Project

General

Profile

Actions
Copy link

Defect #41721

closed

Principal link text with special characters not displayed correctly after r23222

Added by Katsuya HIDAKA 14 days ago. Updated 13 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Marius BĂLTEANU
Category:
UI
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:

Description

Expected behavior:

Actual behavior:

This problem appears to be caused by the link_to_principal helper displaying principal names with double escaping after commit r23222.

Files

Download all files
expected.png (26.3 KB) expected.png Katsuya HIDAKA, 2024-11-09 15:32
actual.png (28.1 KB) actual.png Katsuya HIDAKA, 2024-11-09 15:32
0001-Fixed-double-escaping-issue-for-a-principal-name-with-special-chars.patch (1.73 KB) 0001-Fixed-double-escaping-issue-for-a-principal-name-with-special-chars.patch Katsuya HIDAKA, 2024-11-09 16:18
0002-Fixed-broken-link_to_principal-helper-test.patch (1020 Bytes) 0002-Fixed-broken-link_to_principal-helper-test.patch Katsuya HIDAKA, 2024-11-09 16:18
Actions
Copy link
 #1

Updated by Katsuya HIDAKA 14 days ago

I have attached a patch to fix this problem.

link_to_principal displaying principal names with double escaping after commit r23222.

The causes of the above are:

From: /redmine/app/helpers/application_helper.rb @ line 80 :

    75:     else
    76:       name = h(principal.to_s)
    77:     end
    78:
    79:     css_classes += " #{options[:class]}" if css_classes && options[:class].present?
 => 80:     binding.irb
    81:     url ? link_to(principal_icon(principal.class.name.downcase).to_s + name, url, :class => css_classes) : name
    82:   end
    83:
    84:   # Displays a link to edit group page if current user is admin
    85:   # Otherwise display only the group name

irb:001> name.html_safe?
=> true
irb:002> name
=> "firstname<>' lastname&"" 
irb:003> (principal_icon(principal.class.name.downcase).to_s + name).html_safe?
=> false
irb:004> h(principal_icon(principal.class.name.downcase).to_s + name)
=> "firstname<>' lastname&""

The name variable was marked as safe HTML on line 80, but it is now marked as unsafe HTML by addition of link_to(principal_icon(principal.class.name.downcase).to_s on line 81. As a result, the link_to method again escapes the name variable as unsafe HTML.

I have fixed this by removing all escaping of the text passed to the link_to method in the link_to_principal. The link_to method escapes text by default.
https://github.com/rails/rails/blob/852d0cd4123463cf215f4b024801b256857295c4/actionview/lib/action_view/helpers/tag_helper.rb#L243
https://github.com/rails/rails/blob/852d0cd4123463cf215f4b024801b256857295c4/actionview/lib/action_view/helpers/tag_helper.rb#L523
https://github.com/rails/rails/blob/dd8f7185faeca6ee968a6e9367f6d8601a83b8db/actionview/lib/action_view/helpers/url_helper.rb#L207

redmine-app(dev)> helper.link_to("firstname<>'", 'url')
=> "<a href=\"url\">firstname&lt;&gt;&#39;</a>"

The following test was failing after r23222, but it passes after applying the patch.
https://github.com/redmine/redmine/blob/8438deb8a68fdfaf260b8c8d68d5aad2afa70fa6/test/helpers/application_helper_test.rb#L1881

The second patch fixes the broken link_to_principal helper test due to r23222.

Actions
Copy link
 #2

Updated by Marius BĂLTEANU 13 days ago

  • Status changed from New to Closed
  • Assignee set to Marius BĂLTEANU

First patch committed, thanks for reporting this.

For the second one, I've preferred a different assertion, please take a look at r23227.

Actions
Copy link
 #3

Updated by Katsuya HIDAKA 13 days ago

Thank you for reviewing and merging the patch.

For the second one, I've preferred a different assertion, please take a look at r23227.

It looks good to me!

Actions
Copy link

Also available in: Atom PDF