author | Douwe Maan <douwe@selenight.nl> | 2018-02-15 12:06:57 +0100 |
---|---|---|
committer | Douwe Maan <douwe@selenight.nl> | 2018-02-15 12:07:03 +0100 |
commit | bed60b8c47acd11569da7cf5dc5bdb545ac97784 (patch) | |
tree | 9f9e76dd1b1fec8b00a98fe2a282c82e670d7069 | |
parent | 2b3313697f370d31abdda4177701ba20b66ba3e6 (diff) | |
download | gitlab-ce-bed60b8c47acd11569da7cf5dc5bdb545ac97784.tar.gz |
Escape HTML entities in commit messages
-rw-r--r-- | changelogs/unreleased/dm-escape-commit-message.yml | 5 | ||||
-rw-r--r-- | lib/banzai/filter/html_entity_filter.rb | 2 | ||||
-rw-r--r-- | spec/helpers/events_helper_spec.rb | 4 | ||||
-rw-r--r-- | spec/lib/banzai/filter/html_entity_filter_spec.rb | 9 |
4 files changed, 12 insertions, 8 deletions
diff --git a/changelogs/unreleased/dm-escape-commit-message.yml b/changelogs/unreleased/dm-escape-commit-message.yml
new file mode 100644
index 00000000000..89af2da3484
--- /dev/null
+++ b/changelogs/unreleased/dm-escape-commit-message.yml
@@ -0,0 +1,5 @@
+---
+title: Escape HTML entities in commit messages
+merge_request:
+author:
+type: fixed
diff --git a/lib/banzai/filter/html_entity_filter.rb b/lib/banzai/filter/html_entity_filter.rb
index f3bd587c28b..e008fd428b0 100644
--- a/lib/banzai/filter/html_entity_filter.rb
+++ b/lib/banzai/filter/html_entity_filter.rb
@@ -5,7 +5,7 @@ module Banzai
 # Text filter that escapes these HTML entities: & " < >
 class HtmlEntityFilter < HTML::Pipeline::TextFilter
 def call
- ERB::Util.html_escape_once(text)
+ ERB::Util.html_escape(text)
 end
 end
 end
diff --git a/spec/helpers/events_helper_spec.rb b/spec/helpers/events_helper_spec.rb
index 8a80b88da5d..fccde8b7eba 100644
--- a/spec/helpers/events_helper_spec.rb
+++ b/spec/helpers/events_helper_spec.rb
@@ -20,5 +20,9 @@ describe EventsHelper do
 it 'handles nil values' do
 expect(helper.event_commit_title(nil)).to eq('')
 end
+
+ it 'does not escape HTML entities' do
+ expect(helper.event_commit_title("foo & bar")).to eq("foo & bar")
+ end
 end
 end
diff --git a/spec/lib/banzai/filter/html_entity_filter_spec.rb b/spec/lib/banzai/filter/html_entity_filter_spec.rb
index 91e18d876d5..43e85cbcb24 100644
--- a/spec/lib/banzai/filter/html_entity_filter_spec.rb
+++ b/spec/lib/banzai/filter/html_entity_filter_spec.rb
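Review bot: The class comment kept as context in the html_entity_filter.rb hunk (`# Text filter that escapes these HTML entities: & " < >`) no longer states the contract precisely: with `ERB::Util.html_escape` an ampersand that already starts an entity is escaped again (which is the point of the fix, so that `&amp;` typed into a commit message renders literally), and, if I recall the ActiveSupport implementation correctly, `'` is escaped to `&#39;` as well. I would reword it to `# Text filter that escapes & " ' < >; entities already in the input are escaped again, so "&amp;" renders literally`. A second caveat to confirm against the Rails version the project pins: `ERB::Util.html_escape` returns its argument untouched when the string is already marked `html_safe?`, whereas `html_escape_once` escaped regardless, so a pipeline that hands this filter a SafeBuffer would now skip escaping silently; a spec such as `expect(filter('<b>'.html_safe)).to eq('&lt;b&gt;')` (or explicitly coercing `text` to a plain String before escaping) would pin that down either way.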
@@ -3,17 +3,12 @@ require 'spec_helper'
 describe Banzai::Filter::HtmlEntityFilter do
 include FilterSpecHelper
- let(:unescaped) { 'foo <strike attr="foo">&&&</strike>' }
- let(:escaped) { 'foo <strike attr="foo">&&&</strike>' }
+ let(:unescaped) { 'foo <strike attr="foo">&&</strike>' }
+ let(:escaped) { 'foo <strike attr="foo">&&amp;&</strike>' }
 it 'converts common entities to their HTML-escaped equivalents' do
 output = filter(unescaped)
 expect(output).to eq(escaped)
 end
-
- it 'does not double-escape' do
- escaped = ERB::Util.html_escape("Merge branch 'blabla' into 'master'")
- expect(filter(escaped)).to eq(escaped)
- end
 end |
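Review bot: Deleting the 'does not double-escape' example leaves the behavior this commit introduces — an already-escaped input is escaped again — without a dedicated test, even though that reversal is the substance of the fix; the updated `escaped` expectation only covers it incidentally through the run of ampersands, and the literals as shown on this page have been decoded by the renderer, so the exact strings should be checked in the repository rather than here. I would add the inverse of the removed example: `it 'escapes entities that are already escaped' do` / `expect(filter('&amp;')).to eq('&amp;amp;')` / `end`. Note that in the old version the `unescaped` and `escaped` values print identically on this page for the same rendering reason, not because the spec compared equal strings.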