diff options
| author | Felipe Artur <felipefac@gmail.com> | 2016-05-04 18:21:57 -0300 |
|---|---|---|
| committer | Felipe Artur <felipefac@gmail.com> | 2016-05-05 16:37:49 -0300 |
| commit | d028863eda8b97f6e4db129ef57f0d3a2130c9b3 (patch) | |
| tree | 010e2d279ef301b4fa301815c9878983ffb240cf | |
| parent | fad7b392dc633fb689e657af8b7fad346ede416e (diff) | |
| download | gitlab-ce-issue_15394.tar.gz | |
Sanitize milestones and label titlesissue_15394
| -rw-r--r-- | app/models/label.rb | 5 | ||||
| -rw-r--r-- | app/models/milestone.rb | 5 | ||||
| -rw-r--r-- | spec/lib/banzai/filter/milestone_reference_filter_spec.rb | 2 | ||||
| -rw-r--r-- | spec/models/label_spec.rb | 8 | ||||
| -rw-r--r-- | spec/models/milestone_spec.rb | 8 |
5 files changed, 27 insertions, 1 deletions
diff --git a/app/models/label.rb b/app/models/label.rb index 60bdce32952..0b34911a4e9 100644 --- a/app/models/label.rb +++ b/app/models/label.rb @@ -117,6 +117,11 @@ class Label < ActiveRecord::Base LabelsHelper::text_color_for_bg(self.color) end + def title= value + value = Sanitize.clean(value.to_s) if value + write_attribute(:title, Sanitize.clean(value)) + end + private def label_format_reference(format = :id) diff --git a/app/models/milestone.rb b/app/models/milestone.rb index 986184dd301..ed81791c69c 100644 --- a/app/models/milestone.rb +++ b/app/models/milestone.rb @@ -129,6 +129,11 @@ class Milestone < ActiveRecord::Base nil end + def title= value + value = Sanitize.clean(value.to_s) if value + write_attribute(:title, value) + end + # Sorts the issues for the given IDs. # # This method runs a single SQL query using a CASE statement to update the diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb index ebf3d7489b5..5beb61dac5c 100644 --- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb +++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb @@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do milestone.update_attribute(:title, %{"></a>whatever<a title="}) doc = reference_filter("milestone #{reference}") - expect(doc.text).to eq "milestone #{milestone.title}" + expect(doc.text).to eq "milestone \">whatever" end it 'includes default classes' do diff --git a/spec/models/label_spec.rb b/spec/models/label_spec.rb index 0614ca1e7c9..b61c55a3f6d 100644 --- a/spec/models/label_spec.rb +++ b/spec/models/label_spec.rb @@ -55,6 +55,14 @@ describe Label, models: true do end end + describe "#title" do + let(:label) { create(:label, title: "<b>test</b>") } + + it "sanitizes title" do + expect(label.title).to eq("test") + end + end + describe '#to_reference' do context 'using id' do it 'returns a String reference to the object' do diff --git a/spec/models/milestone_spec.rb b/spec/models/milestone_spec.rb index 72a4ea70228..e2c89a4b3e6 100644 --- a/spec/models/milestone_spec.rb +++ b/spec/models/milestone_spec.rb @@ -34,6 +34,14 @@ describe Milestone, models: true do let(:issue) { create(:issue) } let(:user) { create(:user) } + describe "#title" do + let(:milestone) { create(:milestone, title: "<b>test</b>") } + + it "sanitizes title" do + expect(milestone.title).to eq("test") + end + end + describe "unique milestone title per project" do it "shouldn't accept the same title in a project twice" do new_milestone = Milestone.new(project: milestone.project, title: milestone.title) |