Sanitize milestones and label titles
parent
fad7b392dc
commit
d028863eda
5 changed files with 27 additions and 1 deletions
@ -117,6 +117,11 @@ class Label < ActiveRecord::Base
|
||||||
LabelsHelper::text_color_for_bg(self.color)
|
LabelsHelper::text_color_for_bg(self.color)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def title= value
|
||||||
|
value = Sanitize.clean(value.to_s) if value
|
||||||
|
write_attribute(:title, Sanitize.clean(value))
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def label_format_reference(format = :id)
|
def label_format_reference(format = :id)
|
||||||
|
|
|
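Review bot: `write_attribute(:title, Sanitize.clean(value))` re-sanitizes a value the line above has already cleaned, and it runs even when `value` is nil, which the `if value` guard on that line was avoiding; the Milestone setter in the next hunk writes `value` directly, so this one should too: `write_attribute(:title, value)`. Both setters declare the writer as `def title= value`; `def title=(value)` is the conventional form. Sanitize.clean returns serialized HTML, so a title like `a > b` is presumably stored entity-encoded (`a &gt; b`) rather than as typed — confirm that everything reading `title` expects that, since output escaping in views would then show the entity text. Because sanitization happens only in the setter, titles already in the database are untouched by this change; whether that calls for a migration is not something the hunk answers.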
@ -129,6 +129,11 @@ class Milestone < ActiveRecord::Base
|
||||||
nil
|
nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def title= value
|
||||||
|
value = Sanitize.clean(value.to_s) if value
|
||||||
|
write_attribute(:title, value)
|
||||||
|
end
|
||||||
|
|
||||||
# Sorts the issues for the given IDs.
|
# Sorts the issues for the given IDs.
|
||||||
#
|
#
|
||||||
# This method runs a single SQL query using a CASE statement to update the
|
# This method runs a single SQL query using a CASE statement to update the
|
||||||
|
|
|
@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
|
||||||
milestone.update_attribute(:title, %{"></a>whatever<a title="})
|
milestone.update_attribute(:title, %{"></a>whatever<a title="})
|
||||||
|
|
||||||
doc = reference_filter("milestone #{reference}")
|
doc = reference_filter("milestone #{reference}")
|
||||||
expect(doc.text).to eq "milestone #{milestone.title}"
|
expect(doc.text).to eq "milestone \">whatever"
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'includes default classes' do
|
it 'includes default classes' do
|
||||||
|
|
|
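Review bot: The replacement expectation pins the literal `milestone \">whatever` where the original compared against `milestone.title` (the `+`/`-` markers are lost in this rendering, but the commit's purpose makes that pairing the likely one), and nothing in the spec says why the two no longer agree; a reader cannot tell whether the stored title is now `">whatever` or an entity-encoded form of it. Add a line asserting what the model stores after the update, e.g. `expect(milestone.reload.title).to eq(<sanitized value>)` with the value the sanitizer actually produces, or at least a comment such as `# title is sanitized on write, so compare against the cleaned text rather than the raw input`. The `it` block this expectation belongs to starts before the hunk.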
@ -55,6 +55,14 @@ describe Label, models: true do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "#title" do
|
||||||
|
let(:label) { create(:label, title: "<b>test</b>") }
|
||||||
|
|
||||||
|
it "sanitizes title" do
|
||||||
|
expect(label.title).to eq("test")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe '#to_reference' do
|
describe '#to_reference' do
|
||||||
context 'using id' do
|
context 'using id' do
|
||||||
it 'returns a String reference to the object' do
|
it 'returns a String reference to the object' do
|
||||||
|
|
|
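Review bot: The new `#title` example (and the matching one in the Milestone spec hunk) only covers a well-formed `<b>` tag and checks the in-memory attribute; asserting the persisted value, `expect(label.reload.title).to eq("test")`, would show the sanitized text is what reaches the database, and an example assigning a nil title would exercise the `if value` guard in the setter rather than just the happy path. The `%{"></a>whatever<a title="}` input already used in the reference-filter spec would be a good second case here, since it shows what the sanitizer does with a broken tag. The enclosing `describe Label` block starts outside the hunk.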
@ -34,6 +34,14 @@ describe Milestone, models: true do
|
||||||
let(:issue) { create(:issue) }
|
let(:issue) { create(:issue) }
|
||||||
let(:user) { create(:user) }
|
let(:user) { create(:user) }
|
||||||
|
|
||||||
|
describe "#title" do
|
||||||
|
let(:milestone) { create(:milestone, title: "<b>test</b>") }
|
||||||
|
|
||||||
|
it "sanitizes title" do
|
||||||
|
expect(milestone.title).to eq("test")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe "unique milestone title per project" do
|
describe "unique milestone title per project" do
|
||||||
it "shouldn't accept the same title in a project twice" do
|
it "shouldn't accept the same title in a project twice" do
|
||||||
new_milestone = Milestone.new(project: milestone.project, title: milestone.title)
|
new_milestone = Milestone.new(project: milestone.project, title: milestone.title)
|
||||||
|
|