Escape all the things.

This commit is contained in:
Douwe Maan 2015-12-24 21:36:33 +01:00
parent e3befaed82
commit 37993d3957
5 changed files with 20 additions and 17 deletions


@ -98,7 +98,7 @@ module Banzai
project = project_from_ref(project_ref) project = project_from_ref(project_ref)
if project && object = find_object(project, id) if project && object = find_object(project, id)
title = escape_once(object_link_title(object)) title = object_link_title(object)
klass = reference_class(object_sym) klass = reference_class(object_sym)
data = data_attribute( data = data_attribute(
@ -110,17 +110,11 @@ module Banzai
url = matches[:url] if matches.names.include?("url") url = matches[:url] if matches.names.include?("url")
url ||= url_for_object(object, project) url ||= url_for_object(object, project)
text = link_text text = link_text || object_link_text(object, matches)
unless text
text = object.reference_link_text(context[:project])
extras = object_link_text_extras(object, matches)
text += " (#{extras.join(", ")})" if extras.any?
end
%(<a href="#{url}" #{data} %(<a href="#{url}" #{data}
title="#{title}" title="#{escape_once(title)}"
class="#{klass}">#{text}</a>) class="#{klass}">#{escape_once(text)}</a>)
else else
match match
end end
@ -140,6 +134,15 @@ module Banzai
def object_link_title(object) def object_link_title(object)
"#{object_class.name.titleize}: #{object.title}" "#{object_class.name.titleize}: #{object.title}"
end end
def object_link_text(object, matches)
text = object.reference_link_text(context[:project])
extras = object_link_text_extras(object, matches)
text += " (#{extras.join(", ")})" if extras.any?
text
end
end end
end end
end end
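Review bot: `url` is still interpolated raw into `href="#{url}"` just below the new `text = link_text || object_link_text(object, matches)` line, while title and text are now escaped; `url` can come from `matches[:url]`, i.e. text captured from the document being filtered, so unless the reference pattern is known to exclude `"` and `&` the attribute value is unprotected. I would escape it the same way, `%(<a href="#{escape_once(url)}" #{data}`, and the same applies to the `href` lines in the external-issue, label and `link_tag` hunks of this commit. The `object_link_text` helper added at the end of the hunk could also carry the file's `# Returns a String` comment style, stating that it returns the unescaped link text with any extras appended. The method this hunk edits starts before the hunk.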


@ -63,15 +63,15 @@ module Banzai
url = url_for_issue(id, project, only_path: context[:only_path]) url = url_for_issue(id, project, only_path: context[:only_path])
title = escape_once("Issue in #{project.external_issue_tracker.title}") title = "Issue in #{project.external_issue_tracker.title}"
klass = reference_class(:issue) klass = reference_class(:issue)
data = data_attribute(project: project.id, external_issue: id) data = data_attribute(project: project.id, external_issue: id)
text = link_text || match text = link_text || match
%(<a href="#{url}" #{data} %(<a href="#{url}" #{data}
title="#{title}" title="#{escape_once(title)}"
class="#{klass}">#{text}</a>) class="#{klass}">#{escape_once(text)}</a>)
end end
end end


@ -60,7 +60,7 @@ module Banzai
text = link_text || render_colored_label(label) text = link_text || render_colored_label(label)
%(<a href="#{url}" #{data} %(<a href="#{url}" #{data}
class="#{klass}">#{text}</a>) class="#{klass}">#{escape_once(text)}</a>)
else else
match match
end end
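Review bot: `text = link_text || render_colored_label(label)` now goes through `escape_once`, and `render_colored_label` is outside the hunk; since this commit's `escape_once` returns html_safe strings untouched, the label markup survives only if that helper returns an html_safe string, and the label title is then escaped (or not) entirely inside it. That is worth confirming with a spec, and recording above the `%(<a` line: `# render_colored_label returns html_safe markup, so escape_once leaves it intact; the label title must be escaped inside it.` The enclosing method starts before this hunk.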


@ -44,11 +44,11 @@ module Banzai
# Returns a String # Returns a String
def data_attribute(attributes = {}) def data_attribute(attributes = {})
attributes[:reference_filter] = self.class.name.demodulize attributes[:reference_filter] = self.class.name.demodulize
attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{value}") }.join(" ") attributes.map { |key, value| %Q(data-#{key.to_s.dasherize}="#{escape_once(value)}") }.join(" ")
end end
def escape_once(html) def escape_once(html)
ERB::Util.html_escape_once(html) html.html_safe? ? html : ERB::Util.html_escape_once(html)
end end
def ignore_parents def ignore_parents
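Review bot: The new `escape_once` trusts the `html_safe?` flag and returns such strings unescaped, whereas `ERB::Util.html_escape_once` on its own (as far as I recall) escapes the content and merely preserves the flag — so escaping now depends on every caller that marks a string html_safe having escaped the user-controlled parts itself. That contract should be stated on the method, e.g. `# Escapes html for an attribute or text context; html_safe strings are returned as-is, so whoever marks a string safe must already have escaped any user-controlled fragments.` In `data_attribute`, `escape_once(value)` is also reached with non-String values (the `project.id` seen in the external-issue hunk); `html_escape_once` calls `to_s` and ActiveSupport defines `Object#html_safe?`, so this should work, but a spec covering a non-String value would pin it.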


@ -122,7 +122,7 @@ module Banzai
end end
def link_tag(url, data, text) def link_tag(url, data, text)
%(<a href="#{url}" #{data} class="#{link_class}">#{text}</a>) %(<a href="#{url}" #{data} class="#{link_class}">#{escape_once(text)}</a>)
end end
end end
end end
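Review bot: `link_tag` now escapes `text` but nothing records that contract; a caller that pre-escapes is harmless, since `html_escape_once` leaves existing entities alone, but one that marks its text html_safe bypasses escaping entirely under this commit's `escape_once`. I would add above `def link_tag`: `# Returns an <a> String; text is HTML-escaped here (unless already html_safe), so callers pass raw text.` The `href="#{url}"` on the same line remains unescaped; see the note on the first hunk.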