Defect #22115
closed
Text in the "removed" part of a wiki diff is double-escaped
Description
In a wiki diff (and, from the looks of the code, the diffs of issue descriptions), html special characters in the deleted parts are double-escaped.
Updated by Felix Schäfer over 9 years ago
- File 22115-dont_double_escape_deleted_diff_parts.diff added
The attached diff adds a test and a diff for this behaviour.
The problem is in source:/trunk/lib/redmine/helpers/diff.rb@15153: the string deleted is concatenated from unsafe strings (lines 46 and 55) and an html escaped string (line 56) and is thus html unsafe. It is then added (+) to an html_safe string in line 65, which causes deleted to be html escaped a second time before being concatenated to the string on the left-hand side of the +.
The patch moves the explicit html escape to line 65 and keeps the explicit html escape to avoid problems with the implicit html escaping performed by the addition + to a html_safe string.
Updated by Felix Schäfer over 9 years ago
Felix Schäfer wrote:
The patch moves the explicit html escape to line 65 and keeps the explicit html escape to avoid problems with the implicit html escaping performed by the addition + to a html_safe string.
Ah, and the .join(' ').html_safe at the end is replaced with the safer safe_join which ensures any non-html_safe string in the array is html escaped before concatenation.
Updated by Felix Schäfer over 9 years ago
- File 22115-dont_double_escape_deleted_diff_parts.diff added
safe_join comes from an ActionView::Helper that wasn't included yet in Redmine::Helpers::Diff, this patch corrects this omission.
Updated by Jean-Philippe Lang over 9 years ago
- Subject changed from Text in the "removed" part of a diff is double-escaped to Text in the "removed" part of a wiki diff is double-escaped
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Committed, thanks.
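The escaping behaviour discussed in this thread, as an added Ruby example that is not part of the ticket or of Redmine's code. SafeString, h, mark_safe and safe_join are simplified stand-ins for Rails' html_safe strings and helpers (an assumption: they model only the escape-on-concatenation rule), and the render_* functions and sample words are constructed for illustration.

```ruby
# Simplified stand-in for the html_safe rules described in the thread
# (assumption: models only escape-on-concat; not ActiveSupport's real class).
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;' }.freeze

class SafeString < String
  # Appending to a safe string escapes the operand unless it is safe too.
  def +(other)
    SafeString.new(super(h(other)))
  end
end

# Explicit escape; input that is already safe is returned unchanged.
def h(text)
  return text if text.is_a?(SafeString)
  SafeString.new(text.to_s.gsub(/[&<>"']/, ESCAPES))
end

# Model of String#html_safe: trusts the content as it is.
def mark_safe(text)
  SafeString.new(text)
end

# Model of safe_join: every element that is not safe is escaped first.
def safe_join(parts, sep)
  mark_safe(parts.map { |p| h(p) }.join(h(sep)))
end

# "Before": deleted mixes raw and pre-escaped pieces in a plain String, so
# the + on a safe string escapes the pre-escaped piece a second time.
def render_deleted_buggy(words)
  deleted = String.new
  words.each_with_index do |w, i|
    deleted << (i == words.size - 1 ? h(w) : "#{w} ")
  end
  mark_safe('<span class="diff_out">') + deleted + mark_safe('</span>')
end

# "After": deleted stays raw and is escaped exactly once, explicitly.
def render_deleted_fixed(words)
  mark_safe('<span class="diff_out">') + h(words.join(' ')) + mark_safe('</span>')
end

# The replaced pattern (.join(' ').html_safe): raw elements are trusted as-is.
def join_then_mark_safe(parts)
  mark_safe(parts.join(' '))
end
```

With the constructed input `['a', '<b>']`, the "before" version renders `&amp;lt;b&amp;gt;` inside the span while the "after" version renders `&lt;b&gt;`. Joining and then marking the result safe passes a raw `<b>` through unescaped, whereas safe_join escapes it and leaves already-safe elements alone.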