Allowing ">" to be used for Milestone model's title and storing the value in db as unescaped.

Updating test value for milestone title

Adding API test for title with reserved HTML characters.

Updating changelog

Adding the MR number for fixing bug #22452.

Removing duplicate line

Updating MR number.
This commit is contained in:
Makoto Scott-Hinkle 2016-09-26 16:47:34 -07:00 committed by Makoto Scott-Hinkle
parent 80fef70bb7
commit 82b13a21a6
4 changed files with 16 additions and 3 deletions

@ -20,6 +20,7 @@ v 8.13.0 (unreleased)
- Optimize GitHub importing for speed and memory - Optimize GitHub importing for speed and memory
- API: expose pipeline data in builds API (!6502, Guilherme Salazar) - API: expose pipeline data in builds API (!6502, Guilherme Salazar)
- Fix broken repository 500 errors in project list - Fix broken repository 500 errors in project list
- Fix unnecessary escaping of reserved HTML characters in milestone title. !6533
v 8.12.4 (unreleased) v 8.12.4 (unreleased)
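Review bot: the new changelog entry does not follow the format of the neighbouring entries, which put the MR reference in parentheses and end without a period, e.g. `- API: expose pipeline data in builds API (!6502, Guilherme Salazar)`. Suggest `- Fix unnecessary escaping of reserved HTML characters in milestone title (!6533)` so the line matches the file's convention.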

@ -158,7 +158,7 @@ class Milestone < ActiveRecord::Base
end end
def title=(value) def title=(value)
write_attribute(:title, Sanitize.clean(value.to_s)) if value.present? write_attribute(:title, sanitize_title(value)) if value.present?
end end
# Sorts the issues for the given IDs. # Sorts the issues for the given IDs.
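Review bot: with this change `Milestone#title` is stored unescaped, so every consumer of the attribute must escape it on output; that holds under ERB auto-escaping, but any view or helper that renders the title through `raw`/`html_safe`, or into a non-escaping context, needs to be checked before merging. The old `Sanitize.clean` output was safe to embed directly, so it is worth recording this new contract in a comment on `title=` (or in the MR description).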
@ -204,4 +204,8 @@ class Milestone < ActiveRecord::Base
iid iid
end end
end end
def sanitize_title(value)
CGI.unescape_html(Sanitize.clean(value.to_s))
end
end end
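Review bot: `sanitize_title` unescapes after sanitizing, so input that already contains entity-encoded markup (e.g. `&lt;b&gt;`) passes `Sanitize.clean` untouched and is then decoded into a literal `<b>` in the stored value; the sanitize step therefore no longer guarantees a tag-free title. Either run `Sanitize.clean` over the decoded value as well, or document that `sanitize_title` only strips tags present in the raw input and that output escaping is what protects the rendered page. `sanitize_title` is only called from `title=`, so consider placing it under `private`.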

@ -20,10 +20,10 @@ describe Milestone, models: true do
let(:user) { create(:user) } let(:user) { create(:user) }
describe "#title" do describe "#title" do
let(:milestone) { create(:milestone, title: "<b>test</b>") } let(:milestone) { create(:milestone, title: "<b>foo & bar -> 2.2</b>") }
it "sanitizes title" do it "sanitizes title" do
expect(milestone.title).to eq("test") expect(milestone.title).to eq("foo & bar -> 2.2")
end end
end end
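Review bot: the updated example only covers tags and reserved characters typed literally; add a second example for already-encoded input (e.g. `title: "foo &amp; bar"` or `title: "&lt;b&gt;test&lt;/b&gt;"`) so the spec pins down what the unescape step in `sanitize_title` does to entities the user entered themselves.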

@ -104,6 +104,14 @@ describe API::API, api: true do
expect(response).to have_http_status(400) expect(response).to have_http_status(400)
end end
it 'creates a new project with reserved html characters' do
post api("/projects/#{project.id}/milestones", user), title: 'foo & bar 1.1 -> 2.2'
expect(response).to have_http_status(201)
expect(json_response['title']).to eq('foo & bar 1.1 -> 2.2')
expect(json_response['description']).to be_nil
end
end end
describe 'PUT /projects/:id/milestones/:milestone_id' do describe 'PUT /projects/:id/milestones/:milestone_id' do
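Review bot: the example description says `creates a new project with reserved html characters` but the request creates a milestone; rename it to `creates a new milestone with reserved html characters`. Note also that the assertions cover only the JSON representation of the title; the HTML-side escaping of the now-unescaped value is not exercised by this spec.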