Commit a8452529 authored by Arinde Eniola's avatar Arinde Eniola

get the multi filter labels feature to work on merge request, also escape...

Get the multi-filter labels feature to work on merge requests; also escape characters in the templates to prevent XSS attacks
parent bea34843
...@@ -58,6 +58,7 @@ class Dispatcher ...@@ -58,6 +58,7 @@ class Dispatcher
when 'projects:merge_requests:index' when 'projects:merge_requests:index'
shortcut_handler = new ShortcutsNavigation() shortcut_handler = new ShortcutsNavigation()
MergeRequests.init() MergeRequests.init()
Issues.init()
when 'dashboard:activity' when 'dashboard:activity'
new Activities() new Activities()
when 'dashboard:projects:starred' when 'dashboard:projects:starred'
......
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
Issue.labelRow = _.template( Issue.labelRow = _.template(
'<% _.each(labels, function(label){ %> '<% _.each(labels, function(label){ %>
<span class="label-row"> <span class="label-row">
<a href="#"><span class="label color-label has-tooltip" style="background-color: <%= label.color %>; color: #FFFFFF" title="<%= label.description %>" data-container="body"><%= label.title %></span></a> <a href="#"><span class="label color-label has-tooltip" style="background-color: <%= label.color %>; color: #FFFFFF" title="<%= _.escape(label.description) %>" data-container="body"><%= _.escape(label.title) %></span></a>
</span> </span>
<% }); %>' <% }); %>'
) )
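Review bot: `label.color` is still emitted through the raw `<%= %>` tag inside the `style` attribute on the changed line, so that value can still close the attribute unless the server restricts colors to a strict hex pattern, which is not visible here. Underscore's `<%- %>` tag HTML-escapes on output and is harder to forget than wrapping each value in `_.escape`: `style="background-color: <%- label.color %>; color: #FFFFFF" title="<%- label.description %>"` and `<%- label.title %>`. Because the span carries `has-tooltip`, it is also worth confirming that the tooltip is not configured to render its title as HTML, since the browser decodes the escaped entities when it parses the attribute.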
......
...@@ -3,7 +3,6 @@ ...@@ -3,7 +3,6 @@
# #
@MergeRequests = @MergeRequests =
init: -> init: ->
$('.filtered-labels').hide()
MergeRequests.initSearch() MergeRequests.initSearch()
# Make sure we trigger ajax request only after user stop typing # Make sure we trigger ajax request only after user stop typing
......
...@@ -38,13 +38,14 @@ class Projects::MergeRequestsController < Projects::ApplicationController ...@@ -38,13 +38,14 @@ class Projects::MergeRequestsController < Projects::ApplicationController
@merge_requests = @merge_requests.page(params[:page]) @merge_requests = @merge_requests.page(params[:page])
@merge_requests = @merge_requests.preload(:target_project) @merge_requests = @merge_requests.preload(:target_project)
@label = @project.labels.find_by(title: params[:label_name]) @labels = @project.labels.where(title: params[:label_name])
respond_to do |format| respond_to do |format|
format.html format.html
format.json do format.json do
render json: { render json: {
html: view_to_html_string("projects/merge_requests/_merge_requests") html: view_to_html_string("projects/merge_requests/_merge_requests"),
labels: @labels
} }
end end
end end
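Review bot: `labels: @labels` serializes the whole label records into the JSON response, so every column of the model reaches the browser although the client template only reads title, color and description. Limit the payload to those fields, assuming the columns are named as the template reads them: `labels: @labels.as_json(only: [:title, :color, :description])`. Note also that `where` returns a relation that is never nil, so anything that tests `@labels` for presence should use `@labels.any?` instead. The action's body starts outside this hunk.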
......
...@@ -46,7 +46,7 @@ ...@@ -46,7 +46,7 @@
.filter-item.inline .filter-item.inline
= button_tag "Update issues", class: "btn update_selected_issues btn-save" = button_tag "Update issues", class: "btn update_selected_issues btn-save"
.gray-content-block.second-block.filtered-labels{ class: ("hidden" if !@labels) } .gray-content-block.second-block.filtered-labels
- if @labels - if @labels
= render "shared/labels_row", labels: @labels = render "shared/labels_row", labels: @labels
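Review bot: With the `hidden` class dropped, what this block shows rests on `- if @labels` alone, and if `@labels` comes from a `where(...)` call as in the merge requests controller, the relation is truthy even when empty, so the partial is rendered for zero labels inside an always-visible gray block. `- if @labels.present?` keeps the row out of the page when nothing is filtered, and it also tolerates a nil `@labels`. Which controllers feed this view is not visible in the hunk.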
......