Escape href attribute in auto links (#5179)....
Jean-Philippe Lang -
r3498:8cdcf308bef6
@@ -825,7 +825,7 class RedCloth3 < String
825 post = ")"+post # add closing parenth to post
825 post = ")"+post # add closing parenth to post
826 end
826 end
827 atts = pba( atts )
827 atts = pba( atts )
828 atts = " href=\"#{ url }#{ slash }\"#{ atts }"
828 atts = " href=\"#{ htmlesc url }#{ slash }\"#{ atts }"
829 atts << " title=\"#{ htmlesc title }\"" if title
829 atts << " title=\"#{ htmlesc title }\"" if title
830 atts = shelve( atts ) if atts
830 atts = shelve( atts ) if atts
831
831
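Review bot: On new line 828 only `url` goes through `htmlesc`; `slash` and the `pba( atts )` result are still interpolated into the tag unescaped. Neither is defined in this hunk, so this is a question rather than a confirmed defect: if `slash` can only be a literal `/` and `pba` only emits attributes it built itself, a comment saying so would help, e.g. `# only url is raw user text here; slash and atts are generated by the parser`. Escaping stops the value from breaking out of the attribute but does not constrain the URL scheme; that has to be handled by the link pattern, which is not visible here. The enclosing method starts and ends outside the hunk.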
@@ -21,6 +21,7 module Redmine
21 module WikiFormatting
21 module WikiFormatting
22 module Textile
22 module Textile
23 class Formatter < RedCloth3
23 class Formatter < RedCloth3
24 include ActionView::Helpers::TagHelper
24
25
25 # auto_link rule after textile rules so that it doesn't break !image_url! tags
26 # auto_link rule after textile rules so that it doesn't break !image_url! tags
26 RULES = [:textile, :block_markdown_rule, :inline_auto_link, :inline_auto_mailto, :inline_toc]
27 RULES = [:textile, :block_markdown_rule, :inline_auto_link, :inline_auto_mailto, :inline_toc]
@@ -134,7 +135,8 module Redmine
134 url=url[0..-2] # discard closing parenth from url
135 url=url[0..-2] # discard closing parenth from url
135 post = ")"+post # add closing parenth to post
136 post = ")"+post # add closing parenth to post
136 end
137 end
137 %(#{leading}<a class="external" href="#{proto=="www."?"http://www.":proto}#{url}">#{proto + url}</a>#{post})
138 tag = content_tag('a', proto + url, :href => "#{proto=="www."?"http://www.":proto}#{url}", :class => 'external')
139 %(#{leading}#{tag}#{post})
138 end
140 end
139 end
141 end
140 end
142 end
@@ -146,7 +148,7 module Redmine
146 if text.match(/<a\b[^>]*>(.*)(#{Regexp.escape(mail)})(.*)<\/a>/)
148 if text.match(/<a\b[^>]*>(.*)(#{Regexp.escape(mail)})(.*)<\/a>/)
147 mail
149 mail
148 else
150 else
149 %{<a href="mailto:#{mail}" class="email">#{mail}</a>}
151 content_tag('a', mail, :href => "mailto:#{mail}", :class => "email")
150 end
152 end
151 end
153 end
152 end
154 end
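Review bot: `content_tag` escapes the `:href` value but apparently not the link text, so `proto + url` (new line 138) and `mail` (new line 151) still reach the output unescaped as element content; the expected string in the accompanying test keeps a raw `"` in the text (`>http://foo"bar</a>`). Whether `<` or `&` can get that far depends on the matching regex and any earlier escaping pass, neither of which is in these hunks. A comment on the two calls naming which of those guarantees it would make the assumption explicit. A smaller style point: the local `tag` on new line 138 shadows the `tag` helper brought in by `include ActionView::Helpers::TagHelper`; `link = content_tag(...)` avoids the ambiguity. Both methods begin outside their hunks.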
@@ -60,12 +60,14 class ApplicationHelperTest < HelperTestCase
60 'sftp://foo.bar' => '<a class="external" href="sftp://foo.bar">sftp://foo.bar</a>',
60 'sftp://foo.bar' => '<a class="external" href="sftp://foo.bar">sftp://foo.bar</a>',
61 # two exclamation marks
61 # two exclamation marks
62 'http://example.net/path!602815048C7B5C20!302.html' => '<a class="external" href="http://example.net/path!602815048C7B5C20!302.html">http://example.net/path!602815048C7B5C20!302.html</a>',
62 'http://example.net/path!602815048C7B5C20!302.html' => '<a class="external" href="http://example.net/path!602815048C7B5C20!302.html">http://example.net/path!602815048C7B5C20!302.html</a>',
63 # escaping
64 'http://foo"bar' => '<a class="external" href="http://foo&quot;bar">http://foo"bar</a>',
63 }
65 }
64 to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
66 to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
65 end
67 end
66
68
67 def test_auto_mailto
69 def test_auto_mailto
68 assert_equal '<p><a href="mailto:test@foo.bar" class="email">test@foo.bar</a></p>',
70 assert_equal '<p><a class="email" href="mailto:test@foo.bar">test@foo.bar</a></p>',
69 textilizable('test@foo.bar')
71 textilizable('test@foo.bar')
70 end
72 end
71
73
@@ -130,6 +132,8 RAW
130 "\"system administrator\":mailto:sysadmin@example.com?subject=redmine%20permissions" => "<a href=\"mailto:sysadmin@example.com?subject=redmine%20permissions\">system administrator</a>",
132 "\"system administrator\":mailto:sysadmin@example.com?subject=redmine%20permissions" => "<a href=\"mailto:sysadmin@example.com?subject=redmine%20permissions\">system administrator</a>",
131 # two exclamation marks
133 # two exclamation marks
132 '"a link":http://example.net/path!602815048C7B5C20!302.html' => '<a href="http://example.net/path!602815048C7B5C20!302.html" class="external">a link</a>',
134 '"a link":http://example.net/path!602815048C7B5C20!302.html' => '<a href="http://example.net/path!602815048C7B5C20!302.html" class="external">a link</a>',
135 # escaping
136 '"test":http://foo"bar' => '<a href="http://foo&quot;bar" class="external">test</a>',
133 }
137 }
134 to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
138 to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
135 end
139 end
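Review bot: The two new `# escaping` cases exercise only `"`, so nothing pins what happens to `&` in a query string. That is the character most likely to expose double escaping if the URL is already entity-encoded by the time it reaches the link code. A constructed case such as `'http://foo.bar/?a=1&b=2'` in each table would settle the expected href. `test_auto_mailto` changed only in attribute order; it has no case with a special character in the address, although the mailto code path was rewritten in the same commit.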