From bed60b8c47acd11569da7cf5dc5bdb545ac97784 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@selenight.nl>
Date: Thu, 15 Feb 2018 12:06:57 +0100
Subject: [PATCH] Escape HTML entities in commit messages

---
 changelogs/unreleased/dm-escape-commit-message.yml | 5 +++++
 lib/banzai/filter/html_entity_filter.rb            | 2 +-
 spec/helpers/events_helper_spec.rb                 | 4 ++++
 spec/lib/banzai/filter/html_entity_filter_spec.rb  | 9 ++-------
 4 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 changelogs/unreleased/dm-escape-commit-message.yml

diff --git a/changelogs/unreleased/dm-escape-commit-message.yml b/changelogs/unreleased/dm-escape-commit-message.yml
new file mode 100644
index 00000000000..89af2da3484
--- /dev/null
+++ b/changelogs/unreleased/dm-escape-commit-message.yml
@@ -0,0 +1,5 @@
+---
+title: Escape HTML entities in commit messages
+merge_request:
+author:
+type: fixed
diff --git a/lib/banzai/filter/html_entity_filter.rb b/lib/banzai/filter/html_entity_filter.rb
index f3bd587c28b..e008fd428b0 100644
--- a/lib/banzai/filter/html_entity_filter.rb
+++ b/lib/banzai/filter/html_entity_filter.rb
@@ -5,7 +5,7 @@ module Banzai
     # Text filter that escapes these HTML entities: & " < >
     class HtmlEntityFilter < HTML::Pipeline::TextFilter
       def call
-        ERB::Util.html_escape_once(text)
+        ERB::Util.html_escape(text)
       end
     end
   end
diff --git a/spec/helpers/events_helper_spec.rb b/spec/helpers/events_helper_spec.rb
index 8a80b88da5d..fccde8b7eba 100644
--- a/spec/helpers/events_helper_spec.rb
+++ b/spec/helpers/events_helper_spec.rb
@@ -20,5 +20,9 @@ describe EventsHelper do
     it 'handles nil values' do
       expect(helper.event_commit_title(nil)).to eq('')
     end
+
+    it 'does not escape HTML entities' do
+      expect(helper.event_commit_title("foo & bar")).to eq("foo & bar")
+    end
   end
 end
diff --git a/spec/lib/banzai/filter/html_entity_filter_spec.rb b/spec/lib/banzai/filter/html_entity_filter_spec.rb
index 91e18d876d5..43e85cbcb24 100644
--- a/spec/lib/banzai/filter/html_entity_filter_spec.rb
+++ b/spec/lib/banzai/filter/html_entity_filter_spec.rb
@@ -3,17 +3,12 @@ require 'spec_helper'
 describe Banzai::Filter::HtmlEntityFilter do
   include FilterSpecHelper
 
-  let(:unescaped) { 'foo <strike attr="foo">&&&</strike>' }
-  let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;&amp;&lt;/strike&gt;' }
+  let(:unescaped) { 'foo <strike attr="foo">&&amp;</strike>' }
+  let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;amp;&amp;&lt;/strike&gt;' }
 
   it 'converts common entities to their HTML-escaped equivalents' do
     output = filter(unescaped)
 
     expect(output).to eq(escaped)
   end
-
-  it 'does not double-escape' do
-    escaped = ERB::Util.html_escape("Merge branch 'blabla' into 'master'")
-    expect(filter(escaped)).to eq(escaped)
-  end
 end