meineerde/redmine
1
0
Fork 0
mirror of https://github.com/meineerde/redmine.git synced 2025-12-19 15:01:14 +00:00
Code Issues Releases Wiki Activity

Limits the schemes that inline images can use (#22926).

Browse Source 
git-svn-id: http://svn.redmine.org/redmine/trunk@15433 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2016-06-01 17:32:35 +00:00
parent 1be535443a
commit a4bc898012
2 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/redcloth3.rb
View File

@ -165,6 +165,7 @@
# class RedCloth::Textile.new( str ) # class RedCloth::Textile.new( str )
class RedCloth3 < String class RedCloth3 < String
include Redmine::Helpers::URL
VERSION = '3.0.4' VERSION = '3.0.4'
DEFAULT_RULES = [:textile, :markdown] DEFAULT_RULES = [:textile, :markdown]
@ -960,6 +961,8 @@ class RedCloth3 < String
href, alt_title = check_refs( href ) if href href, alt_title = check_refs( href ) if href
url, url_title = check_refs( url ) url, url_title = check_refs( url )
return m unless uri_with_safe_scheme?(url)
out = '' out = ''
out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href
out << "<img#{ shelve( atts ) } />" out << "<img#{ shelve( atts ) } />"

6
lib/redmine/wiki_formatting/markdown/formatter.rb
View File

@ -43,6 +43,12 @@ module Redmine
"<pre>" + CGI.escapeHTML(code) + "</pre>" "<pre>" + CGI.escapeHTML(code) + "</pre>"
end end
end end
def image(link, title, alt_text)
return unless uri_with_safe_scheme?(link)
tag('img', :src => link, :alt => alt_text || "", :title => title)
end
end end
class Formatter class Formatter