Escaping the object_link_text
on cross project milestone references
parent
6d9794d42a
commit
1ff896f2bf
2 changed files with 7 additions and 1 deletions
|
@ -39,7 +39,7 @@ module Banzai
|
|||
if context[:project] == object.project
|
||||
super
|
||||
else
|
||||
"#{super} <i>in #{escape_once(object.project.name_with_namespace)}</i>".
|
||||
"#{escape_once(super)} <i>in #{escape_once(object.project.name_with_namespace)}</i>".
|
||||
html_safe
|
||||
end
|
||||
end
|
||||
|
|
|
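Review bot: The `.html_safe` on the else branch marks the whole interpolated string as trusted, so its safety rests entirely on the two `escape_once` calls, and nothing in the method says so. A comment above the string, for example `# html_safe below disables later escaping, so every interpolated fragment must be escaped here`, would keep a later edit from reintroducing raw interpolation. Also, `escape_once` leaves existing entities untouched, so a title that literally contains `&lt;` would presumably render as `<` rather than as typed; `ERB::Util.html_escape(super)` escapes unconditionally if `super` is confirmed to return unescaped text. The method begins outside the hunk, so what `super` returns is not visible here.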
@ -176,5 +176,11 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
|
|||
it 'contains cross project content' do
|
||||
expect(result.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
|
||||
end
|
||||
|
||||
it 'escapes the name attribute' do
|
||||
allow_any_instance_of(Milestone).to receive(:title).and_return(%{"></a>whatever<a title="})
|
||||
doc = reference_filter("See #{reference}")
|
||||
expect(doc.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
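Review bot: The new example 'escapes the name attribute' only compares the first link's text, which the HTML parser has already decoded, so it does not directly show that the stubbed payload stayed inside a single element. Adding `expect(doc.css('a').size).to eq 1` (assuming the reference text yields exactly one link) would fail if the title closed the anchor and opened a second one. Whether `milestone.name` reflects the stubbed `title` is not visible in this hunk, so it is unclear if the expected string actually contains the payload. The enclosing context begins outside the hunk.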