jro_apps/redmine Commit - r14905:25eb92c0dc33

Text in the "removed" part of a diff is double-escaped (#22115)....

Jean-Philippe Lang -

r14905:25eb92c0dc33

parent child

Context file:

r14905:25eb92c0dc33

Collapse all files

lib/redmine/helpers/diff.rb +5 -3

                    include ERB::Util
                    include ActionView::Helpers::TagHelper
                    include ActionView::Helpers::TextHelper
+                   include ActionView::Helpers::OutputSafetyHelper
                    attr_reader :diff, :words
                    def initialize(content_to, content_from)
                          else
                            del_at = pos unless del_at
                            deleted << ' ' unless deleted.empty?
-                           deleted << h(change[2])
+                           deleted << change[2]
                            words_del  += 1
                          end
                        end
                          words[add_to] = words[add_to] + '</span>'.html_safe
                        end
                        if del_at
-                         words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + deleted + '</span>'.html_safe
+                         # deleted is not safe html at this point
+                         words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe
                          dels += 1
                          del_off += words_del
                          words_del = 0
                        end
                      end
-                     words.join(' ').html_safe
+                     safe_join(words, ' ')
                    end
                  end
                end

test/unit/lib/redmine/helpers/diff_test.rb +12 0

                  diff = Redmine::Helpers::Diff.new("foo", "bar")
                  assert_not_nil diff
                end
+               def test_dont_double_escape
+                 # 3 cases to test in the before: first word, last word, everything inbetween
+                 before = "<stuff> with html & special chars</danger>"
+                 # all words in after are treated equal
+                 after  = "other stuff <script>alert('foo');</alert>"
+                 computed_diff = Redmine::Helpers::Diff.new(before, after).to_html
+                 expected_diff = '<span class="diff_in">&lt;stuff&gt; with html &amp; special chars&lt;/danger&gt;</span> <span class="diff_out">other stuff &lt;script&gt;alert(&#39;foo&#39;);&lt;/alert&gt;</span>'
+                 assert_equal computed_diff, expected_diff
+               end
              end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages