sanitize_html_v4.patch

Go MAEDA, 2021-03-15 16:52



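--- a/public/javascripts/application.js
+++ b/public/javascripts/application.js
@@ -1,6 +1,12 @@
 /* Redmine - project management software
    Copyright (C) 2006-2020  Jean-Philippe Lang */
 
+function sanitizeHTML(string) {
+  var temp = document.createElement('span');
+  temp.textContent = string;
+  return temp.innerHTML;
+}
+
 function checkAll(id, checked) {
   $('#'+id).find('input[type=checkbox]:enabled').prop('checked', checked);
 }
@@ -1130,6 +1136,9 @@
           selectTemplate: function (issue) {
             return '#' + issue.original.id;
           },
+          menuItemTemplate: function (issue) {
+            return sanitizeHTML(issue.original.label);
+          },
           noMatchTemplate: function () {
             return '<span style:"visibility: hidden;"></span>';
           }
@@ -1147,6 +1156,9 @@
           selectTemplate: function (wikiPage) {
             return '[[' + wikiPage.original.value + ']]';
           },
+          menuItemTemplate: function (wikiPage) {
+            return sanitizeHTML(wikiPage.original.label);
+          },
           noMatchTemplate: function () {
             return '<span style:"visibility: hidden;"></span>';
           }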
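Review bot: `sanitizeHTML` (new line 4) is an escaper for element content, not a sanitizer: serialising a text node via `innerHTML` encodes `<`, `>` and `&` but leaves `"` and `'` untouched, so its return value must never be interpolated into an attribute value, and the name invites exactly that reuse. A header comment would make the contract explicit, e.g. `// Escapes a string for insertion as HTML element content only (quotes are not encoded; never use for attribute values).` It also allocates a detached element per call, which is harmless for the short autocomplete lists in the two `menuItemTemplate` hunks but worth knowing if it is reused in a loop. The Tribute configuration objects that hold the two `menuItemTemplate` callbacks start and end outside their hunks.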
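--- a/test/system/inline_autocomplete_test.rb
+++ b/test/system/inline_autocomplete_test.rb
@@ -151,4 +151,17 @@
     end
     assert_equal '[[Page_with_sections]] ', find('#issue_description').value
   end
+
+  def test_inline_autocomplete_for_issues_should_escape_html_elements
+    issue = Issue.generate!(subject: 'This issue has a <select> element', project_id: 1, tracker_id: 1)
+
+    log_user('jsmith', 'jsmith')
+    visit 'projects/1/issues/new'
+
+    fill_in 'Description', :with => '#This'
+
+    within('.tribute-container') do
+      assert page.has_text? "Bug ##{issue.id}: This issue has a <select> element"
+    end
+  end
 end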
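Review bot: The assertion at new line 164 only checks that the escaped text is visible; it does not fail if the browser also rendered a real `<select>` element from an unescaped label, so it does not pin the injection the patch fixes. Adding `assert page.has_no_selector?('select')` inside the `within('.tribute-container')` block turns it into a regression test for the escaping itself. The wiki-page autocomplete, which the patch also changes, gets no corresponding test here.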