Defect #30758
Closed
Preview URL in Wiki Toolbar should be escaped
Description
Since Redmine 4.0.0 and the addition of the preview tab, the wiki toolbar is not displayed if the preview url contains single quotes. The url is not escaped and we can see an error in our browser console.
We should escape the preview url:
diff --git a/lib/redmine/wiki_formatting/markdown/helper.rb b/lib/redmine/wiki_formatting/markdown/helper.rb
index fac2f8bf3..fb9f1a939 100644
--- a/lib/redmine/wiki_formatting/markdown/helper.rb
+++ b/lib/redmine/wiki_formatting/markdown/helper.rb
@@ -22,7 +22,7 @@ module Redmine
         def wikitoolbar_for(field_id, preview_url = preview_text_path)
           heads_for_wiki_formatter
           url = "#{Redmine::Utils.relative_url_root}/help/#{current_language.to_s.downcase}/wiki_syntax_markdown.html" 
-          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{preview_url}'); wikiToolbar.draw();")
+          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{escape_javascript preview_url}'); wikiToolbar.draw();")
         end
         def initial_page_content(page)
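Review bot: On the changed javascript_tag line, field_id is still interpolated unescaped into document.getElementById('#{field_id}'), while url and now preview_url both pass through escape_javascript. A quote in field_id would end that string literal early in the same way, so wrap it as well: getElementById('#{escape_javascript field_id}'). Even if callers only pass fixed DOM ids, escaping all three interpolations keeps the line consistent and removes the need to reason about each caller.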
diff --git a/lib/redmine/wiki_formatting/textile/helper.rb b/lib/redmine/wiki_formatting/textile/helper.rb
index 6e8ba9812..e536a29dc 100644
--- a/lib/redmine/wiki_formatting/textile/helper.rb
+++ b/lib/redmine/wiki_formatting/textile/helper.rb
@@ -23,7 +23,7 @@ module Redmine
           heads_for_wiki_formatter
           # Is there a simple way to link to a public resource?
           url = "#{Redmine::Utils.relative_url_root}/help/#{current_language.to_s.downcase}/wiki_syntax_textile.html" 
-          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{preview_url}'); wikiToolbar.draw();")
+          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{escape_javascript preview_url}'); wikiToolbar.draw();")
         end
         def initial_page_content(page)
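Review bot: The javascript_tag line in this hunk is character for character the same as the one in markdown/helper.rb, so every escaping fix has to be made twice, as this patch shows. Consider moving the script construction into one shared helper that takes the help URL, and have both formatters call it. The diff touches only the two helper files; a helper test that passes a preview_url containing a single quote and checks the emitted script would keep the escaping from regressing.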
Updated by Go MAEDA over 6 years ago
- Status changed from New to Needs feedback
Thank you for the patch. Could you paste some example URLs that reproduce the problem?
Updated by Vincent Robert over 6 years ago
Here is an example. The last link will lead to a form where the wikitoolbar is missing.
h1. CookBook documentation
{{child_pages}}
Some updated [[documentation]] here with gzipped history
{{toc}}
* [[Installation]]
* [[Rock'n Roll]]
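The failure described in this issue, as an added Ruby example that is not part of the thread or of Redmine's code: it builds the inline script with and without escaping and checks whether the quoted argument survives. `js_escape` is a simplified stand-in for Rails' `escape_javascript`, and the preview path and the helper names `toolbar_script`, `read_js_literal` and `literal_intact?` are constructed for illustration.

```ruby
# Simplified stand-in for Rails' escape_javascript (assumption: only the
# characters relevant to a quoted JS string literal are handled).
JS_ESCAPES = { "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
               "\n" => "\\n", "\r" => "\\n" }.freeze

def js_escape(str)
  str.to_s.gsub(/[\\'"\n\r]/) { |c| JS_ESCAPES[c] }
end

# Constructed preview path for a wiki page titled "Rock'n Roll".
PREVIEW_URL = "/projects/cookbook/wiki/Rock'n_Roll/preview"

# Mirrors the setPreviewUrl part of the helper's inline script.
def toolbar_script(preview_url, escape:)
  arg = escape ? js_escape(preview_url) : preview_url
  "wikiToolbar.setPreviewUrl('#{arg}'); wikiToolbar.draw();"
end

# Reads the single-quoted literal after setPreviewUrl( as a JS tokenizer would;
# returns [decoded_value, rest_of_script], or nil if it is never closed.
def read_js_literal(script)
  marker = "setPreviewUrl('"
  start = script.index(marker) or return nil
  i = start + marker.length
  value = +""
  while i < script.length
    ch = script[i]
    if ch == "\\"
      nxt = script[i + 1] or return nil
      value << (nxt == "n" ? "\n" : nxt)
      i += 2
    elsif ch == "'"
      return [value, script[(i + 1)..-1]]
    else
      value << ch
      i += 1
    end
  end
  nil
end

# True when the argument decodes to `expected` and the call closes after it.
def literal_intact?(script, expected)
  value, rest = read_js_literal(script)
  value == expected && rest.to_s.start_with?(");")
end

[false, true].each do |esc|
  puts "escape=#{esc} intact=#{literal_intact?(toolbar_script(PREVIEW_URL, escape: esc), PREVIEW_URL)}"
end
```

Without escaping, the literal ends at the apostrophe and the rest of the path is parsed as code, which is the console error the report describes.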
Updated by Go MAEDA over 6 years ago
Vincent Robert wrote:
> Here is an example. The last link will lead to a form where the wikitoolbar is missing.
> [...]
Thank you. But it does not break the toolbar in my environment. Could you paste a screenshot that shows the problem? Sorry for bothering you again and again.
Updated by Go MAEDA over 6 years ago
- Status changed from Needs feedback to Confirmed
Updated by Go MAEDA over 6 years ago
- Target version set to 4.0.2
Setting the target version to 4.0.2.
Updated by Go MAEDA over 6 years ago
- Status changed from Confirmed to Closed
- Assignee set to Go MAEDA
- Resolution set to Fixed
Committed the patch. Thank you for detecting and fixing this issue.
Updated by Vincent Robert over 6 years ago
Thanks.
How could we associate this kind of patch with our Github account?
I think more contributors would be motivated if they could get credit in Github.
Updated by Marius BĂLTEANU over 6 years ago
Thanks Vincent for reporting and fixing this issue.
Vincent Robert wrote:
> How could we associate this kind of patch with our Github account?
> I think more contributors would be motivated if they could get credit in Github.
I don't think that it is possible mostly because of the SVN.
Updated by Marius BĂLTEANU over 6 years ago
- Related to Feature #27758: Adds preview option to the wiki toolbar added
