Commit 27b71e80 authored by Sean McGivern's avatar Sean McGivern

Merge branch 'dm-escape-commit-message' into 'master'

Escape HTML entities in commit messages

Closes #42833

See merge request gitlab-org/gitlab-ce!17144
parents 06004734 e090366f
---
title: Escape HTML entities in commit messages
merge_request:
author:
type: fixed
...@@ -5,7 +5,7 @@ module Banzai ...@@ -5,7 +5,7 @@ module Banzai
# Text filter that escapes these HTML entities: & " < > # Text filter that escapes these HTML entities: & " < >
class HtmlEntityFilter < HTML::Pipeline::TextFilter class HtmlEntityFilter < HTML::Pipeline::TextFilter
def call def call
ERB::Util.html_escape_once(text) ERB::Util.html_escape(text)
end end
end end
end end
......
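Review bot: The header comment on the filter still lists `& " < >` as the escaped set, but `ERB::Util.html_escape` also replaces `'` with `&#39;`, and after this change entities already present in the text are escaped again (the `&&amp;&` → `&amp;&amp;amp;&amp;` fixture in the spec hunk on this page shows that), so the comment now under-describes what `call` does. Suggest `# Text filter that HTML-escapes & " ' < > via ERB::Util.html_escape. Unlike html_escape_once, text that is already escaped is escaped again, so this filter must only run on raw text.` Whether an earlier step of the pipeline can hand this filter already-escaped text is not visible in the hunk and is worth confirming where the filter is placed.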
...@@ -20,5 +20,9 @@ describe EventsHelper do ...@@ -20,5 +20,9 @@ describe EventsHelper do
it 'handles nil values' do it 'handles nil values' do
expect(helper.event_commit_title(nil)).to eq('') expect(helper.event_commit_title(nil)).to eq('')
end end
it 'does not escape HTML entities' do
expect(helper.event_commit_title("foo & bar")).to eq("foo & bar")
end
end end
end end
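Review bot: The new example pins that `event_commit_title` returns `"foo & bar"` unescaped, but nothing on this page asserts that the rendered title is escaped, so a later change that dropped escaping from the rendering path would still pass this suite. Presumably the `HtmlEntityFilter` change in this merge request is what escapes the title; if so, a one-line comment above the example, `# escaping is applied downstream by the Banzai pipeline, not by this helper`, would keep the next person from "fixing" the helper to escape. A companion example on the rendering side that feeds a `<` through and expects `&lt;` would close the gap. The enclosing `describe` block starts outside the hunk.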
...@@ -3,17 +3,12 @@ require 'spec_helper' ...@@ -3,17 +3,12 @@ require 'spec_helper'
describe Banzai::Filter::HtmlEntityFilter do describe Banzai::Filter::HtmlEntityFilter do
include FilterSpecHelper include FilterSpecHelper
let(:unescaped) { 'foo <strike attr="foo">&&&</strike>' } let(:unescaped) { 'foo <strike attr="foo">&&amp;&</strike>' }
let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;&amp;&lt;/strike&gt;' } let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;amp;&amp;&lt;/strike&gt;' }
it 'converts common entities to their HTML-escaped equivalents' do it 'converts common entities to their HTML-escaped equivalents' do
output = filter(unescaped) output = filter(unescaped)
expect(output).to eq(escaped) expect(output).to eq(escaped)
end end
it 'does not double-escape' do
escaped = ERB::Util.html_escape("Merge branch 'blabla' into 'master'")
expect(filter(escaped)).to eq(escaped)
end
end end
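Review bot: The new fixture covers `< > " &` and the re-escaping of a pre-existing `&amp;`, but not `'`, which `ERB::Util.html_escape` turns into `&#39;`; the removed 'does not double-escape' example was the only one that exercised single quotes, so that path is now untested. One extra example closes it: `it 'escapes single quotes' do expect(filter("it's")).to eq('it&#39;s') end`. The remaining example name, 'converts common entities to their HTML-escaped equivalents', also does not say that already-escaped input is escaped again; a second example named for that behaviour, using the `&amp;` part of the fixture, would document the contract the removed example used to deny.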