meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2026-02-06 09:03:25 +00:00
Code Issues Releases Wiki Activity

filter all possibly class values on code tags in Textile (#25742)

Browse Source 
Contributed by Holger Just from Planio.

git-svn-id: http://svn.redmine.org/redmine/trunk@19333 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Toshi MARUYAMA 2019-12-05 11:25:24 +00:00
parent 62e626e680
commit 5876324372
2 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
lib/redmine/wiki_formatting/textile/formatter.rb
View File

@ -123,9 +123,10 @@ module Redmine
## replace <pre> content
text.gsub!(/<redpre#(\d+)>/) do
content = @pre_list[$1.to_i]
if content.match(/<code\s+class=["'](\w+)["']>\s?(.+)/m)
language = $1
text = $2
# This regex must match any data produced by RedCloth3#rip_offtags
if content.match(/<code\s+class=(?:"([^"]+)"|'([^']+)')>\s?(.*)/m)
language = $1 || $2
text = $3
if Redmine::SyntaxHighlighting.language_supported?(language)
text.gsub!(/x%x%/, '&')
content = "<code class=\"#{language} syntaxhl\">" +

8
test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
View File

@ -562,9 +562,17 @@ class Redmine::WikiFormatting::TextileFormatterTest < ActionView::TestCase
def test_should_not_allow_arbitrary_class_attribute_on_offtags
%w(code pre kbd).each do |tag|
assert_html_output({"<#{tag} class=\"foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
assert_html_output({"<#{tag} class='foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
assert_html_output({"<#{tag} class=\"ruby foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
assert_html_output({"<#{tag} class='ruby foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
assert_html_output({"<#{tag} class=\"ruby \"foo\" bar\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
end
assert_html_output({"<notextile class=\"foo\">test</notextile>" => "test"}, false)
assert_html_output({"<notextile class='foo'>test</notextile>" => "test"}, false)
assert_html_output({"<notextile class=\"ruby foo\">test</notextile>" => "test"}, false)
assert_html_output({"<notextile class='ruby foo'>test</notextile>" => "test"}, false)
assert_html_output({"<notextile class=\"ruby \"foo\" bar\">test</notextile>" => "test"}, false)
end
def test_should_allow_valid_language_class_attribute_on_code_tags