kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

More escaping!

Browse source
This commit is contained in:
Douwe Maan 2015-12-24 21:19:03 +01:00
parent 0ca74f7aad
commit 32543f3bd9
2 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
lib/banzai/filter/abstract_reference_filter.rb
View file

@ -102,7 +102,7 @@ module Banzai
project = project_from_ref(project_ref)
if project && object = find_object(project, id)
title = escape_once(object_link_title(object))
title = object_link_title(object)
klass = reference_class(object_sym)
data = data_attribute(
@ -114,11 +114,11 @@ module Banzai
url = matches[:url] if matches.names.include?("url")
url ||= url_for_object(object, project)
text = link_text || escape_once(object_link_text(object, matches))
text = link_text || object_link_text(object, matches)
%(<a href="#{url}" #{data}
title="#{title}"
class="#{klass}">#{text}</a>)
title="#{escape_once(title)}"
class="#{klass}">#{escape_once(text)}</a>)
else
match
end

2
lib/banzai/filter/reference_filter.rb
View file

@ -44,7 +44,7 @@ module Banzai
# Returns a String
def data_attribute(attributes = {})
attributes[:reference_filter] = self.class.name.demodulize
attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{value}") }.join(" ")
attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{escape_once(value)}") }.join(" ")
end
def escape_once(html)