authorSean McGivern <sean@mcgivern.me.uk>2017-07-12 14:37:15 +0000
committerSean McGivern <sean@mcgivern.me.uk>2017-07-12 14:37:15 +0000
commitfd692d10663e5d3c7dc0de9221d6231b7fbcc464 (patch)
tree83e5ae6882b753c72933dd5cc8a20895762431f4
parent61ec2f300c9b0b52bdd5a2f5c88d0ac3163258d7 (diff)
parent4f47de62b47e136ffe335dc93acff3f6cd69b98f (diff)
Merge branch 'bugfix-htmlenc' into 'master'
Decode user/namespace names before display. See merge request !10085
-rw-r--r--app/models/user.rb2
-rw-r--r--changelogs/unreleased/10085-stop-encoding-user-name.yml4
-rw-r--r--spec/models/user_spec.rb12
3 files changed, 17 insertions, 1 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index 4b01c2f19f0..2d39b1c1c34 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -699,7 +699,7 @@ class User < ActiveRecord::Base
end
def sanitize_attrs
- %w[name username skype linkedin twitter].each do |attr|
+ %w[username skype linkedin twitter].each do |attr|
value = public_send(attr)
public_send("#{attr}=", Sanitize.clean(value)) if value.present?
end
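Review bot: Dropping `name` from the attribute list at line 27 means a user's display name is now persisted verbatim, including any `<`, `>`, `&` or tag-like input, so every consumer of `name` now depends entirely on output escaping; the change carries no comment saying so, and any later `raw`/`html_safe` call or non-HTML sink (mail, API, Markdown) on the field would be an injection point that the old `Sanitize.clean` pass would have masked. I would add above line 27: `# name is deliberately left unsanitized: it is stored raw and escaped at render time; sanitizing it here HTML-encoded the value and produced double-escaped output in views (see !10085).` Records already written through the old pass keep their encoded entities (e.g. `&amp;`), and nothing in this merge request decodes them, so a data migration is needed if those are to be displayed correctly. The rest of `sanitize_attrs`, including its closing `end`, is outside the hunk.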
diff --git a/changelogs/unreleased/10085-stop-encoding-user-name.yml b/changelogs/unreleased/10085-stop-encoding-user-name.yml
new file mode 100644
index 00000000000..8fab474e047
--- /dev/null
+++ b/changelogs/unreleased/10085-stop-encoding-user-name.yml
@@ -0,0 +1,4 @@
+---
+title: "Insert user name directly without encoding"
+merge_request: 10085
+author: Nathan Neulinger <nneul@neulinger.org>
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index d04162a527f..c70f916a8bd 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1159,6 +1159,18 @@ describe User, models: true do
end
end
+ describe '#sanitize_attrs' do
+ let(:user) { build(:user, name: 'test & user', skype: 'test&user') }
+
+ it 'encodes HTML entities in the Skype attribute' do
+ expect { user.sanitize_attrs }.to change { user.skype }.to('test&amp;user')
+ end
+
+ it 'does not encode HTML entities in the name attribute' do
+ expect { user.sanitize_attrs }.not_to change { user.name }
+ end
+ end
+
describe '#starred?' do
it 'determines if user starred a project' do
user = create :user