Merge pull request #1512 from tsigo/escape_gfm
Better escaping of text passed into GFM
commit
ae1d9fb46a
11 changed files with 23 additions and 14 deletions
@ -12,8 +12,8 @@ module GitlabMarkdownHelper
|
||||||
# "<a>outer text </a><a>gfm ref</a><a> more outer text</a>").
|
# "<a>outer text </a><a>gfm ref</a><a> more outer text</a>").
|
||||||
def link_to_gfm(body, url, html_options = {})
|
def link_to_gfm(body, url, html_options = {})
|
||||||
return "" if body.blank?
|
return "" if body.blank?
|
||||||
|
|
||||||
gfm_body = gfm(body, html_options)
|
gfm_body = gfm(escape_once(body), html_options)
|
||||||
|
|
||||||
gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match|
|
gfm_body.gsub!(%r{<a.*?>.*?</a>}m) do |match|
|
||||||
"</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1
|
"</a>#{match}#{link_to("", url, html_options)[0..-5]}" # "</a>".length +1
|
||||||
|
|
|
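Review bot: The new `escape_once` call changes `link_to_gfm`'s contract — `body` is now treated as plain text and any markup in it is escaped — but the doc comment above the method (its tail is visible at the top of the hunk) does not say so. If I recall the Rails implementation correctly, `escape_once` escapes `<`, `>`, `"` and bare `&` even when the argument is already `html_safe`, so a caller that passed pre-rendered HTML as `body` will now see it escaped; worth stating, e.g. `# +body+ is treated as untrusted plain text: HTML in it is escaped before GFM processing,` followed by `# so the <a> scan below only ever sees anchors generated by gfm itself.` The `gsub!` block that follows continues past the end of the hunk.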
@ -11,10 +11,10 @@
|
||||||
= link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do
|
= link_to tree_project_ref_path(@project, @commit.id), class: "browse-button primary grouped" do
|
||||||
%strong Browse Code »
|
%strong Browse Code »
|
||||||
%h3.commit-title.page_title
|
%h3.commit-title.page_title
|
||||||
= gfm @commit.title
|
= gfm escape_once(@commit.title)
|
||||||
- if @commit.description.present?
|
- if @commit.description.present?
|
||||||
%pre.commit-description
|
%pre.commit-description
|
||||||
= gfm @commit.description
|
= gfm escape_once(@commit.description)
|
||||||
.commit-info
|
.commit-info
|
||||||
.row
|
.row
|
||||||
.span4
|
.span4
|
||||||
|
|
|
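Review bot: `escape_once` on `@commit.title` and `@commit.description` deliberately leaves anything that already looks like an entity alone, so a title that literally contains `&amp;` or `&lt;` is displayed decoded rather than as typed; commit messages and issue titles are plain text that is never pre-escaped, so `h`/`html_escape` would be the exact-fidelity choice, e.g. `= gfm h(@commit.title)`. The same applies to the other view hunks in this PR (`@issue.title`, `@merge_request.title`, `@milestone.title` and the three `truncate(commit.title, …)` sites). If `escape_once` was chosen because some of these strings can arrive already escaped, a one-line comment on the `gfm` helper saying so would stop the next reader from "fixing" it.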
@ -5,4 +5,4 @@
|
||||||
%strong.cdark= commit.author_name
|
%strong.cdark= commit.author_name
|
||||||
–
|
–
|
||||||
= image_tag gravatar_icon(commit.author_email), class: "avatar", width: 16
|
= image_tag gravatar_icon(commit.author_email), class: "avatar", width: 16
|
||||||
= gfm truncate(commit.title, length: 50) rescue "--broken encoding"
|
= gfm escape_once(truncate(commit.title, length: 50)) rescue "--broken encoding"
|
||||||
|
|
|
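Review bot: The `rescue "--broken encoding"` modifier on the changed line now also covers `escape_once`, and as a bare modifier it swallows every `StandardError` (a `NoMethodError` on a nil title, any bug inside `gfm`), not just encoding failures, so a regression in the helper would silently render as "--broken encoding" instead of failing. Haml's inline `rescue` cannot name an exception class, so the block form is needed to narrow it to `ArgumentError` (invalid byte sequence) and `EncodingError` (the parent of `Encoding::CompatibilityError`), which are what Ruby raises for the case this guard exists for. The fallback text is kept unchanged.
```haml
- begin
  = gfm escape_once(truncate(commit.title, length: 50))
- rescue ArgumentError, EncodingError
  --broken encoding
```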
@ -31,7 +31,7 @@
|
||||||
.alert-message.error.status_info Closed
|
.alert-message.error.status_info Closed
|
||||||
- else
|
- else
|
||||||
.alert-message.success.status_info Open
|
.alert-message.success.status_info Open
|
||||||
= gfm @issue.title
|
= gfm escape_once(@issue.title)
|
||||||
|
|
||||||
.middle_box_content
|
.middle_box_content
|
||||||
%cite.cgray Created by
|
%cite.cgray Created by
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
.alert-message.error.status_info Closed
|
.alert-message.error.status_info Closed
|
||||||
- else
|
- else
|
||||||
.alert-message.success.status_info Open
|
.alert-message.success.status_info Open
|
||||||
= gfm @merge_request.title
|
= gfm escape_once(@merge_request.title)
|
||||||
|
|
||||||
.middle_box_content
|
.middle_box_content
|
||||||
%div
|
%div
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
.alert-message.error.status_info Closed
|
.alert-message.error.status_info Closed
|
||||||
- else
|
- else
|
||||||
.alert-message.success.status_info Open
|
.alert-message.success.status_info Open
|
||||||
= gfm @milestone.title
|
= gfm escape_once(@milestone.title)
|
||||||
%small.right= @milestone.expires_at
|
%small.right= @milestone.expires_at
|
||||||
|
|
||||||
.middle_box_content
|
.middle_box_content
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
%code= commit.short_id
|
%code= commit.short_id
|
||||||
|
|
||||||
= image_tag gravatar_icon(commit.author_email), class: "", width: 16
|
= image_tag gravatar_icon(commit.author_email), class: "", width: 16
|
||||||
= gfm truncate(commit.title, length: 40)
|
= gfm escape_once(truncate(commit.title, length: 40))
|
||||||
%span.update-author.right
|
%span.update-author.right
|
||||||
= time_ago_in_words(commit.committed_date)
|
= time_ago_in_words(commit.committed_date)
|
||||||
ago
|
ago
|
||||||
|
|
|
@ -13,7 +13,7 @@
|
||||||
= link_to project_commits_path(@project, commit.id) do
|
= link_to project_commits_path(@project, commit.id) do
|
||||||
%code= commit.short_id
|
%code= commit.short_id
|
||||||
= image_tag gravatar_icon(commit.author_email), class: "", width: 16
|
= image_tag gravatar_icon(commit.author_email), class: "", width: 16
|
||||||
= gfm truncate(commit.title, length: 40)
|
= gfm escape_once(truncate(commit.title, length: 40))
|
||||||
%td
|
%td
|
||||||
%span.right.cgray
|
%span.right.cgray
|
||||||
= time_ago_in_words(commit.committed_date)
|
= time_ago_in_words(commit.committed_date)
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
= link_to project_commit_path(@project, commit.id) do
|
= link_to project_commit_path(@project, commit.id) do
|
||||||
%code= commit.short_id
|
%code= commit.short_id
|
||||||
= image_tag gravatar_icon(commit.author_email), class: "", width: 16
|
= image_tag gravatar_icon(commit.author_email), class: "", width: 16
|
||||||
= gfm truncate(commit.title, length: 40)
|
= gfm escape_once(truncate(commit.title, length: 40))
|
||||||
%td
|
%td
|
||||||
%span.update-author.right
|
%span.update-author.right
|
||||||
= time_ago_in_words(commit.committed_date)
|
= time_ago_in_words(commit.committed_date)
|
||||||
|
|
|
@ -48,8 +48,10 @@ module Gitlab
|
||||||
def gfm(text, html_options = {})
|
def gfm(text, html_options = {})
|
||||||
return text if text.nil?
|
return text if text.nil?
|
||||||
|
|
||||||
# prevents the string supplied through the _text_ argument to be altered
|
# Duplicate the string so we don't alter the original, then call to_str
|
||||||
text = text.dup
|
# to cast it back to a String instead of a SafeBuffer. This is required
|
||||||
|
# for gsub calls to work as we need them to.
|
||||||
|
text = text.dup.to_str
|
||||||
|
|
||||||
@html_options = html_options
|
@html_options = html_options
|
||||||
|
|
||||||
|
|
|
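Review bot: `gfm` still accepts unescaped text — escaping is left to each caller — so that contract should be stated on the method itself, e.g. above `def gfm`: `# +text+ must already be HTML-escaped by the caller (see the escape_once calls in the views and in link_to_gfm); gfm only adds reference links and does not escape.` Any `gfm` call site this PR did not touch (if there are any) keeps rendering its argument unescaped; since `escape_once` does not re-escape existing entities, applying it here right after `text = text.dup.to_str` would be compatible with the callers changed in this PR and would close that gap in one place, provided the view helper is in scope in this module. The new three-line comment explaining the `to_str` cast is justified, as the SafeBuffer/`gsub` interaction is not obvious from the code. `gfm`'s body continues past the end of the hunk.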
@ -292,11 +292,18 @@ describe GitlabMarkdownHelper do
|
||||||
actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo')
|
actual = link_to_gfm("Fixed in #{commit.id}", commit_path, class: 'foo')
|
||||||
actual.should have_selector 'a.gfm.gfm-commit.foo'
|
actual.should have_selector 'a.gfm.gfm-commit.foo'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "escapes HTML passed in as the body" do
|
||||||
|
actual = "This is a <h1>test</h1> - see ##{issues[0].id}"
|
||||||
|
link_to_gfm(actual, commit_path).should match('<h1>test</h1>')
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "#markdown" do
|
describe "#markdown" do
|
||||||
it "should handle references in paragraphs" do
|
it "should handle references in paragraphs" do
|
||||||
markdown("\n\nLorem ipsum dolor sit amet, consectetur adipiscing elit. #{commit.id} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.\n").should == "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. #{link_to commit.id, project_commit_path(project, commit), title: commit.link_title, class: "gfm gfm-commit "} Nam pulvinar sapien eget odio adipiscing at faucibus orci vestibulum.</p>\n"
|
actual = "\n\nLorem ipsum dolor sit amet. #{commit.id} Nam pulvinar sapien eget.\n"
|
||||||
|
expected = project_commit_path(project, commit)
|
||||||
|
markdown(actual).should match(expected)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "should handle references in headers" do
|
it "should handle references in headers" do
|
||||||
|
|
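Review bot: The new example asserts `match('<h1>test</h1>')` — as rendered here that is the raw tag, which would only pass if the markup survived unescaped; presumably the page decoded `&lt;h1&gt;…` entities from the source, but the example should be checked and, either way, strengthened with a negative assertion on the unescaped form, `link_to_gfm(actual, commit_path).should_not include('<h1>')`, so it fails if the escaping is ever dropped. In the `#markdown` example, `match(expected)` with a path string builds a Regexp from it, so `.` in the path matches any character; `markdown(actual).should include(expected)` is exact. Note also that the previous exact-output comparison was replaced by a contains check, so the link's title and class attributes are no longer verified by this example.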