Commit 5dfddb5f authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Fix HTML escaping in StringRangeMarker

Rails now handles html_safe when using string ranges
to replace text.

We need to mark the replacement text as HTML-safe so that it
doesn't get escaped when it gets inserted into the HTML-safe
string.

Example:

string = "<p>Hello</p>".html_safe
string[3..4] = "<b>He</b>"

"<p>&lt;b&gt;He&lt;/b&gt;llo</p>"

Correct way:

string = "<p>Hello</p>".html_safe
string[3..4] = "<b>He</b>".html_safe

"<p><b>He</b>llo</p>"
parent b98072f4
......@@ -121,7 +121,7 @@ module Banzai
def autolink_filter(text)
Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_PATTERN) do |link, left:, right:|
autolink_match(link)
autolink_match(link).html_safe
end
end
......
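Review bot: The `.html_safe` on `autolink_match(link).html_safe` asserts that autolink_match escapes every value it interpolates, but nothing in the hunk shows that; since the marker is built from `CGI.unescapeHTML(text)`, the `link` yielded to the block is presumably the raw, unescaped match, so the safety of the mark rests entirely on autolink_match, which is defined outside this hunk. A comment at the call would pin that contract: `# autolink_match must escape href and text itself; html_safe only stops the marker re-escaping its output`. The same point applies to `spaced_link_match(link).html_safe` in spaced_link_filter in the next hunk. Worth confirming both helpers escape the href and the visible text rather than returning any part of the match verbatim.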
......@@ -77,7 +77,7 @@ module Banzai
def spaced_link_filter(text)
Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_OR_IMAGE_PATTERN) do |link, left:, right:|
spaced_link_match(link)
spaced_link_match(link).html_safe
end
end
......
......@@ -62,7 +62,7 @@ module Gitlab
end
def link_tag(name, url)
%{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}
%{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}.html_safe
end
# Links package names based on regex.
......
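Review bot: The `.html_safe` appended to link_tag's template is justified only because both `url` and `name` pass through `ERB::Util.html_escape_once` on that same line, and a comment should say so, since any interpolation added to this template later would silently inherit the html_safe mark: `# Safe to mark html_safe: every interpolated value above is escaped with html_escape_once.` Note that html_escape_once leaves existing entities untouched, which is fine for output here but is weaker than `html_escape` if the inputs can contain entities you want re-escaped. It also does not validate the href scheme, so any URL validation has to happen before this method is called; that is not visible in the hunk.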
......@@ -9,7 +9,7 @@ module Gitlab
def mark(line_inline_diffs, mode: nil)
super(line_inline_diffs) do |text, left:, right:|
%{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}
%{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}.html_safe
end
end
......
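Review bot: `text` is interpolated into the span unescaped and the whole fragment is then marked `.html_safe`, so this relies on `text` being a slice of the already-escaped rich string and on `html_class_names` returning only class-name-safe output; neither is visible in the hunk, and the enclosing class starts outside it. Interpolating an html_safe value into a plain `%{}` literal produces an ordinary String, so the trailing `.html_safe` is what re-asserts safety for the fragment, and the reason it is valid should be recorded; if the assumption holds, something like `# text comes from the escaped rich string and html_class_names emits fixed class names, so the fragment is safe to mark` at the block's first line would do. If `mode`, `left` or `right` can reach html_class_names from user input, the class attribute needs escaping as well.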
......@@ -9,7 +9,7 @@ describe Gitlab::StringRangeMarker do
inline_diffs = [2..5]
described_class.new(raw, rich).mark(inline_diffs) do |text, left:, right:|
"LEFT#{text}RIGHT"
"LEFT#{text}RIGHT".html_safe
end
end
......
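Review bot: The spec now marks the replacement `.html_safe`, but no example asserts the behaviour the commit fixes — that a replacement returned without `.html_safe` is entity-escaped when inserted into the rich string. A second example in this file that yields `"LEFT#{text}RIGHT"` unmarked, with a replacement containing a tag, and expects its angle brackets to appear encoded in the result would keep the escaping path from regressing; the two StringRegexMarker spec hunks below have the same gap. The `raw` and `rich` setup for this describe block lies outside the hunk.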
......@@ -10,7 +10,7 @@ describe Gitlab::StringRegexMarker do
subject do
described_class.new(raw, rich).mark(/"[^"]+":\s*"(?<name>[^"]+)"/, group: :name) do |text, left:, right:|
%{<a href="#">#{text}</a>}
%{<a href="#">#{text}</a>}.html_safe
end
end
......@@ -26,7 +26,7 @@ describe Gitlab::StringRegexMarker do
subject do
described_class.new(raw, rich).mark(/<[a-z]>/) do |text, left:, right:|
%{<strong>#{text}</strong>}
%{<strong>#{text}</strong>}.html_safe
end
end
......