Escape HTML entities in commit messages

bed60b8c · Douwe Maan · 2b331369 · bed60b8c · bed60b8c · bed60b8c
Commit bed60b8c authored Feb 15, 2018 by Douwe Maan
4 changed files
--- a/changelogs/unreleased/dm-escape-commit-message.yml
+++ b/changelogs/unreleased/dm-escape-commit-message.yml
+---
+title: Escape HTML entities in commit messages
+merge_request:
+author:
+type: fixed
--- a/lib/banzai/filter/html_entity_filter.rb
+++ b/lib/banzai/filter/html_entity_filter.rb
@@ -5,7 +5,7 @@ module Banzai
    # Text filter that escapes these HTML entities: & " < >
    class HtmlEntityFilter < HTML::Pipeline::TextFilter
      def call
-        ERB::Util.html_escape_once(text)
+        ERB::Util.html_escape(text)
      end
    end
  end

--- a/spec/helpers/events_helper_spec.rb
+++ b/spec/helpers/events_helper_spec.rb
@@ -20,5 +20,9 @@ describe EventsHelper do
    it 'handles nil values' do
      expect(helper.event_commit_title(nil)).to eq('')
    end
+    it 'does not escape HTML entities' do
+      expect(helper.event_commit_title("foo & bar")).to eq("foo & bar")
+    end
  end
 end
--- a/spec/lib/banzai/filter/html_entity_filter_spec.rb
+++ b/spec/lib/banzai/filter/html_entity_filter_spec.rb
@@ -3,17 +3,12 @@ require 'spec_helper'
 describe Banzai::Filter::HtmlEntityFilter do
  include FilterSpecHelper
-  let(:unescaped) { 'foo <strike attr="foo">&&&</strike>' }
+  let(:unescaped) { 'foo <strike attr="foo">&&amp;</strike>' }
-  let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;&amp;&lt;/strike&gt;' }
+  let(:escaped) { 'foo &lt;strike attr=&quot;foo&quot;&gt;&amp;&amp;amp;&amp;&lt;/strike&gt;' }
  it 'converts common entities to their HTML-escaped equivalents' do
    output = filter(unescaped)
    expect(output).to eq(escaped)
  end
-  it 'does not double-escape' do
-    escaped = ERB::Util.html_escape("Merge branch 'blabla' into 'master'")
-    expect(filter(escaped)).to eq(escaped)
-  end
 end