jro_apps/redmine Commit - r15059:ee408687c61d

Merged r15431 to r15435 (#22924, #22925, #22926)....

Jean-Philippe Lang -

r15059:ee408687c61d

parent child

Context file:

r15059:ee408687c61d

Collapse all files

lib/redmine/helpers/url.rb created 644 +35 0

@@ -0,0 +1,35
	1	# Redmine - project management software
	2	# Copyright (C) 2006-2016 Jean-Philippe Lang
	3	#
	4	# This program is free software; you can redistribute it and/or
	5	# modify it under the terms of the GNU General Public License
	6	# as published by the Free Software Foundation; either version 2
	7	# of the License, or (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
	17
	18	require 'uri'
	19
	20	module Redmine
	21	module Helpers
	22	module URL
	23	def uri_with_safe_scheme?(uri, schemes = ['http', 'https', 'ftp', 'mailto', nil])
	24	# URLs relative to the current document or document root (without a protocol
	25	# separator, should be harmless
	26	return true unless uri.include? ":"
	27
	28	# Other URLs need to be parsed
	29	schemes.include? URI.parse(uri).scheme
	30	rescue URI::InvalidURIError
	31	false
	32	end
	33	end
	34	end
	35	end

app/helpers/application_helper.rb +1 0

               include Redmine::SudoMode::Helper
               include Redmine::Themes::Helper
               include Redmine::Hook::Helper
+              include Redmine::Helpers::URL
               extend Forwardable
               def_delegators :wiki_helper, :wikitoolbar_for, :heads_for_wiki_formatter

app/models/custom_field.rb +8 0

                 args.include?(field_format)
               end
+              def self.human_attribute_name(attribute_key_name, *args)
+                attr_name = attribute_key_name.to_s
+                if attr_name == 'url_pattern'
+                  attr_name = "url"
+                end
+                super(attr_name, *args)
+              end
               protected
               # Removes multiple values for the custom field after setting the multiple attribute to false

app/views/projects/show.html.erb +1 -1

               <% if @project.homepage.present? || @subprojects.any? || @project.visible_custom_field_values.any?(&:present?) %>
               <ul>
               <% unless @project.homepage.blank? %>
-                <li><span class="label"><%=l(:field_homepage)%>:</span> <%= link_to @project.homepage, @project.homepage %></li>
+                <li><span class="label"><%=l(:field_homepage)%>:</span> <%= link_to_if uri_with_safe_scheme?(@project.homepage), @project.homepage, @project.homepage %></li>
               <% end %>
               <% if @subprojects.any? %>
                 <li><span class="label"><%=l(:label_subproject_plural)%>:</span>

lib/redcloth3.rb +3 0

             #  class RedCloth::Textile.new( str )
             class RedCloth3 < String
+                include Redmine::Helpers::URL
                 VERSION = '3.0.4'
                 DEFAULT_RULES = [:textile, :markdown]
                         href, alt_title = check_refs( href ) if href
                         url, url_title = check_refs( url )
+                        return m unless uri_with_safe_scheme?(url)
                         out = ''
                         out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href
                         out << "<img#{ shelve( atts ) } />"

lib/redmine/field_format.rb +15 -2

                 class Base
                   include Singleton
                   include Redmine::I18n
+                  include Redmine::Helpers::URL
                   include ERB::Util
                   class_attribute :format_name
                   # Returns the validation errors for custom_field
                   # Should return an empty array if custom_field is valid
                   def validate_custom_field(custom_field)
-                    []
+                    errors = []
+                    pattern = custom_field.url_pattern
+                    if pattern.present? && !uri_with_safe_scheme?(url_pattern_without_tokens(pattern))
+                      errors << [:url_pattern, :invalid]
+                    end
+                    errors
                   end
                   # Returns the validation error messages for custom_value
                         url = url_from_pattern(custom_field, single_value, customized)
                         [text, url]
                       end
-                      links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to text, url}
+                      links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to_if uri_with_safe_scheme?(url), text, url}
                       links.join(', ').html_safe
                     else
                       casted
                   end
                   protected :url_from_pattern
+                  # Returns the URL pattern with substitution tokens removed,
+                  # for validation purpose
+                  def url_pattern_without_tokens(url_pattern)
+                    url_pattern.to_s.gsub(/%(value|id|project_id|project_identifier|m\d+)%/, '')
+                  end
+                  protected :url_pattern_without_tokens
                   def edit_tag(view, tag_id, tag_name, custom_value, options={})
                     view.text_field_tag(tag_name, custom_value.value, options.merge(:id => tag_id))
                   end

lib/redmine/wiki_formatting/markdown/formatter.rb +9 0

                 module Markdown
                   class HTML < Redcarpet::Render::HTML
                     include ActionView::Helpers::TagHelper
+                    include Redmine::Helpers::URL
                     def link(link, title, content)
+                      return nil unless uri_with_safe_scheme?(link)
                       css = nil
                       unless link && link.starts_with?('/')
                         css = 'external'
                         "<pre>" + CGI.escapeHTML(code) + "</pre>"
                       end
                     end
+                    def image(link, title, alt_text)
+                      return unless uri_with_safe_scheme?(link)
+                      tag('img', :src => link, :alt => alt_text || "", :title => title)
+                    end
                   end
                   class Formatter

test/unit/helpers/application_helper_test.rb +1 -1

                 attachment = Attachment.generate!(:filename => 'café.jpg')
                 with_settings :text_formatting => 'markdown' do
-                  assert_include %(<img src="/attachments/download/#{attachment.id}/caf%C3%A9.jpg" alt="">),
+                  assert_include %(<img src="/attachments/download/#{attachment.id}/caf%C3%A9.jpg" alt="" />),
                     textilizable("![](café.jpg)", :attachments => [attachment])
                 end
               end

test/unit/lib/redmine/field_format/field_format_test.rb +15 0

             class Redmine::FieldFormatTest < ActionView::TestCase
               include ApplicationHelper
+              def setup
+                set_language_if_valid 'en'
+              end
               def test_string_field_with_text_formatting_disabled_should_not_format_text
                 field = IssueCustomField.new(:field_format => 'string')
                 custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "*foo*")
                 assert_include "<strong>foo</strong>", field.format.formatted_custom_value(self, custom_value, true)
               end
+              def test_should_validate_url_pattern_with_safe_scheme
+                field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'http://foo/%value%')
+                assert_save field
+              end
+              def test_should_not_validate_url_pattern_with_unsafe_scheme
+                field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'foo://foo/%value%')
+                assert !field.save
+                assert_include "URL is invalid", field.errors.full_messages
+              end
               def test_text_field_with_url_pattern_should_format_as_link
                 field = IssueCustomField.new(:field_format => 'string', :url_pattern => 'http://foo/%value%')
                 custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "bar")

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages