summaryrefslogtreecommitdiff
path: root/app/controllers/projects/milestones_controller.rb
diff options
context:
space:
mode:
authorFilipa Lacerda <filipa@gitlab.com>2018-07-16 11:49:01 +0100
committerFilipa Lacerda <filipa@gitlab.com>2018-07-17 10:21:12 +0100
commita0930b83ecfa0513990fcae8450726add1d9206d (patch)
tree8b41e3ef78c4b1d77b855050db7422c188e9d6f6 /app/controllers/projects/milestones_controller.rb
parentfc9f90045d930641690f75e9bae25683dc67a24e (diff)
downloadgitlab-ce-a0930b83ecfa0513990fcae8450726add1d9206d.tar.gz
Escapes milestone and label names when promoting them
Diffstat (limited to 'app/controllers/projects/milestones_controller.rb')
-rw-r--r--app/controllers/projects/milestones_controller.rb14
1 files changed, 11 insertions, 3 deletions
diff --git a/app/controllers/projects/milestones_controller.rb b/app/controllers/projects/milestones_controller.rb
index 17571935c1c..b9b3dcd5a85 100644
--- a/app/controllers/projects/milestones_controller.rb
+++ b/app/controllers/projects/milestones_controller.rb
@@ -1,5 +1,4 @@
class Projects::MilestonesController < Projects::ApplicationController
- include ActionView::Helpers::SanitizeHelper
include Gitlab::Utils::StrongMemoize
include MilestoneActions
@@ -77,8 +76,8 @@ class Projects::MilestonesController < Projects::ApplicationController
def promote
promoted_milestone = Milestones::PromoteService.new(project, current_user).execute(milestone)
- milestone_title = sanitize(milestone.title)
- flash[:notice] = "#{milestone_title} promoted to <a href=\"#{group_milestone_path(project.group, promoted_milestone.iid)}\"><u>group milestone</u></a>.".html_safe
+ flash[:notice] = flash_notice_for(promoted_milestone, project.group)
+
respond_to do |format|
format.html do
redirect_to project_milestones_path(project)
@@ -91,6 +90,15 @@ class Projects::MilestonesController < Projects::ApplicationController
redirect_to milestone, alert: error.message
end
+ def flash_notice_for(milestone, group)
+ notice = ''.html_safe
+ notice << milestone.title
+ notice << ' promoted to '
+ notice << view_context.link_to('<u>group milestone</u>'.html_safe, group_milestone_path(group, milestone.iid))
+ notice << '.'
+ notice
+ end
+
def destroy
return access_denied! unless can?(current_user, :admin_milestone, @project)