Merge branch '22452-milestone-title-unnecessary-escaping-fix' into 'master'

This MR fixes a bug that unnecessarily escapes reserved HTML characters in a Milestone's title. See #22452.

## Are there points in the code the reviewer needs to double check?

- Unescaping of the sanitized milestone title before it is stored in the database. See `Milestone#title` and a private method called `Milestone#sanitize_title`
- Sufficient tests were added (Model and API tests were modified/added).

## Why was this MR needed?

To allow reserved HTML characters in a milestone's title, such as "PHP migration 5.6 -> 7.0". The text appears in 'milestones' and in a dropdown during issue creation, issue list, and in another dropdown for issue filter. 

Closes #22452

See merge request !6533
Rémy Coutable 2016-09-30 09:27:28 +00:00
commit f9887a10d4
4 changed files with 16 additions and 3 deletions


@ -15,6 +15,7 @@ v 8.13.0 (unreleased)
- Revoke button in Applications Settings underlines on hover.
- Fix Long commit messages overflow viewport in file tree
- Update ruby-prof to 0.16.2. !6026 (Elan Ruusamäe)
- Fix unnecessary escaping of reserved HTML characters in milestone title. !6533
- Add organization field to user profile
- Fix resolved discussion display in side-by-side diff view !6575
- Optimize GitHub importing for speed and memory


@ -158,7 +158,7 @@ class Milestone < ActiveRecord::Base
end
def title=(value)
write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
write_attribute(:title, sanitize_title(value)) if value.present?
end
# Sorts the issues for the given IDs.
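Review bot: the change lives in the `title=` setter only, so it takes effect for titles written after this commit; rows already stored with entity-escaped titles (for example `&amp;` or `-&gt;`) are not touched by any of the four changed files and will keep displaying in escaped form. Either add a data migration that runs `sanitize_title` over existing milestone titles, or state in the MR that old titles are intentionally left as they are.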
@ -204,4 +204,8 @@ class Milestone < ActiveRecord::Base
iid
end
end
def sanitize_title(value)
CGI.unescape_html(Sanitize.clean(value.to_s))
end
end
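Review bot: `CGI.unescape_html(Sanitize.clean(value.to_s))` decodes whatever entities `Sanitize.clean` leaves or produces, so the stored title now holds literal `<`, `>` and `&` rather than entities. Safety therefore rests entirely on output escaping at every place the title is rendered (milestone pages, the issue creation and filter dropdowns named in the MR description, and the API JSON); please confirm none of those paths mark the title `html_safe` or pass it through `raw`, and add a short comment above `sanitize_title` explaining that tags are stripped first and only text entities are decoded, since the order of the two calls is what makes this acceptable.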


@ -20,10 +20,10 @@ describe Milestone, models: true do
let(:user) { create(:user) }
describe "#title" do
let(:milestone) { create(:milestone, title: "<b>test</b>") }
let(:milestone) { create(:milestone, title: "<b>foo & bar -> 2.2</b>") }
it "sanitizes title" do
expect(milestone.title).to eq("test")
expect(milestone.title).to eq("foo & bar -> 2.2")
end
end
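Review bot: the spec replaces the `<b>test</b>` example with a single combined case `"<b>foo & bar -> 2.2</b>"`, so tag stripping and entity preservation are now checked by one assertion. Keep them as two separate examples (one asserting `<b>test</b>` becomes `test`, one asserting `foo & bar -> 2.2` is stored unchanged) so that a regression in either behaviour produces a clear failure.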


@ -104,6 +104,14 @@ describe API::API, api: true do
expect(response).to have_http_status(400)
end
it 'creates a new project with reserved html characters' do
post api("/projects/#{project.id}/milestones", user), title: 'foo & bar 1.1 -> 2.2'
expect(response).to have_http_status(201)
expect(json_response['title']).to eq('foo & bar 1.1 -> 2.2')
expect(json_response['description']).to be_nil
end
end
describe 'PUT /projects/:id/milestones/:milestone_id' do
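Review bot: the new example is named `'creates a new project with reserved html characters'` but the request posts to `/projects/#{project.id}/milestones`, so it should read `'creates a new milestone with reserved html characters'`. Only the POST path gets this coverage here; since the `describe 'PUT /projects/:id/milestones/:milestone_id'` block follows directly, add the same title assertion for an update so the setter is exercised on both routes.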