Project

General

Profile

Actions
Copy link

Defect #30758

closed

Preview URL in Wiki Toolbar should be escaped

Added by Vincent Robert about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Go MAEDA
Category:
Wiki
Target version:
4.0.2
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:
4.0.1

Description

Since Redmine 4.0.0 and the addition of the preview tab, the wiki toolbar is not displayed if the preview url contains single quotes. The url is not escaped and we can see an error in our browser console.
We should escape the preview url:

diff --git a/lib/redmine/wiki_formatting/markdown/helper.rb b/lib/redmine/wiki_formatting/markdown/helper.rb
index fac2f8bf3..fb9f1a939 100644
--- a/lib/redmine/wiki_formatting/markdown/helper.rb
+++ b/lib/redmine/wiki_formatting/markdown/helper.rb
@@ -22,7 +22,7 @@ module Redmine
         def wikitoolbar_for(field_id, preview_url = preview_text_path)
           heads_for_wiki_formatter
           url = "#{Redmine::Utils.relative_url_root}/help/#{current_language.to_s.downcase}/wiki_syntax_markdown.html" 
-          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{preview_url}'); wikiToolbar.draw();")
+          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{escape_javascript preview_url}'); wikiToolbar.draw();")
         end

         def initial_page_content(page)
diff --git a/lib/redmine/wiki_formatting/textile/helper.rb b/lib/redmine/wiki_formatting/textile/helper.rb
index 6e8ba9812..e536a29dc 100644
--- a/lib/redmine/wiki_formatting/textile/helper.rb
+++ b/lib/redmine/wiki_formatting/textile/helper.rb
@@ -23,7 +23,7 @@ module Redmine
           heads_for_wiki_formatter
           # Is there a simple way to link to a public resource?
           url = "#{Redmine::Utils.relative_url_root}/help/#{current_language.to_s.downcase}/wiki_syntax_textile.html" 
-          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{preview_url}'); wikiToolbar.draw();")
+          javascript_tag("var wikiToolbar = new jsToolBar(document.getElementById('#{field_id}')); wikiToolbar.setHelpLink('#{escape_javascript url}'); wikiToolbar.setPreviewUrl('#{escape_javascript preview_url}'); wikiToolbar.draw();")
         end

         def initial_page_content(page)

Files

Download all files
escape_preview_url.diff (1.99 KB) escape_preview_url.diff Vincent Robert, 2019-02-06 19:10
screenshot.png (207 KB) screenshot.png Vincent Robert, 2019-02-07 08:18

Related issues

Related to Redmine - Feature #27758: Adds preview option to the wiki toolbarClosedJean-Philippe Lang

Actions
Actions
Copy link

Also available in: Atom PDF