@@ -23,6 +23,7 module Redmine | |||||
23 | include ERB::Util |
|
23 | include ERB::Util | |
24 | include ActionView::Helpers::TagHelper |
|
24 | include ActionView::Helpers::TagHelper | |
25 | include ActionView::Helpers::TextHelper |
|
25 | include ActionView::Helpers::TextHelper | |
|
26 | include ActionView::Helpers::OutputSafetyHelper | |||
26 | attr_reader :diff, :words |
|
27 | attr_reader :diff, :words | |
27 |
|
28 | |||
28 | def initialize(content_to, content_from) |
|
29 | def initialize(content_to, content_from) | |
@@ -53,7 +54,7 module Redmine | |||||
53 | else |
|
54 | else | |
54 | del_at = pos unless del_at |
|
55 | del_at = pos unless del_at | |
55 | deleted << ' ' unless deleted.empty? |
|
56 | deleted << ' ' unless deleted.empty? | |
56 |
deleted << |
|
57 | deleted << change[2] | |
57 | words_del += 1 |
|
58 | words_del += 1 | |
58 | end |
|
59 | end | |
59 | end |
|
60 | end | |
@@ -62,13 +63,14 module Redmine | |||||
62 | words[add_to] = words[add_to] + '</span>'.html_safe |
|
63 | words[add_to] = words[add_to] + '</span>'.html_safe | |
63 | end |
|
64 | end | |
64 | if del_at |
|
65 | if del_at | |
65 | words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + deleted + '</span>'.html_safe |
|
66 | # deleted is not safe html at this point | |
|
67 | words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe | |||
66 | dels += 1 |
|
68 | dels += 1 | |
67 | del_off += words_del |
|
69 | del_off += words_del | |
68 | words_del = 0 |
|
70 | words_del = 0 | |
69 | end |
|
71 | end | |
70 | end |
|
72 | end | |
71 | words.join(' ').html_safe |
|
73 | safe_join(words, ' ') | |
72 | end |
|
74 | end | |
73 | end |
|
75 | end | |
74 | end |
|
76 | end |
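Review bot: The diff_in branch at new line 63 (`words[add_to] = words[add_to] + '</span>'.html_safe`) only stays correct under the new `safe_join` if `words[add_to]` is already an html_safe SafeBuffer at that point; a plain String `+` SafeBuffer yields a plain String, and `safe_join` would then escape the closing `</span>` as `&lt;/span&gt;`. The line that opens the `<span class="diff_in">` is outside this hunk, so I cannot confirm which it is — worth a comment on line 63 such as `# words[add_to] must already be a SafeBuffer (opened above) or safe_join will escape this tag`, or building it explicitly as `'<span class="diff_in">'.html_safe + h(word) + '</span>'.html_safe` in one place. The new `h(deleted)` on line 67 also relies on `h` returning an html_safe string (ActiveSupport's override of `ERB::Util.html_escape`); with plain ERB::Util the SafeBuffer `+` would escape it a second time, which the new unit test should catch but a short comment would make the dependency explicit. The enclosing `to_html` method begins before this hunk.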
@@ -22,4 +22,16 class DiffTest < ActiveSupport::TestCase | |||||
22 | diff = Redmine::Helpers::Diff.new("foo", "bar") |
|
22 | diff = Redmine::Helpers::Diff.new("foo", "bar") | |
23 | assert_not_nil diff |
|
23 | assert_not_nil diff | |
24 | end |
|
24 | end | |
|
25 | ||||
|
26 | def test_dont_double_escape | |||
|
27 | # 3 cases to test in the before: first word, last word, everything inbetween | |||
|
28 | before = "<stuff> with html & special chars</danger>" | |||
|
29 | # all words in after are treated equal | |||
|
30 | after = "other stuff <script>alert('foo');</alert>" | |||
|
31 | ||||
|
32 | computed_diff = Redmine::Helpers::Diff.new(before, after).to_html | |||
|
33 | expected_diff = '<span class="diff_in"><stuff> with html & special chars</danger></span> <span class="diff_out">other stuff <script>alert('foo');</alert></span>' | |||
|
34 | ||||
|
35 | assert_equal computed_diff, expected_diff | |||
|
36 | end | |||
25 | end |
|
37 | end |
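Review bot: As rendered here the expected string on line 33 shows `<stuff>`, `&`, and `<script>` unescaped, which would make the test pin an output that injects raw HTML into the page; presumably the forge decoded `&lt;`/`&amp;` entities in the literal, but the source should be checked to contain the entity forms, since that escaping is the whole point of the fix. The assertion on line 35 also has its arguments reversed for minitest (`assert_equal expected, actual`), which makes failure messages read backwards — `assert_equal expected_diff, computed_diff`. Since `to_html` now returns the result of `safe_join`, a second assertion `assert computed_diff.html_safe?` would guard the contract that callers may render it without further escaping.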