Escaping the object_link_text on cross project milestone references

2016-04-04 23:09:44 -03:00 · 2016-04-04 23:09:44 -03:00 · 1ff896f2bf
commit 1ff896f2bf
parent 6d9794d42a
2 changed files with 7 additions and 1 deletions
--- a/lib/banzai/filter/milestone_reference_filter.rb
+++ b/lib/banzai/filter/milestone_reference_filter.rb
@ -39,7 +39,7 @@ module Banzai
        if context[:project] == object.project
          super
        else
-          "#{super} <i>in #{escape_once(object.project.name_with_namespace)}</i>".
+          "#{escape_once(super)} <i>in #{escape_once(object.project.name_with_namespace)}</i>".
            html_safe
        end
      end
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@ -176,5 +176,11 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
    it 'contains cross project content' do
      expect(result.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
    end
+
+    it 'escapes the name attribute' do
+      allow_any_instance_of(Milestone).to receive(:title).and_return(%{"></a>whatever<a title="})
+      doc = reference_filter("See #{reference}")
+      expect(doc.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
+    end
  end
 end