diff --git a/lib/redmine/helpers/diff.rb b/lib/redmine/helpers/diff.rb
index 785ff38..ca06d7e 100644
--- a/lib/redmine/helpers/diff.rb
+++ b/lib/redmine/helpers/diff.rb
@@ -23,6 +23,7 @@ module Redmine
 include ERB::Util
 include ActionView::Helpers::TagHelper
 include ActionView::Helpers::TextHelper
+ include ActionView::Helpers::OutputSafetyHelper
 attr_reader :diff, :words
 
 def initialize(content_to, content_from)
@@ -53,7 +54,7 @@ module Redmine
 else
 del_at = pos unless del_at
 deleted << ' ' unless deleted.empty?
- deleted << h(change[2])
+ deleted << change[2]
 words_del += 1
 end
 end
@@ -62,13 +63,14 @@ module Redmine
 words[add_to] = words[add_to] + ''.html_safe
 end
 if del_at
- words.insert del_at - del_off + dels + words_add, ''.html_safe + deleted + ''.html_safe
+ # deleted is not safe html at this point
+ words.insert del_at - del_off + dels + words_add, ''.html_safe + h(deleted) + ''.html_safe
 dels += 1
 del_off += words_del
 words_del = 0
 end
 end
- words.join(' ').html_safe
+ safe_join(words, ' ')
 end
 end
 end
diff --git a/test/unit/lib/redmine/helpers/diff_test.rb b/test/unit/lib/redmine/helpers/diff_test.rb
index a5f7afe..e2006d7 100644
--- a/test/unit/lib/redmine/helpers/diff_test.rb
+++ b/test/unit/lib/redmine/helpers/diff_test.rb
@@ -22,4 +22,16 @@ class DiffTest < ActiveSupport::TestCase
 diff = Redmine::Helpers::Diff.new("foo", "bar")
 assert_not_nil diff
 end
+
+ def test_dont_double_escape
+ # 3 cases to test in the before: first word, last word, everything inbetween
+ before = " with html & special chars"
+ # all words in after are treated equal
+ after = "other stuff
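Review bot: Dropping `h` in `deleted << change[2]` is only correct if `deleted` is initialised as a plain String, and that initialisation sits outside this hunk; if it were ever an `html_safe` buffer, `<<` would escape on append and the later `h(deleted)` would escape a second time, reintroducing the double escaping this commit removes. A one-line comment at the accumulator would pin that invariant for the next maintainer, e.g. `# raw (unescaped) words; escaped exactly once when inserted into words`. The enclosing method starts and ends outside this hunk.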
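Review bot: The added comment `# deleted is not safe html at this point` states the state of the buffer but not why the line is written this way; what matters is that `SafeBuffer#+` escapes a plain String operand, so `h(deleted)` is the single point where escaping happens. Consider `# deleted is raw text; h() escapes it once and returns an html_safe buffer, so the surrounding '+' does not escape it again`. `safe_join(words, ' ')` on the last changed line escapes plain-String entries and leaves html_safe ones untouched, so the output stays correctly escaped only as long as the entries built above this hunk (outside view) are either raw Strings or buffers marked html_safe — a pre-escaped String that is not so marked would be escaped twice, which is worth a comment where `words` is built. The regression test in the second file is cut off in this view, so I cannot confirm it exercises the first-word and last-word cases its comment promises.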