02-19 01:52 pm

Thomas Winkel wrote:

> And for the unlikely case that the user really needs these characters in this context, then everything is just fine.

We use Symfony2, and {{ and {% are both tags in the Twig templating language it uses. That means we can't put Twig code into code blocks in Issue notes unless we manually substitute &#123; for the leading {. The same would be true for anyone using Mustache as a templating language.

Updated by Holger Just at 2013-02-20 09:12 pm

You can use the {% raw %} tag of liquid to define a block of text that should not be evaluated as a liquid template. Unless you use this tag in your custom template language, you should be safe.
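
The failure mode discussed in this thread, as an added example that is not part of the issue or of ChiliProject's code: a formatter that returns the input verbatim when template parsing fails, next to one that returns the escaped input, plus the `{% raw %}` escape hatch. The parser is a hypothetical stand-in (not the Liquid gem), and `render_template`, `format_vulnerable`, `format_fixed` and the sample input are assumed names and constructed data.

```ruby
require 'cgi'

# Hypothetical stand-in for the template parse step (NOT the Liquid gem):
# it understands only {{ var }} and {% raw %}...{% endraw %}.
class TemplateSyntaxError < StandardError; end

RAW_BLOCK = /\{%\s*raw\s*%\}(.*?)\{%\s*endraw\s*%\}/m

# Normal path: all user text is HTML-escaped before it reaches the browser.
def render_template(text, vars = {})
  # split with a capture group: odd indexes hold the raw block bodies
  text.split(RAW_BLOCK).each_with_index.map do |part, i|
    next CGI.escapeHTML(part) if i.odd? # raw body: literal, never evaluated
    unterminated = part.gsub(/\{\{.*?\}\}/m, '').include?('{{')
    raise TemplateSyntaxError, "Variable '{{' was not properly terminated" if unterminated
    CGI.escapeHTML(part).gsub(/\{\{\s*(\w+)\s*\}\}/) do
      CGI.escapeHTML(vars.fetch(Regexp.last_match(1), '').to_s)
    end
  end.join
end

# Behaviour reported in the issue: on a syntax error the input is
# handed back as-is, so embedded markup reaches the page unescaped.
def format_vulnerable(text, vars = {})
  render_template(text, vars)
rescue TemplateSyntaxError
  text
end

# Behaviour after the fix described in the thread: the error path
# returns the escaped input, so the fallback is no weaker than the normal path.
def format_fixed(text, vars = {})
  render_template(text, vars)
rescue TemplateSyntaxError
  CGI.escapeHTML(text)
end

# Constructed sample input modelled on the report (placeholder URL).
BROKEN = '{{ <iframe src="https://example.invalid/"></iframe>'
TWIG   = 'Twig: {% raw %}{{ title }}{% endraw %}'

if $PROGRAM_NAME == __FILE__
  puts format_vulnerable(BROKEN) # markup survives
  puts format_fixed(BROKEN)      # markup is escaped
  puts format_fixed(TWIG)        # braces kept as literal text
end
```

The general check when reviewing a formatter like this is that every `rescue` branch applies the same output encoding as the success path.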
