jro_apps/redmine Commit - r14905:25eb92c0dc33

Text in the "removed" part of a diff is double-escaped (#22115)....

Jean-Philippe Lang -

r14905:25eb92c0dc33

parent child

Context file:

r14905:25eb92c0dc33

lib/redmine/helpers/diff.rb +5 -3

                   include ERB::Util
                   include ActionView::Helpers::TagHelper
                   include ActionView::Helpers::TextHelper
+                  include ActionView::Helpers::OutputSafetyHelper
                   attr_reader :diff, :words
                   def initialize(content_to, content_from)
                         else
                           del_at = pos unless del_at
                           deleted << ' ' unless deleted.empty?
-                          deleted << h(change[2])
+                          deleted << change[2]
                           words_del  += 1
                         end
                       end
                         words[add_to] = words[add_to] + '</span>'.html_safe
                       end
                       if del_at
-                        words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + deleted + '</span>'.html_safe
+                        # deleted is not safe html at this point
+                        words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe
                         dels += 1
                         del_off += words_del
                         words_del = 0
                       end
                     end
-                    words.join(' ').html_safe
+                    safe_join(words, ' ')
                   end
                 end
               end

test/unit/lib/redmine/helpers/diff_test.rb +12 0

@@ -22,4 +22,16 class DiffTest < ActiveSupport::TestCase
22	diff = Redmine::Helpers::Diff.new("foo", "bar")	22	diff = Redmine::Helpers::Diff.new("foo", "bar")
23	assert_not_nil diff	23	assert_not_nil diff
24	end	24	end
		25
		26	def test_dont_double_escape
		27	# 3 cases to test in the before: first word, last word, everything inbetween
		28	before = "<stuff> with html & special chars</danger>"
		29	# all words in after are treated equal
		30	after = "other stuff <script>alert('foo');</alert>"
		31
		32	computed_diff = Redmine::Helpers::Diff.new(before, after).to_html
		33	expected_diff = '<span class="diff_in"><stuff> with html & special chars</danger></span> <span class="diff_out">other stuff <script>alert('foo');</alert></span>'
		34
		35	assert_equal computed_diff, expected_diff
		36	end
25	end	37	end

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages