include Redmine::SudoMode::Helper
include Redmine::Themes::Helper
include Redmine::Hook::Helper
+ include Redmine::Helpers::URL
extend Forwardable
def_delegators :wiki_helper, :wikitoolbar_for, :heads_for_wiki_formatter
args.include?(field_format)
end
+ def self.human_attribute_name(attribute_key_name, *args)
+ attr_name = attribute_key_name.to_s
+ if attr_name == 'url_pattern'
+ attr_name = "url"
+ end
+ super(attr_name, *args)
+ end
+
protected
# Removes multiple values for the custom field after setting the multiple attribute to false
<% if @project.homepage.present? || @subprojects.any? || @project.visible_custom_field_values.any?(&:present?) %>
<ul>
<% unless @project.homepage.blank? %>
- <li><span class="label"><%=l(:field_homepage)%>:</span> <%= link_to @project.homepage, @project.homepage %></li>
+ <li><span class="label"><%=l(:field_homepage)%>:</span> <%= link_to_if uri_with_safe_scheme?(@project.homepage), @project.homepage, @project.homepage %></li>
<% end %>
<% if @subprojects.any? %>
<li><span class="label"><%=l(:label_subproject_plural)%>:</span>
# class RedCloth::Textile.new( str )
class RedCloth3 < String
+ include Redmine::Helpers::URL
VERSION = '3.0.4'
DEFAULT_RULES = [:textile, :markdown]
href, alt_title = check_refs( href ) if href
url, url_title = check_refs( url )
+ return m unless uri_with_safe_scheme?(url)
+
out = ''
out << "<a#{ shelve( " href=\"#{ href }\"" ) }>" if href
out << "<img#{ shelve( atts ) } />"
class Base
include Singleton
include Redmine::I18n
+ include Redmine::Helpers::URL
include ERB::Util
class_attribute :format_name
# Returns the validation errors for custom_field
# Should return an empty array if custom_field is valid
def validate_custom_field(custom_field)
- []
+ errors = []
+ pattern = custom_field.url_pattern
+ if pattern.present? && !uri_with_safe_scheme?(url_pattern_without_tokens(pattern))
+ errors << [:url_pattern, :invalid]
+ end
+ errors
end
# Returns the validation error messages for custom_value
url = url_from_pattern(custom_field, single_value, customized)
[text, url]
end
- links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to text, url}
+ links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to_if uri_with_safe_scheme?(url), text, url}
links.join(', ').html_safe
else
casted
end
protected :url_from_pattern
+ # Returns the URL pattern with substitution tokens removed,
+ # for validation purpose
+ def url_pattern_without_tokens(url_pattern)
+ url_pattern.to_s.gsub(/%(value|id|project_id|project_identifier|m\d+)%/, '')
+ end
+ protected :url_pattern_without_tokens
+
def edit_tag(view, tag_id, tag_name, custom_value, options={})
view.text_field_tag(tag_name, custom_value.value, options.merge(:id => tag_id))
end
--- /dev/null
+# Redmine - project management software
+# Copyright (C) 2006-2016 Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+require 'uri'
+
+module Redmine
+ module Helpers
+ module URL
+ def uri_with_safe_scheme?(uri, schemes = ['http', 'https', 'ftp', 'mailto', nil])
+ # URLs relative to the current document or document root (without a protocol
+ # separator, should be harmless
+ return true unless uri.include? ":"
+
+ # Other URLs need to be parsed
+ schemes.include? URI.parse(uri).scheme
+ rescue URI::InvalidURIError
+ false
+ end
+ end
+ end
+end
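Review bot: `uri_with_safe_scheme?` raises NoMethodError when `uri` is nil, because `uri.include? ":"` runs before any parsing and only `URI::InvalidURIError` is rescued; the Markdown `link` callback's existing `unless link && link.starts_with?('/')` guard suggests nil links do reach this helper. Normalising the argument first, `uri = uri.to_s`, keeps nil on the relative-URL branch so the callers' existing nil handling still applies instead of the renderer crashing. The default scheme list is allocated on every call and could be a frozen constant, e.g. `SAFE_SCHEMES = ['http', 'https', 'ftp', 'mailto', nil].freeze`, used as the parameter default. The comment at the top of the method body is also missing its closing parenthesis after "separator".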
module Markdown
class HTML < Redcarpet::Render::HTML
include ActionView::Helpers::TagHelper
+ include Redmine::Helpers::URL
def link(link, title, content)
+ return nil unless uri_with_safe_scheme?(link)
+
css = nil
unless link && link.starts_with?('/')
css = 'external'
"<pre>" + CGI.escapeHTML(code) + "</pre>"
end
end
+
+ def image(link, title, alt_text)
+ return unless uri_with_safe_scheme?(link)
+
+ tag('img', :src => link, :alt => alt_text || "", :title => title)
+ end
end
class Formatter
attachment = Attachment.generate!(:filename => 'café.jpg')
with_settings :text_formatting => 'markdown' do
- assert_include %(<img src="/attachments/download/#{attachment.id}/caf%C3%A9.jpg" alt="">),
+ assert_include %(<img src="/attachments/download/#{attachment.id}/caf%C3%A9.jpg" alt="" />),
textilizable("![](café.jpg)", :attachments => [attachment])
end
end
class Redmine::FieldFormatTest < ActionView::TestCase
include ApplicationHelper
+ def setup
+ set_language_if_valid 'en'
+ end
+
def test_string_field_with_text_formatting_disabled_should_not_format_text
field = IssueCustomField.new(:field_format => 'string')
custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "*foo*")
assert_include "<strong>foo</strong>", field.format.formatted_custom_value(self, custom_value, true)
end
+ def test_should_validate_url_pattern_with_safe_scheme
+ field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'http://foo/%value%')
+ assert_save field
+ end
+
+ def test_should_not_validate_url_pattern_with_unsafe_scheme
+ field = IssueCustomField.new(:field_format => 'string', :name => 'URL', :url_pattern => 'foo://foo/%value%')
+ assert !field.save
+ assert_include "URL is invalid", field.errors.full_messages
+ end
+
def test_text_field_with_url_pattern_should_format_as_link
field = IssueCustomField.new(:field_format => 'string', :url_pattern => 'http://foo/%value%')
custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "bar")