Allow '?', or '&' for label titles

1 files changed, 17 insertions, 3 deletions

diff --git a/app/models/label.rb b/app/models/label.rb
index 49c352cc239..115f38c6dfe 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -20,10 +20,10 @@ class Label < ActiveRecord::Base
   validates :color, color: true, allow_blank: false
   validates :project, presence: true, unless: Proc.new { |service| service.template? }
 
-  # Don't allow '?', '&', and ',' for label titles
+  # Don't allow ',' for label titles
   validates :title,
             presence: true,
-            format: { with: /\A[^&\?,]+\z/ },
+            format: { with: /\A[^,]+\z/ },
             uniqueness: { scope: :project_id }
 
   before_save :nullify_priority
@@ -114,7 +114,7 @@ class Label < ActiveRecord::Base
   end
 
   def title=(value)
-    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+    write_attribute(:title, sanitize_title(value)) if value.present?
   end
 
   private
@@ -132,4 +132,18 @@ class Label < ActiveRecord::Base
   def nullify_priority
     self.priority = nil if priority.blank?
   end
+
+  def sanitize_title(value)
+    unnescape_html_entities(Sanitize.clean(value.to_s))
+  end
+
+  def unnescape_html_entities(value)
+    value.to_s.gsub(/(&gt;)|(&lt;)|(&amp;)/, Label::TABLE_FOR_ESCAPE_HTML_ENTITIES.invert)
+  end
+
+  TABLE_FOR_ESCAPE_HTML_ENTITIES = {
+    '&' => '&amp;',
+    '<' => '&lt;',
+    '>' => '&gt;'
+  }
 end