Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-14 09:16:02 +01:00
Code Issues Packages Projects Releases Activity

Fix mentioning users with certain characters renders incorrectly (#37755).

Browse Source 
Patch Mizuki ISHIKAWA.


git-svn-id: https://svn.redmine.org/redmine/trunk@21986 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu
2022-12-03 13:21:17 +00:00
parent c8f3841ec8
commit 0b72c5bfa7
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/helpers/application_helper.rb
View File

@@ -60,7 +60,7 @@ module ApplicationHelper
case principal case principal
when User when User
name = h(principal.name(options[:format])) name = h(principal.name(options[:format]))
name = "@" + name if options[:mention] name = "@".html_safe + name if options[:mention]
css_classes = '' css_classes = ''
if principal.active? || (User.current.admin? && principal.logged?) if principal.active? || (User.current.admin? && principal.logged?)
url = user_url(principal, :only_path => only_path) url = user_url(principal, :only_path => only_path)

10
test/helpers/application_helper_test.rb
View File

@@ -1841,6 +1841,16 @@ class ApplicationHelperTest < Redmine::HelperTest
assert_equal result, link_to_principal(unknown_principal, :class => 'bar') assert_equal result, link_to_principal(unknown_principal, :class => 'bar')
end end
def test_link_to_principal_should_escape_principal_name
user = User.generate!(firstname: "firstname<>'", lastname: 'lastname&"')
group = Group.generate!(lastname: "group<>'&")
assert_include "firstname&lt;&gt;&#39; lastname&amp;&quot;", link_to_principal(user)
assert_include "@firstname&lt;&gt;&#39; lastname&amp;&quot;", link_to_principal(user, { mention: true })
assert_include "group&lt;&gt;&#39;&amp;", link_to_principal(group)
assert_include "&lt;&gt;&#39;&amp;", link_to_principal("<>'&")
end
def test_link_to_group_should_return_only_group_name_for_non_admin_users def test_link_to_group_should_return_only_group_name_for_non_admin_users
User.current = nil User.current = nil
group = Group.find(10) group = Group.find(10)