Defect #22115

Text in the "removed" part of a wiki diff is double-escaped

Added by Felix Schäfer over 1 year ago. Updated over 1 year ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Jean-Philippe Lang
% Done: 0%
Category: UI
Target version: 3.3.0
Resolution: Fixed
Affected version:

Description

In a wiki diff (and, from the looks of the code, the diffs of issue descriptions), HTML special characters in the deleted parts are double-escaped.

22115-dont_double_escape_deleted_diff_parts.diff (2.07 KB) Felix Schäfer, 2016-02-25 21:02

22115-dont_double_escape_deleted_diff_parts.diff (2.35 KB) Felix Schäfer, 2016-02-25 21:31

Associated revisions

Revision 15287
Added by Jean-Philippe Lang over 1 year ago

Text in the "removed" part of a diff is double-escaped (#22115).

Patch by Felix Schäfer.

History

#1 Updated by Felix Schäfer over 1 year ago

The attached diff adds a test and a diff for this behaviour.

The problem is in source:/trunk/lib/redmine/helpers/diff.rb@15153: the string deleted is concatenated from unsafe strings (lines 46 and 55) and an HTML-escaped string (line 56) and is thus HTML-unsafe. It is then added (+) to an html_safe string in line 65, which causes deleted to be HTML-escaped a second time before being concatenated to the string on the left-hand side of the +.

The patch moves the explicit HTML escape to line 65 and keeps the explicit HTML escape to avoid problems with the implicit HTML escaping performed by the addition (+) to an html_safe string.

#2 Updated by Felix Schäfer over 1 year ago

Felix Schäfer wrote:

The patch moves the explicit HTML escape to line 65 and keeps the explicit HTML escape to avoid problems with the implicit HTML escaping performed by the addition (+) to an html_safe string.

Ah, and the .join(' ').html_safe at the end is replaced with the safer safe_join which ensures any non-html_safe string in the array is html escaped before concatenation.

#3 Updated by Felix Schäfer over 1 year ago

safe_join comes from an ActionView::Helper that wasn't included yet in Redmine::Helpers::Diff, this patch corrects this omission.
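
The mechanism described in comments #1 and #2, as an added example that is not part of the original thread and not Redmine's code: a pure-Ruby model of the html_safe concatenation rule. SafeString, h, wrap_deleted_buggy, wrap_deleted_fixed and safe_join_model are hypothetical stand-ins for ActiveSupport::SafeBuffer, the h helper, the diff helper's behaviour and safe_join.

```ruby
require "erb"

# Simplified stand-in for ActiveSupport::SafeBuffer (assumption): a String
# subclass marking content as already escaped. Like the real class, its `+`
# escapes any operand that is not itself marked safe.
class SafeString < String
  def +(other)
    other = ERB::Util.html_escape(other) unless other.is_a?(SafeString)
    SafeString.new(super(other))
  end
end

# Stand-in for the `h` helper: escape once, return a marked-safe string.
def h(text)
  text.is_a?(SafeString) ? text : SafeString.new(ERB::Util.html_escape(text))
end

OPEN  = SafeString.new('<span class="diff_out">')
CLOSE = SafeString.new("</span>")

# Pattern described in comment #1: escaped words are appended to a plain
# String, so the accumulator is unsafe and `+` escapes it a second time.
def wrap_deleted_buggy(words)
  deleted = +""
  words.each do |word|
    deleted << " " unless deleted.empty?
    deleted << h(word)
  end
  OPEN + deleted + CLOSE
end

# Pattern of the fix: accumulate raw text and escape exactly once, at the
# point where it meets the safe markup.
def wrap_deleted_fixed(words)
  OPEN + h(words.join(" ")) + CLOSE
end

# Stand-in for safe_join: escape every element that is not marked safe,
# instead of trusting the whole joined string as join(' ').html_safe does.
def safe_join_model(parts, sep)
  SafeString.new(parts.map { |part| h(part) }.join(h(sep)))
end

SAMPLE = ["a", "<b>", "&", "c"] # constructed input
```

With the constructed input, the buggy variant renders `&amp;lt;b&amp;gt;` inside the span, while the fixed variant renders `&lt;b&gt;`.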

#4 Updated by Toshi MARUYAMA over 1 year ago

  • Target version set to 3.3.0

#5 Updated by Jean-Philippe Lang over 1 year ago

  • Subject changed from Text in the "removed" part of a diff is double-escaped to Text in the "removed" part of a wiki diff is double-escaped
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Committed, thanks.
