<p>Redmine - Defect #22115: Text in the "removed" part of a wiki diff is double-escaped</p>
<p>Journal 69440 (https://www.redmine.org/issues/22115?journal_id=69440), 2016-02-25T20:08:52Z, Felix Schäfer</p>
<ul><li><strong>File</strong> <a href="/attachments/15483">22115-dont_double_escape_deleted_diff_parts.diff</a> added</li></ul><p>The attached diff adds a test and a diff for this behaviour.</p>
<p>The problem is in <a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/revisions/15153/entry/trunk/lib/redmine/helpers/diff.rb">source:/trunk/lib/redmine/helpers/diff.rb@15153</a>: the string <code>deleted</code> is concatenated from unsafe strings (lines 46 and 55) and an html escaped string (line 56) and is thus html unsafe. It is then added with <code>+</code> to an <code>html_safe</code> string in line 65, which causes <code>deleted</code> to be html escaped a second time before being concatenated to the string on the left hand side of the <code>+</code>.</p>
<p>The patch moves the explicit html escape to line 65 and keeps the explicit html escape to avoid problems with the implicit html escaping performed by the addition <code>+</code> to a <code>html_safe</code> string.</p>
<p>Journal 69441 (https://www.redmine.org/issues/22115?journal_id=69441), 2016-02-25T20:10:31Z, Felix Schäfer</p>
<p>Felix Schäfer wrote:</p>
<blockquote>
<p>The patch moves the explicit html escape to line 65 and keeps the explicit html escape to avoid problems with the implicit html escaping performed by the addition <code>+</code> to a <code>html_safe</code> string.</p>
</blockquote>
<p>Ah, and the <code>.join(' ').html_safe</code> at the end is replaced with the safer <code>safe_join</code>, which ensures any non-<code>html_safe</code> string in the array is html escaped before concatenation.</p>
<p>Journal 69442 (https://www.redmine.org/issues/22115?journal_id=69442), 2016-02-25T20:32:00Z, Felix Schäfer</p>
<ul><li><strong>File</strong> <a href="/attachments/15484">22115-dont_double_escape_deleted_diff_parts.diff</a> added</li></ul><p><code>safe_join</code> comes from an <code>ActionView::Helper</code> that wasn't included yet in <code>Redmine::Helpers::Diff</code>; this patch corrects this omission.</p>
<p>Journal 69942 (https://www.redmine.org/issues/22115?journal_id=69942), 2016-03-26T03:26:48Z, Toshi MARUYAMA</p>
<ul><li><strong>Target version</strong> set to <i>3.3.0</i></li></ul>
<p>Journal 69957 (https://www.redmine.org/issues/22115?journal_id=69957), 2016-03-26T10:20:44Z, Jean-Philippe Lang (jp_lang@yahoo.fr)</p>
<ul><li><strong>Subject</strong> changed from <i>Text in the "removed" part of a diff is double-escaped</i> to <i>Text in the "removed" part of a wiki diff is double-escaped</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> set to <i>Jean-Philippe Lang</i></li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul><p>Committed, thanks.</p>