Escape text passed to gfm by link_to_gfm

2012-09-19 19:42:26 -04:00 · 2012-09-19 19:42:26 -04:00 · 496f88afe1
parent 01974185a1
commit 496f88afe1
3 changed files with 12 additions and 5 deletions
--- a/app/helpers/gitlab_markdown_helper.rb
+++ b/app/helpers/gitlab_markdown_helper.rb
@ -12,8 +12,8 @@ module GitlabMarkdownHelper
  # "<a>outer text </a><a>gfm ref</a><a> more outer text</a>").
  def link_to_gfm(body, url, html_options = {})
    return "" if body.blank?
-    
-    gfm_body = gfm(body, html_options)
+
+    gfm_body = gfm(escape_once(body), html_options)

    gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match|
      "</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1
--- a/app/views/commits/_commit_box.html.haml
+++ b/app/views/commits/_commit_box.html.haml
@ -11,10 +11,10 @@
      = link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do
        %strong Browse Code »
    %h3.commit-title.page_title
-      = gfm @commit.title
+      = gfm escape_once(@commit.title)
    - if @commit.description.present?
      %pre.commit-description
-        = gfm @commit.description
+        = gfm escape_once(@commit.description)
  .commit-info
    .row
      .span4
--- a/spec/helpers/gitlab_markdown_helper_spec.rb
+++ b/spec/helpers/gitlab_markdown_helper_spec.rb
@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do
      actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo')
      actual.should have_selector 'a.gfm.gfm-commit.foo'
    end
+
+    it "escapes HTML passed in as the body" do
+      actual = "This is a <h1>test</h1> - see ##{issues[0].id}"
+      link_to_gfm(actual, commit_path).should match('&lt;h1&gt;test&lt;/h1&gt;')
+    end
  end

  describe "#markdown" do
    it "should handle references in paragraphs" do
-      markdown("\n\nLorem ipsum dolor sit amet, consectetur adipiscing elit. #{commit.id} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.\n").should == "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. #{link_to commit.id, project_commit_path(project, commit), title: commit.link_title, class: "gfm gfm-commit "} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.</p>\n"
+      actual = "\n\nLorem ipsum dolor sit amet. #{commit.id} Nam pulvinar sapien eget.\n"
+      expected = project_commit_path(project, commit)
+      markdown(actual).should match(expected)
    end

    it "should handle references in headers" do