meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-19 15:01:14 +00:00
Code Issues Releases Wiki Activity

Text in the "removed" part of a diff is double-escaped (#22115).

Browse Source 
Patch by Felix Schäfer.

git-svn-id: http://svn.redmine.org/redmine/trunk@15287 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2016-03-26 10:20:10 +00:00
parent 197ec295e0
commit 25eb92c0dc
2 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/redmine/helpers/diff.rb
View File

@ -23,6 +23,7 @@ module Redmine
include ERB::Util include ERB::Util
include ActionView::Helpers::TagHelper include ActionView::Helpers::TagHelper
include ActionView::Helpers::TextHelper include ActionView::Helpers::TextHelper
include ActionView::Helpers::OutputSafetyHelper
attr_reader :diff, :words attr_reader :diff, :words
def initialize(content_to, content_from) def initialize(content_to, content_from)
@ -53,7 +54,7 @@ module Redmine
else else
del_at = pos unless del_at del_at = pos unless del_at
deleted << ' ' unless deleted.empty? deleted << ' ' unless deleted.empty?
deleted << h(change[2]) deleted << change[2]
words_del += 1 words_del += 1
end end
end end
@ -62,13 +63,14 @@ module Redmine
words[add_to] = words[add_to] + '</span>'.html_safe words[add_to] = words[add_to] + '</span>'.html_safe
end end
if del_at if del_at
words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + deleted + '</span>'.html_safe # deleted is not safe html at this point
words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe
dels += 1 dels += 1
del_off += words_del del_off += words_del
words_del = 0 words_del = 0
end end
end end
words.join(' ').html_safe safe_join(words, ' ')
end end
end end
end end

12
test/unit/lib/redmine/helpers/diff_test.rb
View File

@ -22,4 +22,16 @@ class DiffTest < ActiveSupport::TestCase
diff = Redmine::Helpers::Diff.new("foo", "bar") diff = Redmine::Helpers::Diff.new("foo", "bar")
assert_not_nil diff assert_not_nil diff
end end
def test_dont_double_escape
# 3 cases to test in the before: first word, last word, everything inbetween
before = "<stuff> with html & special chars</danger>"
# all words in after are treated equal
after = "other stuff <script>alert('foo');</alert>"
computed_diff = Redmine::Helpers::Diff.new(before, after).to_html
expected_diff = '<span class="diff_in">&lt;stuff&gt; with html &amp; special chars&lt;/danger&gt;</span> <span class="diff_out">other stuff &lt;script&gt;alert(&#39;foo&#39;);&lt;/alert&gt;</span>'
assert_equal computed_diff, expected_diff
end
end end