Escape text passed to gfm by link_to_gfm

Robert Speicher
1 parent 01974185
Showing 3 changed files with 12 additions and 5 deletions Show diff stats
app/helpers/gitlab_markdown_helper.rb
app/views/commits/_commit_box.html.haml
spec/helpers/gitlab_markdown_helper_spec.rb
@@ -12,8 +12,8 @@ module GitlabMarkdownHelper
   # "<a>outer text </a><a>gfm ref</a><a> more outer text</a>").
   def link_to_gfm(body, url, html_options = {})
     return "" if body.blank?
-    
-    gfm_body = gfm(body, html_options)
+
+    gfm_body = gfm(escape_once(body), html_options)
  
     gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match|
       "</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1
@@ -11,10 +11,10 @@
       = link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do
         %strong Browse Code »
     %h3.commit-title.page_title
-      = gfm @commit.title
+      = gfm escape_once(@commit.title)
     - if @commit.description.present?
       %pre.commit-description
-        = gfm @commit.description
+        = gfm escape_once(@commit.description)
   .commit-info
     .row
       .span4
@@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do
       actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo')
       actual.should have_selector 'a.gfm.gfm-commit.foo'
     end
+
+    it "escapes HTML passed in as the body" do
+      actual = "This is a <h1>test</h1> - see ##{issues[0].id}"
+      link_to_gfm(actual, commit_path).should match('&lt;h1&gt;test&lt;/h1&gt;')
+    end
   end
  
   describe "#markdown" do
     it "should handle references in paragraphs" do
-      markdown("\n\nLorem ipsum dolor sit amet, consectetur adipiscing elit. #{commit.id} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.\n").should == "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. #{link_to commit.id, project_commit_path(project, commit), title: commit.link_title, class: "gfm gfm-commit "} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.</p>\n"
+      actual = "\n\nLorem ipsum dolor sit amet. #{commit.id} Nam pulvinar sapien eget.\n"
+      expected = project_commit_path(project, commit)
+      markdown(actual).should match(expected)
     end
  
     it "should handle references in headers" do
...	...	@@ -12,8 +12,8 @@ module GitlabMarkdownHelper
12	12	# "<a>outer text </a><a>gfm ref</a><a> more outer text</a>").
13	13	def link_to_gfm(body, url, html_options = {})
14	14	return "" if body.blank?
15		-
16		- gfm_body = gfm(body, html_options)
	15	+
	16	+ gfm_body = gfm(escape_once(body), html_options)
17	17
18	18	gfm_body.gsub!(%r{<a.?>.?</a>}m) do \|match\|
19	19	"</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1
...	...
...	...	@@ -11,10 +11,10 @@
11	11	= link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do
12	12	%strong Browse Code »
13	13	%h3.commit-title.page_title
14		- = gfm @commit.title
	14	+ = gfm escape_once(@commit.title)
15	15	- if @commit.description.present?
16	16	%pre.commit-description
17		- = gfm @commit.description
	17	+ = gfm escape_once(@commit.description)
18	18	.commit-info
19	19	.row
20	20	.span4
...	...
...	...	@@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do
292	292	actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo')
293	293	actual.should have_selector 'a.gfm.gfm-commit.foo'
294	294	end
	295	+
	296	+ it "escapes HTML passed in as the body" do
	297	+ actual = "This is a <h1>test</h1> - see ##{issues[0].id}"
	298	+ link_to_gfm(actual, commit_path).should match('<h1>test</h1>')
	299	+ end
295	300	end
296	301
297	302	describe "#markdown" do
298	303	it "should handle references in paragraphs" do
299		- markdown("\n\nLorem ipsum dolor sit amet, consectetur adipiscing elit. #{commit.id} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.\n").should == "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. #{link_to commit.id, project_commit_path(project, commit), title: commit.link_title, class: "gfm gfm-commit "} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.</p>\n"
	304	+ actual = "\n\nLorem ipsum dolor sit amet. #{commit.id} Nam pulvinar sapien eget.\n"
	305	+ expected = project_commit_path(project, commit)
	306	+ markdown(actual).should match(expected)
300	307	end
301	308
302	309	it "should handle references in headers" do
...	...