Escape title attributes in references

author: Robert Speicher <rspeicher@gmail.com> 2015-04-16 12:41:59 -0400
committer: Robert Speicher <rspeicher@gmail.com> 2015-04-20 13:01:46 -0400
commit: b905702d4f02afaf580d2d83afc9168af95073ca (patch)
tree: 1fd8ac04d75cd720f40c48e6f94b5b0c95de5f17 /app/helpers/labels_helper.rb
parent: a3c71d9898ac762ebec8800a68f8aaae7671773c (diff)
download: gitlab-ce-b905702d4f02afaf580d2d83afc9168af95073ca.tar.gz
1 files changed, 5 insertions, 2 deletions
diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb
index 0259829a059..8272c177d59 100644
--- a/app/helpers/labels_helper.rb
+++ b/app/helpers/labels_helper.rb
@@ -1,4 +1,6 @@
 module LabelsHelper
+  include ActionView::Helpers::TagHelper
+
   def project_label_names
     @project.labels.pluck(:title)
   end
@@ -11,7 +13,7 @@ module LabelsHelper
     # by LabelReferenceFilter
     span = %(<span class="label color-label") +
       %( style="background-color: #{label_color}; color: #{text_color}">) +
-      label.name + '</span>'
+      escape_once(label.name) + '</span>'
 
     span.html_safe
   end
@@ -56,5 +58,6 @@ module LabelsHelper
     options_from_collection_for_select(project.labels, 'name', 'name', params[:label_name])
   end
 
-  module_function :render_colored_label, :text_color_for_bg
+  # Required for Gitlab::Markdown::LabelReferenceFilter
+  module_function :render_colored_label, :text_color_for_bg, :escape_once
 end
author	Robert Speicher <rspeicher@gmail.com>	2015-04-16 12:41:59 -0400
committer	Robert Speicher <rspeicher@gmail.com>	2015-04-20 13:01:46 -0400
commit	b905702d4f02afaf580d2d83afc9168af95073ca (patch)
tree	1fd8ac04d75cd720f40c48e6f94b5b0c95de5f17 /app/helpers/labels_helper.rb
parent	a3c71d9898ac762ebec8800a68f8aaae7671773c (diff)
download	gitlab-ce-b905702d4f02afaf580d2d83afc9168af95073ca.tar.gz