From: Toshi MARUYAMA <marutosijp2@yahoo.co.jp>
Date: Thu, 5 Dec 2019 12:06:03 +0000 (+0000)
Subject: Merged r19333 from trunk to 3.4-stable (#25742)
X-Git-Tag: 3.4.13~4
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=c3474a96b22ded58e556cc290d804b25b3e6279a;p=redmine.git

Merged r19333 from trunk to 3.4-stable (#25742)

Filter all possibly class values on code tags in Textile.

Contributed by Holger Just from Planio.

git-svn-id: http://svn.redmine.org/redmine/branches/3.4-stable@19336 e93f8b46-1217-0410-a6f0-8f06a7374b81
---

diff --git a/lib/redmine/wiki_formatting/textile/formatter.rb b/lib/redmine/wiki_formatting/textile/formatter.rb
index 6e7f28e62..eef2253b2 100644
--- a/lib/redmine/wiki_formatting/textile/formatter.rb
+++ b/lib/redmine/wiki_formatting/textile/formatter.rb
@@ -120,9 +120,10 @@ module Redmine
             ## replace <pre> content
             text.gsub!(/<redpre#(\d+)>/) do
               content = @pre_list[$1.to_i]
-              if content.match(/<code\s+class=["'](\w+)["']>\s?(.+)/m)
-                language = $1
-                text = $2
+              # This regex must match any data produced by RedCloth3#rip_offtags
+              if content.match(/<code\s+class=(?:"([^"]+)"|'([^']+)')>\s?(.*)/m)
+                language = $1 || $2
+                text = $3
                 if Redmine::SyntaxHighlighting.language_supported?(language)
                   content = "<code class=\"#{language} syntaxhl\">" +
                     Redmine::SyntaxHighlighting.highlight_by_language(text, language)
diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
index 08ffba0ce..05047dce6 100644
--- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb
@@ -536,9 +536,17 @@ STR
   def test_should_not_allow_arbitrary_class_attribute_on_offtags
     %w(code pre kbd).each do |tag|
       assert_html_output({"<#{tag} class=\"foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class='foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class=\"ruby foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class='ruby foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
+      assert_html_output({"<#{tag} class=\"ruby \"foo\" bar\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false)
     end
 
     assert_html_output({"<notextile class=\"foo\">test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class='foo'>test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class=\"ruby foo\">test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class='ruby foo'>test</notextile>" => "test"}, false)
+    assert_html_output({"<notextile class=\"ruby \"foo\" bar\">test</notextile>" => "test"}, false)
   end
 
   def test_should_allow_valid_language_class_attribute_on_code_tags