Escape blockquote citation in textile formatting (#37751).

Patch by Jens Krämer.


git-svn-id: https://svn.redmine.org/redmine/trunk@21894 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/redmine/wiki_formatting/textile/redcloth3.rb

@@ -691,7 +691,7 @@ class RedCloth3 < String
 
     def textile_bq( tag, atts, cite, content )
         cite, cite_title = check_refs( cite )
-        cite = " cite=\"#{cite}\"" if cite
+        cite = " cite=\"#{htmlesc cite.dup}\"" if cite
         atts = shelve( atts ) if atts
         "\t<blockquote#{cite}>\n\t\t<p#{atts}>#{content}</p>\n\t</blockquote>"
     end

test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb

@@ -751,6 +751,13 @@ class Redmine::WikiFormatting::TextileFormatterTest < ActionView::TestCase
     assert_equal expected.gsub(%r{[\r\n\t]}, ''), to_html(text).gsub(%r{[\r\n\t]}, '')
   end
 
+  def test_should_escape_bq_citations
+    assert_html_output({
+      %{bq.:http://x/"onmouseover="alert(document.domain) Hover me} =>
+        %{<blockquote cite="http://x/&quot;onmouseover=&quot;alert(document.domain)">\n\t\t<p>Hover me</p>\n\t</blockquote>}
+    }, false)
+  end
+
   private
 
   def assert_html_output(to_test, expect_paragraph = true)