Redmine

      include ActionView::Helpers::OutputSafetyHelper

              deleted << change[2]

            # deleted is not safe html at this point

            words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe

        safe_join(words, ' ')

  def test_dont_double_escape

    # 3 cases to test in the before: first word, last word, everything inbetween

    before = "<stuff> with html & special chars</danger>"

    # all words in after are treated equal

    after  = "other stuff <script>alert('foo');</alert>"

    computed_diff = Redmine::Helpers::Diff.new(before, after).to_html

    expected_diff = '<span class="diff_in">&lt;stuff&gt; with html &amp; special chars&lt;/danger&gt;</span> <span class="diff_out">other stuff &lt;script&gt;alert(&#39;foo&#39;);&lt;/alert&gt;</span>'

    assert_equal computed_diff, expected_diff

  end

/config/settings.yml

config/settings.yml

# Redmine - project management software

# Copyright (C) 2006-2016  Jean-Philippe Lang

#

# This program is free software; you can redistribute it and/or

# modify it under the terms of the GNU General Public License

# as published by the Free Software Foundation; either version 2

# of the License, or (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program; if not, write to the Free Software

# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

# DO NOT MODIFY THIS FILE !!!

# Settings can be defined through the application in Admin -> Settings

app_title:

  default: Redmine

app_subtitle:

  default: Project management

welcome_text:

  default:

login_required:

  default: 0

  security_notifications: 1

self_registration:

  default: '2'

  security_notifications: 1

lost_password:

  default: 1

  security_notifications: 1

unsubscribe:

  default: 1

password_min_length:

  format: int

  default: 8

  security_notifications: 1

# Maximum password age in days

password_max_age:

  format: int

  default: 0

  security_notifications: 1

# Maximum number of additional email addresses per user

max_additional_emails:

  format: int

  default: 5

# Maximum lifetime of user sessions in minutes

session_lifetime:

  format: int

  default: 0

  security_notifications: 1

# User session timeout in minutes

session_timeout:

  format: int

  default: 0

  security_notifications: 1

attachment_max_size:

  format: int

  default: 5120

attachment_extensions_allowed:

  default:

attachment_extensions_denied:

  default:

issues_export_limit:

  format: int

  default: 500

activity_days_default:

  format: int

  default: 30

per_page_options:

  default: '25,50,100'

search_results_per_page:

  default: 10

mail_from:

  default: redmine@example.net

bcc_recipients:

  default: 1

plain_text_mail:

  default: 0

text_formatting:

  default: textile

cache_formatted_text:

  default: 0

wiki_compression:

  default: ""

default_language:

  default: en

force_default_language_for_anonymous:

  default: 0

force_default_language_for_loggedin:

  default: 0

host_name:

  default: localhost:3000

protocol:

  default: http

  security_notifications: 1

feeds_limit:

  format: int

  default: 15

gantt_items_limit:

  format: int

  default: 500

# Maximum size of files that can be displayed

# inline through the file viewer (in KB)

file_max_size_displayed:

  format: int

  default: 512

diff_max_lines_displayed:

  format: int

  default: 1500

enabled_scm:

  serialized: true

  default:

  - Subversion

  - Darcs

  - Mercurial

  - Cvs

  - Bazaar

  - Git

  security_notifications: 1

autofetch_changesets:

  default: 1

sys_api_enabled:

  default: 0

  security_notifications: 1

sys_api_key:

  default: ''

  security_notifications: 1

commit_cross_project_ref:

  default: 0

commit_ref_keywords:

  default: 'refs,references,IssueID'

commit_update_keywords:

  serialized: true

  default: []

commit_logtime_enabled:

  default: 0

commit_logtime_activity_id:

  format: int

  default: 0

# autologin duration in days

# 0 means autologin is disabled

autologin:

  format: int

  default: 0

# date format

date_format:

  default: ''

time_format:

  default: ''

user_format:

  default: :firstname_lastname

  format: symbol

cross_project_issue_relations:

  default: 0

# Enables subtasks to be in other projects

cross_project_subtasks:

  default: 'tree'

parent_issue_dates:

  default: 'derived'

parent_issue_priority:

  default: 'derived'

parent_issue_done_ratio:

  default: 'derived'

link_copied_issue:

  default: 'ask'

issue_group_assignment:

  default: 0

default_issue_start_date_to_creation_date:

  default: 1

notified_events:

  serialized: true

  default:

  - issue_added

  - issue_updated

mail_handler_body_delimiters:

  default: ''

mail_handler_excluded_filenames:

  default: ''

mail_handler_api_enabled:

  default: 0

  security_notifications: 1

mail_handler_api_key:

  default:

  security_notifications: 1

issue_list_default_columns:

  serialized: true

  default:

  - tracker

  - status

  - priority

  - subject

  - assigned_to

  - updated_on

issue_list_default_totals:

  serialized: true

  default: []

display_subprojects_issues:

  default: 1

issue_done_ratio:

  default: 'issue_field'

default_projects_public:

  default: 1

default_projects_modules:

  serialized: true

  default:

  - issue_tracking

  - time_tracking

  - news

  - documents

  - files

  - wiki

  - repository

  - boards

  - calendar

  - gantt

default_projects_tracker_ids:

  serialized: true

  default:

# Role given to a non-admin user who creates a project

new_project_user_role_id:

  format: int

  default: ''

sequential_project_identifiers:

  default: 0

# encodings used to convert repository files content to UTF-8

# multiple values accepted, comma separated

default_users_hide_mail:

  default: 1

repositories_encodings:

  default: ''

# encoding used to convert commit logs to UTF-8

commit_logs_encoding:

  default: 'UTF-8'

repository_log_display_limit:

  format: int

  default: 100

ui_theme:

  default: ''

emails_footer:

  default: |-

    You have received this notification because you have either subscribed to it, or are involved in it.

    To change your notification preferences, please click here: http://hostname/my/account

gravatar_enabled:

  default: 0

openid:

  default: 0

  security_notifications: 1

gravatar_default:

  default: ''

start_of_week:

  default: ''

rest_api_enabled:

  default: 0

  security_notifications: 1

jsonp_enabled:

  default: 0

  security_notifications: 1

default_notification_option:

  default: 'only_my_events'

emails_header:

  default: ''

thumbnails_enabled:

  default: 0

thumbnails_size:

  format: int

  default: 100

non_working_week_days:

  serialized: true

  default:

  - '6'

  - '7'