summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorRobert Speicher <robert@gitlab.com>2015-12-24 22:19:36 +0000
committerRobert Speicher <rspeicher@gmail.com>2015-12-24 17:20:02 -0500
commit476f6238b9b8f6541304c952a5b4250b1573380e (patch)
treeea341ee86d909c04f8996d5215a8b2cb439e78f3 /lib
parent8c208a90eb84e44ff30b1c1ddf5234edf22d62fa (diff)
downloadgitlab-ce-476f6238b9b8f6541304c952a5b4250b1573380e.tar.gz
Merge branch 'ref-filter-html' into 'master'
Escape all the things. See merge request !2209
Diffstat (limited to 'lib')
-rw-r--r--lib/banzai/filter/abstract_reference_filter.rb23
-rw-r--r--lib/banzai/filter/external_issue_reference_filter.rb6
-rw-r--r--lib/banzai/filter/label_reference_filter.rb2
-rw-r--r--lib/banzai/filter/reference_filter.rb4
-rw-r--r--lib/banzai/filter/user_reference_filter.rb2
5 files changed, 20 insertions, 17 deletions
diff --git a/lib/banzai/filter/abstract_reference_filter.rb b/lib/banzai/filter/abstract_reference_filter.rb
index bdaa4721b4b..63ad8910c0f 100644
--- a/lib/banzai/filter/abstract_reference_filter.rb
+++ b/lib/banzai/filter/abstract_reference_filter.rb
@@ -98,7 +98,7 @@ module Banzai
project = project_from_ref(project_ref)
if project && object = find_object(project, id)
- title = escape_once(object_link_title(object))
+ title = object_link_title(object)
klass = reference_class(object_sym)
data = data_attribute(
@@ -110,17 +110,11 @@ module Banzai
url = matches[:url] if matches.names.include?("url")
url ||= url_for_object(object, project)
- text = link_text
- unless text
- text = object.reference_link_text(context[:project])
-
- extras = object_link_text_extras(object, matches)
- text += " (#{extras.join(", ")})" if extras.any?
- end
+ text = link_text || object_link_text(object, matches)
%(<a href="#{url}" #{data}
- title="#{title}"
- class="#{klass}">#{text}</a>)
+ title="#{escape_once(title)}"
+ class="#{klass}">#{escape_once(text)}</a>)
else
match
end
@@ -140,6 +134,15 @@ module Banzai
def object_link_title(object)
"#{object_class.name.titleize}: #{object.title}"
end
+
+ def object_link_text(object, matches)
+ text = object.reference_link_text(context[:project])
+
+ extras = object_link_text_extras(object, matches)
+ text += " (#{extras.join(", ")})" if extras.any?
+
+ text
+ end
end
end
end
diff --git a/lib/banzai/filter/external_issue_reference_filter.rb b/lib/banzai/filter/external_issue_reference_filter.rb
index f5942740cd6..6136e73c096 100644
--- a/lib/banzai/filter/external_issue_reference_filter.rb
+++ b/lib/banzai/filter/external_issue_reference_filter.rb
@@ -63,15 +63,15 @@ module Banzai
url = url_for_issue(id, project, only_path: context[:only_path])
- title = escape_once("Issue in #{project.external_issue_tracker.title}")
+ title = "Issue in #{project.external_issue_tracker.title}"
klass = reference_class(:issue)
data = data_attribute(project: project.id, external_issue: id)
text = link_text || match
%(<a href="#{url}" #{data}
- title="#{title}"
- class="#{klass}">#{text}</a>)
+ title="#{escape_once(title)}"
+ class="#{klass}">#{escape_once(text)}</a>)
end
end
diff --git a/lib/banzai/filter/label_reference_filter.rb b/lib/banzai/filter/label_reference_filter.rb
index 07bac2dd7fd..a3a7a23c1e6 100644
--- a/lib/banzai/filter/label_reference_filter.rb
+++ b/lib/banzai/filter/label_reference_filter.rb
@@ -60,7 +60,7 @@ module Banzai
text = link_text || render_colored_label(label)
%(<a href="#{url}" #{data}
- class="#{klass}">#{text}</a>)
+ class="#{klass}">#{escape_once(text)}</a>)
else
match
end
diff --git a/lib/banzai/filter/reference_filter.rb b/lib/banzai/filter/reference_filter.rb
index 33457a3f361..a22a7a7afd3 100644
--- a/lib/banzai/filter/reference_filter.rb
+++ b/lib/banzai/filter/reference_filter.rb
@@ -44,11 +44,11 @@ module Banzai
# Returns a String
def data_attribute(attributes = {})
attributes[:reference_filter] = self.class.name.demodulize
- attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{value}") }.join(" ")
+ attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{escape_once(value)}") }.join(" ")
end
def escape_once(html)
- ERB::Util.html_escape_once(html)
+ html.html_safe? ? html : ERB::Util.html_escape_once(html)
end
def ignore_parents
diff --git a/lib/banzai/filter/user_reference_filter.rb b/lib/banzai/filter/user_reference_filter.rb
index 67c24faf991..7f302d51dd7 100644
--- a/lib/banzai/filter/user_reference_filter.rb
+++ b/lib/banzai/filter/user_reference_filter.rb
@@ -122,7 +122,7 @@ module Banzai
end
def link_tag(url, data, text)
- %(<a href="#{url}" #{data} class="#{link_class}">#{text}</a>)
+ %(<a href="#{url}" #{data} class="#{link_class}">#{escape_once(text)}</a>)
end
end
end