Project

General

Profile

Download (2.35 KB)

Defect #22115 » 22115-dont_double_escape_deleted_diff_parts.diff

Felix Schäfer, 2016-02-25 21:31

View differences:

lib/redmine/helpers/diff.rb
23 23 
      include ERB::Util
24 24 
      include ActionView::Helpers::TagHelper
25 25 
      include ActionView::Helpers::TextHelper
26 
      include ActionView::Helpers::OutputSafetyHelper
26 27 
      attr_reader :diff, :words
27 28 

  		




  28
  29
  
    
      def initialize(content_to, content_from)

  		




  ......




  53
  54
  
    
            else

  		




  54
  55
  
    
              del_at = pos unless del_at

  		




  55
  56
  
    
              deleted << ' ' unless deleted.empty?

  		




  56
  
  
    
              deleted << h(change[2])

  		




  
  57
  
    
              deleted << change[2]

  		




  57
  58
  
    
              words_del  += 1

  		




  58
  59
  
    
            end

  		




  59
  60
  
    
          end

  		




  ......




  62
  63
  
    
            words[add_to] = words[add_to] + '</span>'.html_safe

  		




  63
  64
  
    
          end

  		




  64
  65
  
    
          if del_at

  		




  65
  
  
    
            words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + deleted + '</span>'.html_safe

  		




  
  66
  
    
            # deleted is not safe html at this point

  		




  
  67
  
    
            words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe

  		




  66
  68
  
    
            dels += 1

  		




  67
  69
  
    
            del_off += words_del

  		




  68
  70
  
    
            words_del = 0

  		




  69
  71
  
    
          end

  		




  70
  72
  
    
        end

  		




  71
  
  
    
        words.join(' ').html_safe

  		




  
  73
  
    
        safe_join(words, ' ')

  		




  72
  74
  
    
      end

  		




  73
  75
  
    
    end

  		




  74
  76
  
    
  end

  		












  

    
      test/unit/lib/redmine/helpers/diff_test.rb
    
  





  22
  22
  
    
    diff = Redmine::Helpers::Diff.new("foo", "bar")


  		




  23
  23
  
    
    assert_not_nil diff


  		




  24
  24
  
    
  end


  		




  
  25
  
    

  		




  
  26
  
    
  def test_dont_double_escape


  		




  
  27
  
    
    # 3 cases to test in the before: first word, last word, everything inbetween


  		




  
  28
  
    
    before = "<stuff> with html & special chars</danger>"


  		




  
  29
  
    
    # all words in after are treated equal


  		




  
  30
  
    
    after  = "other stuff <script>alert('foo');</alert>"


  		




  
  31
  
    

  		




  
  32
  
    
    computed_diff = Redmine::Helpers::Diff.new(before, after).to_html


  		




  
  33
  
    
    expected_diff = '<span class="diff_in">&lt;stuff&gt; with html &amp; special chars&lt;/danger&gt;</span> <span class="diff_out">other stuff &lt;script&gt;alert(&#39;foo&#39;);&lt;/alert&gt;</span>'


  		




  
  34
  
    

  		




  
  35
  
    
    assert_equal computed_diff, expected_diff


  		




  
  36
  
    
  end


  		




  25
  37
  
    
end


  		















  (2-2/2)