Escape blockquote citation in textile formatting (#37751).

Patch by Jens Krämer.

git-svn-id: https://svn.redmine.org/redmine/trunk@21894 e93f8b46-1217-0410-a6f0-8f06a7374b81

diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb
index dbb919ff178fa0dda6193d007bc212bb1618e4c0..b935db6b9f2924e08caab541e70c04af0f7d6d7a 100644 (file)
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -691,7 +691,7 @@ class RedCloth3 < String
 
     def textile_bq( tag, atts, cite, content )
         cite, cite_title = check_refs( cite )
-        cite = " cite=\"#{cite}\"" if cite
+        cite = " cite=\"#{htmlesc cite.dup}\"" if cite
         atts = shelve( atts ) if atts
         "\t<blockquote#{cite}>\n\t\t<p#{atts}>#{content}</p>\n\t</blockquote>"
     end

diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index 30013b8370d36b2728fa2c0a2f055fe9b5c71644..23f6d7538c0f964ca15d9cc699d0c13335cdbee4 100644 (file)
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -751,6 +751,13 @@ class Redmine::WikiFormatting::TextileFormatterTest < ActionView::TestCase
     assert_equal expected.gsub(%r{[\r\n\t]}, ''), to_html(text).gsub(%r{[\r\n\t]}, '')
   end
 
+  def test_should_escape_bq_citations
+    assert_html_output({
+      %{bq.:http://x/"onmouseover="alert(document.domain) Hover me} =>
+        %{<blockquote cite="http://x/&quot;onmouseover=&quot;alert(document.domain)">\n\t\t<p>Hover me</p>\n\t</blockquote>}
+    }, false)
+  end
+
   private
 
   def assert_html_output(to_test, expect_paragraph = true)