Question

The Textile documentation says Redmine (which is using Textile) is able to use inline HTML. This works well in the test on the documentation website. Entering HTML there, it is parsed as HTML and displayed as any normal browser would.

However, in our Redmine installation, we cannot seem to do the same thing. Entering HTML here, it gets written literally into the database. But coming out it's sanitized, meaning that the HTML tags are displayed rather than interpreted by the browser (<table> becomes &lt;table&gt;).

This might be a security issue, sanitization being enabled by default. I've found a hint at an option called "sanitize_html", but cannot find any reference on how to configure this to be off. I will add that this is an internal Redmine installation only, so disabling this feature shouldn't be a problem. I've also found hints that RoR from a specific version on automagically sanitizes output, so this might be the culprit; I'm not sure.


Solution

I think you need to define a whitelist of allowed tags. I found this tip at http://www.redmine.org/issues/843#note-15, and did the following to allow iframe tags in our instance:

  1. Add a new file in redmine's config/initializers directory. I don't think the filename matters. I called mine allowed_tags.rb.
  2. Put this line in the file: RedCloth3::ALLOWED_TAGS << "iframe"
  3. Make the permissions and ownership match the other *.rb files in that directory.
  4. Restart Redmine.
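The following is an added example, not part of the answer above and not Redmine's or RedCloth's own code. It models what the initializer does (appending tag names to a whitelist Array) and what a whitelist filter does with tags that are not on the list, so you can see the "<table> becomes &lt;table&gt;" effect and check the consequence of adding a tag before restarting. `RedCloth3Stub` stands in for `RedCloth3` (assumption: the real constant is a mutable Array of lowercase tag names; the default contents here are made up), and `sanitize`, `allow_tags!` and `risky_allowed_tags` are hypothetical helpers written for this example. Attribute filtering is deliberately left out.

```ruby
require 'cgi'

# Stand-in for RedCloth3::ALLOWED_TAGS. Assumption: a mutable Array of lowercase
# tag names. The default list below is invented for this example, not copied
# from Redmine.
module RedCloth3Stub
  ALLOWED_TAGS = %w[a b i em strong p br pre code table tr td th]
end

# The effect of the initializer line `RedCloth3::ALLOWED_TAGS << "iframe"`,
# written as a function so it can be called and checked. Each tag is appended
# at most once, so reloading the initializer does not grow the list.
def allow_tags!(list, *names)
  names.each do |n|
    tag = n.downcase
    list << tag unless list.include?(tag)
  end
  list
end

# Minimal whitelist filter (hypothetical, not RedCloth's): a tag whose name is
# not on the list is HTML-escaped so the browser shows it literally. Allowed
# tags pass through untouched, attributes included, which is exactly why
# whitelisting iframe or script needs thought.
def sanitize(html, allowed)
  html.gsub(%r{</?([A-Za-z][A-Za-z0-9]*)[^>]*>}) do |tag|
    allowed.include?(Regexp.last_match(1).downcase) ? tag : CGI.escapeHTML(tag)
  end
end

# Tags whose presence on the whitelist lets any wiki/issue editor run script or
# embed arbitrary external content in other users' browsers. Run this over the
# final list before restarting Redmine.
RISKY_TAGS = %w[script iframe object embed style form].freeze

def risky_allowed_tags(allowed)
  allowed & RISKY_TAGS
end

if __FILE__ == $0
  # Constructed sample input, not real Redmine content.
  input = '<table><tr><td>x</td></tr></table><iframe src="https://example.com/"></iframe>'
  list = RedCloth3Stub::ALLOWED_TAGS.dup

  puts sanitize(input, list)   # iframe is escaped, table is kept
  allow_tags!(list, 'iframe')  # what the initializer does
  puts sanitize(input, list)   # iframe now passes through as-is
  puts "risky tags now allowed: #{risky_allowed_tags(list).inspect}"
end
```

Once `iframe` is on the list, anyone who can edit a page can embed any URL for every other viewer, since only the tag name is checked; on an internal instance that may be acceptable, but treat `script` the same way and you have stored XSS for every Redmine user.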
Licensed under: CC-BY-SA with attribution