From: Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
Date: Fri, 16 Sep 2011 01:52:30 +0000 (+0000)
Subject: HTML escape at parse_redmine_links() of app/helpers/application_helper.rb (#9252)
X-Git-Tag: 1.3.0~719
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=950d600f22600932ff43cab00fe4167271745950;p=redmine.git

HTML escape at parse_redmine_links() of app/helpers/application_helper.rb (#9252)

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@7249 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index cd8c439fc..d58461a5f 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -633,7 +633,7 @@ module ApplicationHelper
         if prefix.nil? && sep == 'r'
           # project.changesets.visible raises an SQL error because of a double join on repositories
           if project && project.repository && (changeset = Changeset.visible.find_by_repository_id_and_revision(project.repository.id, identifier))
-            link = link_to("#{project_prefix}r#{identifier}", {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
+            link = link_to(h("#{project_prefix}r#{identifier}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
                                       :class => 'changeset',
                                       :title => truncate_single_line(changeset.comments, :length => 100))
           end
@@ -683,7 +683,7 @@ module ApplicationHelper
             if project && project.repository && (changeset = Changeset.visible.find(:first, :conditions => ["repository_id = ? AND scmid LIKE ?", project.repository.id, "#{name}%"]))
               link = link_to h("#{project_prefix}#{name}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.identifier},
                                            :class => 'changeset',
-                                           :title => truncate_single_line(changeset.comments, :length => 100)
+                                           :title => truncate_single_line(h(changeset.comments), :length => 100)
             end
           when 'source', 'export'
             if project && project.repository && User.current.allowed_to?(:browse_repository, project)