Project

General

Profile

Download (2.18 KB)

Defect #33846 » sanitize_html_v4.patch

Go MAEDA, 2021-03-15 16:52

View differences:

public/javascripts/application.js
1 1 
/* Redmine - project management software
2 2 
   Copyright (C) 2006-2020  Jean-Philippe Lang */
3 3 

  		




  
  4
  
    
function sanitizeHTML(string) {

  		




  
  5
  
    
  var temp = document.createElement('span');

  		




  
  6
  
    
  temp.textContent = string;

  		




  
  7
  
    
  return temp.innerHTML;

  		




  
  8
  
    
}

  		




  
  9
  
    

  		




  4
  10
  
    
function checkAll(id, checked) {

  		




  5
  11
  
    
  $('#'+id).find('input[type=checkbox]:enabled').prop('checked', checked);

  		




  6
  12
  
    
}

  		




  ......




  1130
  1136
  
    
          selectTemplate: function (issue) {

  		




  1131
  1137
  
    
            return '#' + issue.original.id;

  		




  1132
  1138
  
    
          },

  		




  
  1139
  
    
          menuItemTemplate: function (issue) {

  		




  
  1140
  
    
            return sanitizeHTML(issue.original.label);

  		




  
  1141
  
    
          },

  		




  1133
  1142
  
    
          noMatchTemplate: function () {

  		




  1134
  1143
  
    
            return '<span style:"visibility: hidden;"></span>';

  		




  1135
  1144
  
    
          }

  		




  ......




  1147
  1156
  
    
          selectTemplate: function (wikiPage) {

  		




  1148
  1157
  
    
            return '[[' + wikiPage.original.value + ']]';

  		




  1149
  1158
  
    
          },

  		




  
  1159
  
    
          menuItemTemplate: function (wikiPage) {

  		




  
  1160
  
    
            return sanitizeHTML(wikiPage.original.label);

  		




  
  1161
  
    
          },

  		




  1150
  1162
  
    
          noMatchTemplate: function () {

  		




  1151
  1163
  
    
            return '<span style:"visibility: hidden;"></span>';

  		




  1152
  1164
  
    
          }

  		












  

    
      test/system/inline_autocomplete_test.rb
    
  





  151
  151
  
    
    end

  		




  152
  152
  
    
    assert_equal '[[Page_with_sections]] ', find('#issue_description').value

  		




  153
  153
  
    
  end

  		




  
  154
  
    

  		




  
  155
  
    
  def test_inline_autocomplete_for_issues_should_escape_html_elements

  		




  
  156
  
    
    issue = Issue.generate!(subject: 'This issue has a <select> element', project_id: 1, tracker_id: 1)

  		




  
  157
  
    

  		




  
  158
  
    
    log_user('jsmith', 'jsmith')

  		




  
  159
  
    
    visit 'projects/1/issues/new'

  		




  
  160
  
    

  		




  
  161
  
    
    fill_in 'Description', :with => '#This'

  		




  
  162
  
    

  		




  
  163
  
    
    within('.tribute-container') do

  		




  
  164
  
    
      assert page.has_text? "Bug ##{issue.id}: This issue has a <select> element"

  		




  
  165
  
    
    end

  		




  
  166
  
    
  end

  		




  154
  167
  
    
end

  		















  (8-8/8)