Patch by Jens Krämer.
git-svn-id: https://svn.redmine.org/redmine/trunk@21894
e93f8b46-1217-0410-a6f0-
8f06a7374b81
def textile_bq( tag, atts, cite, content )
cite, cite_title = check_refs( cite )
- cite = " cite=\"#{cite}\"" if cite
+ cite = " cite=\"#{htmlesc cite.dup}\"" if cite
atts = shelve( atts ) if atts
"\t<blockquote#{cite}>\n\t\t<p#{atts}>#{content}</p>\n\t</blockquote>"
end
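Review bot: The `.dup` on the added line is load-bearing but undocumented — RedCloth's `htmlesc` (not visible here, but it escapes via `gsub!` in the copies I know) rewrites its argument in place, so dropping the copy in a later cleanup would either mutate the reference-resolved `cite` returned by `check_refs` or raise on a frozen string; add `# htmlesc mutates its argument in place; escape a copy of the user-supplied cite` above it. The fix relies on `htmlesc`'s default mode being the one that encodes `"` and `'`; if that helper has a `:NoQuotes`-style mode, passing the mode explicitly, `htmlesc(cite.dup, :Quotes)`, pins the attribute-breakout protection against a future default change. Note that `atts` (via `shelve`) and `content` are still interpolated on the following line without escaping here — presumably sanitised upstream, but worth confirming as a separate item rather than assuming.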
assert_equal expected.gsub(%r{[\r\n\t]}, ''), to_html(text).gsub(%r{[\r\n\t]}, '')
end
+ def test_should_escape_bq_citations
+ assert_html_output({
+ %{bq.:http://x/"onmouseover="alert(document.domain) Hover me} =>
+ %{<blockquote cite="http://x/"onmouseover="alert(document.domain)">\n\t\t<p>Hover me</p>\n\t</blockquote>}
+ }, false)
+ end
+
private
def assert_html_output(to_test, expect_paragraph = true)
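Review bot: As printed, the expected string on the fourth line of the new test contains literal `"` characters inside `cite="…"`, which is exactly the attribute breakout the commit is meant to prevent; if that is the real expected value the assertion only passes when escaping does not happen, so confirm the test file actually asserts `cite="http://x/&quot;onmouseover=&quot;alert(document.domain)"` (the entities may simply have been decoded when this page was rendered). The test also exercises only a double quote; a second input such as `bq.:http://x/'onmouseover='alert(1)<b>&x Hover me` would pin the `'`, `<` and `&` handling the fix relies on, with the expected encodings (`&#039;`, `&lt;`, `&amp;`) checked against what `htmlesc` actually emits. `assert_html_output` on the last visible line is a sibling helper whose body continues past the hunk.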