Defect #30758

closed

Preview URL in Wiki Toolbar should be escaped

Added by Vincent Robert over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Wiki
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

Since Redmine 4.0.0 and the addition of the preview tab, the wiki toolbar is not displayed if the preview url contains single quotes. The url is not escaped and we can see an error in our browser console.
We should escape the preview url:

diff --git a/lib/redmine/wiki_formatting/markdown/helper.rb b/lib/redmine/wiki_formatting/markdown/helper.rb
index fac2f8bf3..fb9f1a939 100644
--- a/lib/redmine/wiki_formatting/markdown/helper.rb
+++ b/lib/redmine/wiki_formatting/markdown/helper.rb
@@ -22,7 +22,7 @@ module Redmine
         def wikitoolbar_for(field_id, preview_url = preview_text_path)
           heads_for_wiki_formatter
           url = "#{Redmine::Utils.relative_url_root}/help/#{current_language.to_s.downcase}/wiki_syntax_markdown.html" 
-          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{preview_url}'); wikiToolbar.draw();")
+          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{escape_javascript preview_url}'); wikiToolbar.draw();")
         end

         def initial_page_content(page)
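
Review bot: field_id is still interpolated raw into the same script string on the changed line, in document.getElementById('#{field_id}'), so a field id containing a single quote would break the toolbar the same way the preview URL did. Consider wrapping it as well, document.getElementById('#{escape_javascript field_id}'), so that every value interpolated into this javascript_tag call goes through escape_javascript.
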
diff --git a/lib/redmine/wiki_formatting/textile/helper.rb b/lib/redmine/wiki_formatting/textile/helper.rb
index 6e8ba9812..e536a29dc 100644
--- a/lib/redmine/wiki_formatting/textile/helper.rb
+++ b/lib/redmine/wiki_formatting/textile/helper.rb
@@ -23,7 +23,7 @@ module Redmine
           heads_for_wiki_formatter
           # Is there a simple way to link to a public resource?
           url = "#{Redmine::Utils.relative_url_root}/help/#{current_language.to_s.downcase}/wiki_syntax_textile.html" 
-          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{preview_url}'); wikiToolbar.draw();")
+          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{escape_javascript preview_url}'); wikiToolbar.draw();")
         end

         def initial_page_content(page)
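
Review bot: The javascript_tag line changed here is character-for-character the same as the one in markdown/helper.rb, so the escaping fix has to be applied twice and the two helpers can drift apart later. Consider moving the script construction into one shared method that both wikitoolbar_for implementations call with their own help URL, and adding a test that renders the toolbar with a preview_url containing a single quote, since the diff carries no test for either formatter.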

Files

escape_preview_url.diff (1.99 KB), Vincent Robert, 2019-02-06 19:10
screenshot.png (207 KB), Vincent Robert, 2019-02-07 08:18

Related issues

Related to Redmine - Feature #27758: Adds preview option to the wiki toolbar (Closed, Jean-Philippe Lang)
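
The failure described in this issue, reproduced as an added example (not part of the original report or of Redmine's code): the generated script is compiled with and without escaping of the preview URL. escapeJsString is a simplified stand-in for Rails' escape_javascript, the jsToolBar and document objects are stubs, and the field id and preview path are constructed sample values.

```javascript
// Added example: why the unescaped preview URL removed the wiki toolbar.
// escapeJsString is a simplified stand-in for Rails' escape_javascript
// (assumption), covering what matters inside a quoted JS string literal.
function escapeJsString(s) {
  return s
    .replace(/\\/g, "\\\\")          // backslash first, so later escapes survive
    .replace(/\r\n|\n|\r/g, "\\n")   // raw newlines cannot appear in a literal
    .replace(/(["'])/g, "\\$1")      // quotes would terminate the literal
    .replace(/<\//g, "<\\/");        // keep "</script>" from closing the tag
}

// Mirrors the shape of the string handed to javascript_tag in the patch
// (setHelpLink omitted for brevity).
function toolbarScript(fieldId, previewUrl, escapePreview) {
  const preview = escapePreview ? escapeJsString(previewUrl) : previewUrl;
  return "var wikiToolbar = new jsToolBar(document.getElementById('" + fieldId + "')); " +
    "wikiToolbar.setPreviewUrl('" + preview + "'); wikiToolbar.draw();";
}

// Compiles and runs the script against stub objects (hypothetical stand-ins
// for the browser's document and Redmine's jsToolBar), reporting whether the
// toolbar was drawn and which preview URL it received.
function runToolbar(src) {
  const seen = { previewUrl: null, drawn: false };
  function jsToolBar() {
    this.setPreviewUrl = (u) => { seen.previewUrl = u; };
    this.draw = () => { seen.drawn = true; };
  }
  const doc = { getElementById: (id) => ({ id }) };
  try {
    new Function("jsToolBar", "document", src)(jsToolBar, doc);
    return { ok: true, ...seen };
  } catch (e) {
    // A syntax error rejects the whole script, so draw() never runs.
    return { ok: false, error: e.name, ...seen };
  }
}

// Constructed sample values for the "Rock'n Roll" wiki page from this issue.
const SAMPLE_FIELD_ID = "content_text";
const SAMPLE_PREVIEW_URL = "/projects/cookbook/wiki/Rock'n_Roll/preview";

const resultUnescaped = runToolbar(toolbarScript(SAMPLE_FIELD_ID, SAMPLE_PREVIEW_URL, false));
const resultEscaped = runToolbar(toolbarScript(SAMPLE_FIELD_ID, SAMPLE_PREVIEW_URL, true));
console.log("unescaped:", resultUnescaped);
console.log("escaped:  ", resultEscaped);
```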

Actions #1

Updated by Go MAEDA over 5 years ago

  • Status changed from New to Needs feedback

Thank you for the patch. Could you paste some example URLs that reproduce the problem?

Actions #2

Updated by Vincent Robert over 5 years ago

Here is an example. The last link will lead to a form where the wikitoolbar is missing.

h1. CookBook documentation

{{child_pages}}

Some updated [[documentation]] here with gzipped history

{{toc}}

* [[Installation]]

* [[Rock'n Roll]]
Actions #3

Updated by Go MAEDA over 5 years ago

Vincent Robert wrote:

Here is an example. The last link will lead to a form where the wikitoolbar is missing.

[...]

Thank you. But it does not break the toolbar in my environment. Could you paste a screenshot that shows the problem? Sorry for bothering you again and again.

Actions #4

Updated by Vincent Robert over 5 years ago

Here it is:

Actions #5

Updated by Go MAEDA over 5 years ago

  • Status changed from Needs feedback to Confirmed
Actions #6

Updated by Go MAEDA over 5 years ago

  • Target version set to 4.0.2

Setting the target version to 4.0.2.

Actions #7

Updated by Go MAEDA over 5 years ago

  • Status changed from Confirmed to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you for detecting and fixing this issue.

Actions #8

Updated by Vincent Robert over 5 years ago

Thanks.

How could we associate this kind of patch with our Github account?
I think more contributors would be motivated if they could get credit in Github.

Actions #9

Updated by Marius BĂLTEANU over 5 years ago

Thanks Vincent for reporting and fixing this issue.

Vincent Robert wrote:

How could we associate this kind of patch with our Github account?
I think more contributors would be motivated if they could get credit in Github.

I don't think that it is possible mostly because of the SVN.

Actions #10

Updated by Marius BĂLTEANU over 5 years ago

  • Related to Feature #27758: Adds preview option to the wiki toolbar added