From 31692910393205203d20be1bd12f7c9fe39ee796 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang <jp_lang@yahoo.fr>
Date: Wed, 24 Dec 2008 11:42:05 +0000
Subject: [PATCH] Merged r2143 and r2144 from trunk.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/branches/0.7-stable@2174 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/views/journals/_notes_form.rhtml         | 4 ++--
 lib/redcloth.rb                              | 6 +++++-
 test/unit/helpers/application_helper_test.rb | 2 ++
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/app/views/journals/_notes_form.rhtml b/app/views/journals/_notes_form.rhtml
index 9baec03fa..6fd58309a 100644
--- a/app/views/journals/_notes_form.rhtml
+++ b/app/views/journals/_notes_form.rhtml
@@ -1,6 +1,6 @@
 <% form_remote_tag(:url => {}, :html => { :id => "journal-#{@journal.id}-form" }) do %>
-    <%= text_area_tag :notes, @journal.notes, :class => 'wiki-edit', 
-                                              :rows => (@journal.notes.blank? ? 10 : [[10, @journal.notes.length / 50].max, 100].min) %>
+    <%= text_area_tag :notes, h(@journal.notes), :class => 'wiki-edit', 
+                                                 :rows => (@journal.notes.blank? ? 10 : [[10, @journal.notes.length / 50].max, 100].min) %>
     <p><%= submit_tag l(:button_save) %>
     <%= link_to l(:button_cancel), '#', :onclick => "Element.remove('journal-#{@journal.id}-form'); " +
                                                     "Element.show('journal-#{@journal.id}-notes'); return false;" %></p>
diff --git a/lib/redcloth.rb b/lib/redcloth.rb
index 2b36421d9..4faa4b9e5 100644
--- a/lib/redcloth.rb
+++ b/lib/redcloth.rb
@@ -433,12 +433,15 @@ class RedCloth < String
     #
     # Flexible HTML escaping
     #
-    def htmlesc( str, mode )
+    def htmlesc( str, mode=:Quotes )
+      if str
         str.gsub!( '&', '&amp;' )
         str.gsub!( '"', '&quot;' ) if mode != :NoQuotes
         str.gsub!( "'", '&#039;' ) if mode == :Quotes
         str.gsub!( '<', '&lt;')
         str.gsub!( '>', '&gt;')
+      end
+      str
     end
 
     # Search and replace for Textile glyphs (quotes, dashes, other symbols)
@@ -890,6 +893,7 @@ class RedCloth < String
     def inline_textile_image( text ) 
         text.gsub!( IMAGE_RE )  do |m|
             stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
+	    htmlesc title
             atts = pba( atts )
             atts = " src=\"#{ url }\"#{ atts }"
             atts << " title=\"#{ title }\"" if title
diff --git a/test/unit/helpers/application_helper_test.rb b/test/unit/helpers/application_helper_test.rb
index 5fdf65961..e20866786 100644
--- a/test/unit/helpers/application_helper_test.rb
+++ b/test/unit/helpers/application_helper_test.rb
@@ -50,6 +50,8 @@ class ApplicationHelperTest < HelperTestCase
       'floating !>http://foo.bar/image.jpg!' => 'floating <div style="float:right"><img src="http://foo.bar/image.jpg" alt="" /></div>',
       'with class !(some-class)http://foo.bar/image.jpg!' => 'with class <img src="http://foo.bar/image.jpg" class="some-class" alt="" />',
       'with style !{width:100px;height100px}http://foo.bar/image.jpg!' => 'with style <img src="http://foo.bar/image.jpg" style="width:100px;height100px;" alt="" />',
+      'with title !http://foo.bar/image.jpg(This is a title)!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a title" alt="This is a title" />',
+      'with title !http://foo.bar/image.jpg(This is a double-quoted "title")!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a double-quoted &quot;title&quot;" alt="This is a double-quoted &quot;title&quot;" />',
     }
     to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
   end
-- 
2.39.5