]> source.dussan.org Git - redmine.git/commitdiff
projects / redmine.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3caa932)
Merge r21894 from trunk to 4.2-stable (#37751).
authorMarius Balteanu <marius.balteanu@zitec.com>
Tue, 4 Oct 2022 19:01:37 +0000 (19:01 +0000)
committerMarius Balteanu <marius.balteanu@zitec.com>
Tue, 4 Oct 2022 19:01:37 +0000 (19:01 +0000)
git-svn-id: https://svn.redmine.org/redmine/branches/4.2-stable@21896 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/redmine/wiki_formatting/textile/redcloth3.rb patch | blob | history
test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb patch | blob | history

diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb
index 2816e1c90d9942742f91a988e6cdd8e4a5f8255b..34774310557b833cde0fe202dad6f81659770a3e 100644 (file)
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -690,7 +690,7 @@ class RedCloth3 < String
 
     def textile_bq( tag, atts, cite, content )
         cite, cite_title = check_refs( cite )
-        cite = " cite=\"#{cite}\"" if cite
+        cite = " cite=\"#{htmlesc cite.dup}\"" if cite
         atts = shelve( atts ) if atts
         "\t<blockquote#{cite}>\n\t\t<p#{atts}>#{content}</p>\n\t</blockquote>"
     end
diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index 5ee4defe16168e6c3eda74c48fb2c6afd1d2a9c0..28a3d92aba216197a7884b2361d026abfd4d1749 100644 (file)
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -703,6 +703,13 @@ class Redmine::WikiFormatting::TextileFormatterTest < ActionView::TestCase
     assert_equal expected.gsub(%r{[\r\n\t]}, ''), to_html(text).gsub(%r{[\r\n\t]}, '')
   end
 
+  def test_should_escape_bq_citations
+    assert_html_output({
+      %{bq.:http://x/"onmouseover="alert(document.domain) Hover me} =>
+        %{<blockquote cite="http://x/&quot;onmouseover=&quot;alert(document.domain)">\n\t\t<p>Hover me</p>\n\t</blockquote>}
+    }, false)
+  end
+
   private
 
   def assert_html_output(to_test, expect_paragraph = true)
Mirror of redmine code source: https://github.com/redmine/redmine