22115-dont_double_escape_deleted_diff_parts.diff

Felix Schäfer, 2016-02-25 21:31



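--- a/lib/redmine/helpers/diff.rb
+++ b/lib/redmine/helpers/diff.rb
@@ -23,6 +23,7 @@
       include ERB::Util
       include ActionView::Helpers::TagHelper
       include ActionView::Helpers::TextHelper
+      include ActionView::Helpers::OutputSafetyHelper
       attr_reader :diff, :words
 
       def initialize(content_to, content_from)
@@ -53,7 +54,7 @@
             else
               del_at = pos unless del_at
               deleted << ' ' unless deleted.empty?
-              deleted << h(change[2])
+              deleted << change[2]
               words_del  += 1
             end
           end
@@ -62,13 +63,14 @@
             words[add_to] = words[add_to] + '</span>'.html_safe
           end
           if del_at
-            words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + deleted + '</span>'.html_safe
+            # deleted is not safe html at this point
+            words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe
             dels += 1
             del_off += words_del
             words_del = 0
           end
         end
-        words.join(' ').html_safe
+        safe_join(words, ' ')
       end
     end
   end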
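Review bot: `safe_join(words, ' ')` escapes every element of `words` that is not already html_safe, so the context line `words[add_to] = words[add_to] + '</span>'.html_safe` in the last hunk is only correct if `words[add_to]` was already turned into an html_safe buffer when the opening `diff_in` span was prepended, which happens above the hunk and cannot be confirmed here; a plain String plus a SafeBuffer yields a plain String, which safe_join would then escape, printing the span tags literally. The deleted branch is consistent with the new joining rule: `change[2]` is appended raw and escaped exactly once through `h(deleted)` before being wrapped in the safe span tags. A comment above `if del_at` such as `# words[add_to] must already be an html_safe buffer here, otherwise safe_join escapes the span markup` would record that invariant next to the line that relies on it. The enclosing method starts before the hunk.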
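--- a/test/unit/lib/redmine/helpers/diff_test.rb
+++ b/test/unit/lib/redmine/helpers/diff_test.rb
@@ -22,4 +22,16 @@
     diff = Redmine::Helpers::Diff.new("foo", "bar")
     assert_not_nil diff
   end
+
+  def test_dont_double_escape
+    # 3 cases to test in the before: first word, last word, everything inbetween
+    before = "<stuff> with html & special chars</danger>"
+    # all words in after are treated equal
+    after  = "other stuff <script>alert('foo');</alert>"
+
+    computed_diff = Redmine::Helpers::Diff.new(before, after).to_html
+    expected_diff = '<span class="diff_in">&lt;stuff&gt; with html &amp; special chars&lt;/danger&gt;</span> <span class="diff_out">other stuff &lt;script&gt;alert(&#39;foo&#39;);&lt;/alert&gt;</span>'
+
+    assert_equal computed_diff, expected_diff
+  end
 end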
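Review bot: `assert_equal computed_diff, expected_diff` passes the arguments in the wrong order; the assertion takes the expected value first, so a failure would label the helper's output as the expected value and the literal as the actual one. Change it to `assert_equal expected_diff, computed_diff`. The `&#39;` spelling of the apostrophe in `expected_diff` is whatever `ERB::Util.html_escape` emits in the Rails version in use, so the literal is tied to that version and a short comment saying so would help the next person who sees it fail after an upgrade. The comment typo `inbetween` should read `in between`.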