Commit 496f88afe10f95a7aa64ea8ab10e57412f827283
1 parent
01974185
Exists in
master
and in
4 other branches
Escape text passed to gfm by link_to_gfm
Showing
3 changed files
with
12 additions
and
5 deletions
Show diff stats
app/helpers/gitlab_markdown_helper.rb
| @@ -12,8 +12,8 @@ module GitlabMarkdownHelper | @@ -12,8 +12,8 @@ module GitlabMarkdownHelper | ||
| 12 | # "<a>outer text </a><a>gfm ref</a><a> more outer text</a>"). | 12 | # "<a>outer text </a><a>gfm ref</a><a> more outer text</a>"). |
| 13 | def link_to_gfm(body, url, html_options = {}) | 13 | def link_to_gfm(body, url, html_options = {}) |
| 14 | return "" if body.blank? | 14 | return "" if body.blank? |
| 15 | - | ||
| 16 | - gfm_body = gfm(body, html_options) | 15 | + |
| 16 | + gfm_body = gfm(escape_once(body), html_options) | ||
| 17 | 17 | ||
| 18 | gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match| | 18 | gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match| |
| 19 | "</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1 | 19 | "</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1 |
app/views/commits/_commit_box.html.haml
| @@ -11,10 +11,10 @@ | @@ -11,10 +11,10 @@ | ||
| 11 | = link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do | 11 | = link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do |
| 12 | %strong Browse Code » | 12 | %strong Browse Code » |
| 13 | %h3.commit-title.page_title | 13 | %h3.commit-title.page_title |
| 14 | - = gfm @commit.title | 14 | + = gfm escape_once(@commit.title) |
| 15 | - if @commit.description.present? | 15 | - if @commit.description.present? |
| 16 | %pre.commit-description | 16 | %pre.commit-description |
| 17 | - = gfm @commit.description | 17 | + = gfm escape_once(@commit.description) |
| 18 | .commit-info | 18 | .commit-info |
| 19 | .row | 19 | .row |
| 20 | .span4 | 20 | .span4 |
spec/helpers/gitlab_markdown_helper_spec.rb
| @@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do | @@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do | ||
| 292 | actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo') | 292 | actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo') |
| 293 | actual.should have_selector 'a.gfm.gfm-commit.foo' | 293 | actual.should have_selector 'a.gfm.gfm-commit.foo' |
| 294 | end | 294 | end |
| 295 | + | ||
| 296 | + it "escapes HTML passed in as the body" do | ||
| 297 | + actual = "This is a <h1>test</h1> - see ##{issues[0].id}" | ||
| 298 | + link_to_gfm(actual, commit_path).should match('<h1>test</h1>') | ||
| 299 | + end | ||
| 295 | end | 300 | end |
| 296 | 301 | ||
| 297 | describe "#markdown" do | 302 | describe "#markdown" do |
| 298 | it "should handle references in paragraphs" do | 303 | it "should handle references in paragraphs" do |
| 299 | - markdown("\n\nLorem ipsum dolor sit amet, consectetur adipiscing elit. #{commit.id} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.\n").should == "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. #{link_to commit.id, project_commit_path(project, commit), title: commit.link_title, class: "gfm gfm-commit "} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.</p>\n" | 304 | + actual = "\n\nLorem ipsum dolor sit amet. #{commit.id} Nam pulvinar sapien eget.\n" |
| 305 | + expected = project_commit_path(project, commit) | ||
| 306 | + markdown(actual).should match(expected) | ||
| 300 | end | 307 | end |
| 301 | 308 | ||
| 302 | it "should handle references in headers" do | 309 | it "should handle references in headers" do |