-rw-r--r-- | app/models/label.rb | 5 | ||||
-rw-r--r-- | app/models/milestone.rb | 5 | ||||
-rw-r--r-- | spec/lib/banzai/filter/milestone_reference_filter_spec.rb | 2 | ||||
-rw-r--r-- | spec/models/label_spec.rb | 8 | ||||
-rw-r--r-- | spec/models/milestone_spec.rb | 8 |
5 files changed, 27 insertions, 1 deletions
diff --git a/app/models/label.rb b/app/models/label.rb
index 60bdce32952..0b34911a4e9 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -117,6 +117,11 @@ class Label < ActiveRecord::Base
     LabelsHelper::text_color_for_bg(self.color)
   end
 
+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, Sanitize.clean(value))
+  end
+
   private
 
   def label_format_reference(format = :id)
diff --git a/app/models/milestone.rb b/app/models/milestone.rb
index 986184dd301..ed81791c69c 100644
--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@@ -129,6 +129,11 @@ class Milestone < ActiveRecord::Base
     nil
   end
 
+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, value)
+  end
+
   # Sorts the issues for the given IDs.
   #
   # This method runs a single SQL query using a CASE statement to update the
diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
index ebf3d7489b5..5beb61dac5c 100644
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
     milestone.update_attribute(:title, %{"></a>whatever<a title="})
     doc = reference_filter("milestone #{reference}")
 
-    expect(doc.text).to eq "milestone #{milestone.title}"
+    expect(doc.text).to eq "milestone \">whatever"
   end
 
   it 'includes default classes' do
diff --git a/spec/models/label_spec.rb b/spec/models/label_spec.rb
index 0614ca1e7c9..b61c55a3f6d 100644
--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@@ -55,6 +55,14 @@ describe Label, models: true do
     end
   end
 
+  describe "#title" do
+    let(:label) { create(:label, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(label.title).to eq("test")
+    end
+  end
+
   describe '#to_reference' do
     context 'using id' do
       it 'returns a String reference to the object' do
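Review bot: The new `title=` setter in label.rb sanitizes twice, and the second call is unguarded: the first line only runs `Sanitize.clean` when `value` is truthy, but the next line calls `Sanitize.clean(value)` again unconditionally, so a nil title reaches the sanitizer and the `if value` guard achieves nothing. The milestone.rb setter added in the same commit writes the cleaned value straight through, and label.rb should match it: `write_attribute(:title, value)`. Note also that this is a stripping sanitizer applied at write time — the filter spec in this commit shows `"></a>whatever<a title="` being stored as `">whatever` — so a legitimate plain-text title containing `<` or `&` will presumably be rewritten or entity-encoded in the database rather than escaped on output; worth confirming that this is the intended trade-off and that output escaping in the reference filters is kept as the primary defence. Writes that bypass attribute writers (`update_column`, `update_all`, raw SQL) would also skip this setter, which a short comment above it should state.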
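Review bot: The milestone.rb setter only affects titles assigned from now on; rows already holding markup in `title` are not touched by this commit, since no migration or backfill is visible here, so any existing injected title stays in the database until it is re-saved through this writer. If that is acceptable it should be documented; otherwise a one-off cleanup of existing rows belongs with this change. A header comment would also help the next reader understand why a model overrides an attribute writer, e.g. `# Strip HTML from titles on assignment; titles are rendered into reference links and attributes, so markup must never reach the database. Bypassed by update_column/update_all.`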
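Review bot: The updated assertion in milestone_reference_filter_spec.rb now tests the model's sanitizer, not the filter: `update_attribute` goes through the new `title=` writer, so the injected markup is stripped before the filter ever sees it, and the filter's own attribute escaping is no longer exercised by this example. Keep a case that feeds the filter an unsanitized title by bypassing the writer, e.g. `milestone.update_column(:title, %{"></a>whatever<a title="})`, and assert the rendered output is still escaped; otherwise a regression in the filter would go unnoticed as long as the model writer holds. Mentioning in the example name that the model strips markup (`it 'renders a title sanitized by the model'`) would make the changed expectation self-explanatory.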
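Review bot: The new `#title` example in label_spec.rb only covers tag stripping and would not catch the nil-handling problem in the label.rb setter, where the second `Sanitize.clean` call runs on a nil value. Add a case that assigns nil without hitting validations, e.g. `it "accepts a nil title" do` / `expect(Label.new(title: nil).title).to be_nil` / `end`, and a case pinning what happens to a plain-text title containing `<` or `&`, since the behaviour there (stripped, encoded or kept) is what callers will actually observe.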
diff --git a/spec/models/milestone_spec.rb b/spec/models/milestone_spec.rb
index 72a4ea70228..e2c89a4b3e6 100644
--- a/spec/models/milestone_spec.rb
+++ b/spec/models/milestone_spec.rb
@@ -34,6 +34,14 @@ describe Milestone, models: true do
   let(:issue) { create(:issue) }
   let(:user) { create(:user) }
 
+  describe "#title" do
+    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(milestone.title).to eq("test")
+    end
+  end
+
   describe "unique milestone title per project" do
     it "shouldn't accept the same title in a project twice" do
       new_milestone = Milestone.new(project: milestone.project, title: milestone.title)
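Review bot: The new `let(:milestone)` in this `#title` block shadows a `milestone` that the surrounding context appears to rely on (the "unique milestone title per project" example below references `milestone.project` and `milestone.title`), so the scoping only works because the override is confined to the new `describe`; a local name such as `let(:html_milestone)` would avoid the shadowing and make the intent clearer. As with the label spec, the single example pins only tag stripping; add a case for a plain-text title containing `<` or `&` so the on-disk form of ordinary titles is asserted, e.g. `expect(Milestone.new(title: "a < b").title).to eq(...)` with the value the sanitizer actually produces.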