From 904752b2254199ff8f1513afa93a9e738c630929 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Sun, 4 Dec 2022 08:14:51 +0000
Subject: [PATCH] Merge r21986 from trunk to 5.0-stable (#37755).

git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@21988 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/helpers/application_helper.rb | 2 +-
 test/helpers/application_helper_test.rb | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 3bb8a602d..5c5cf39a5 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -60,7 +60,7 @@ module ApplicationHelper
 case principal
 when User
 name = h(principal.name(options[:format]))
- name = "@" + name if options[:mention]
+ name = "@".html_safe + name if options[:mention]
 css_classes = ''
 if principal.active? || (User.current.admin? && principal.logged?)
 url = user_url(principal, :only_path => only_path)
diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
index 452892e8b..c68f7495c 100644
--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
@@ -1841,6 +1841,16 @@ class ApplicationHelperTest < Redmine::HelperTest
 assert_equal result, link_to_principal(unknown_principal, :class => 'bar')
 end
 
+ def test_link_to_principal_should_escape_principal_name
+ user = User.generate!(firstname: "firstname<>'", lastname: 'lastname&"')
+ group = Group.generate!(lastname: "group<>'&")
+
+ assert_include "firstname<>' lastname&"", link_to_principal(user)
+ assert_include "@firstname<>' lastname&"", link_to_principal(user, { mention: true })
+ assert_include "group<>'&", link_to_principal(group)
+ assert_include "<>'&", link_to_principal("<>'&")
+ end
+
 def test_link_to_group_should_return_only_group_name_for_non_admin_users
 User.current = nil
 group = Group.find(10)
-- 
2.39.5
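Review bot: The new `"@".html_safe + name` line in the application_helper.rb hunk depends on `name` already being an html_safe buffer from the `h(...)` call on the line above — with a plain String prefix, `String#+` yields an unsafe String and the `link_to` that presumably renders it later in `link_to_principal` (outside this hunk) escapes the already-escaped name a second time, which is exactly the double-escaping the new test checks against. That dependency is not visible from the line itself, so I would record it: `# "@" must be html_safe as well: name is already escaped by h(), and a plain "@" + name would drop the html_safe flag and be escaped again on output`. It also means the single `h()` on the previous line remains the only escaping step for user-controlled names, so that call must stay ahead of the prefix rather than being moved or removed. The enclosing `link_to_principal` method starts and ends outside the hunk.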