Merged r19333 from trunk to 3.3-stable (#25742)

Filter all possibly class values on code tags in Textile.

Contributed by Holger Just from Planio.

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@19337 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/lib/redmine/wiki_formatting/textile/formatter.rb b/lib/redmine/wiki_formatting/textile/formatter.rb
index 4d4e4b24009ea7f67140e2bbdaafb1a71a70e56f..2555479d48efd36f7b5326ba250fe50e3ffb5bb2 100644 (file)
--- a/lib/redmine/wiki_formatting/textile/formatter.rb
+++ b/lib/redmine/wiki_formatting/textile/formatter.rb
@@ -120,9 +120,10 @@ module Redmine
             ## replace <pre> content
             text.gsub!(/<redpre#(\d+)>/) do
               content = @pre_list[$1.to_i]
-              if content.match(/<code\s+class=["'](\w+)["']>\s?(.+)/m)
-                language = $1
-                text = $2
+              # This regex must match any data produced by RedCloth3#rip_offtags
+              if content.match(/<code\s+class=(?:"([^"]+)"|'([^']+)')>\s?(.*)/m)
+                language = $1 || $2
+                text = $3
                 if Redmine::SyntaxHighlighting.language_supported?(language)
                   content = "<code class=\"#{language} syntaxhl\">" +
                     Redmine::SyntaxHighlighting.highlight_by_language(text, language)

diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index 8920a6ae96a287c86582e6afae20730184c32afb..59273d4093fdbf495431db1a6b723b33d0473fad 100644 (file)
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -536,9 +536,17 @@ STR
   def test_should_not_allow_arbitrary_class_attribute_on_offtags
     %w(code pre kbd).each do |tag|
       assert_html_output({"<#{tag} class=\"foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class='foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class=\"ruby foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class='ruby foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class=\"ruby \"foo\" bar\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
     end
 
     assert_html_output({"<notextile class=\"foo\">test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class='foo'>test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class=\"ruby foo\">test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class='ruby foo'>test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class=\"ruby \"foo\" bar\">test</notextile>" => "test"}, false)
   end
 
   def test_should_allow_valid_language_class_attribute_on_code_tags