Browse Source
Explicitly render a 404 on non-JS requests to messages#quote (#39999).
Patch by Holger Just (@hjust). git-svn-id: https://svn.redmine.org/redmine/trunk@22584 e93f8b46-1217-0410-a6f0-8f06a7374b81pull/145/merge
Marius Balteanu
4 months ago
2 changed files with 18 additions and 0 deletions
+ 5
- 0
app/controllers/messages_controller.rb
View File
| @@ -125,6 +125,11 @@ class MessagesController < ApplicationController | |||
| @content = +"#{ll(Setting.default_language, :text_user_wrote_in, {:value => @message.author, :link => "message##{@message.id}"})}\n> " | |||
| end | |||
| @content << @message.content.to_s.strip.gsub(%r{<pre>(.*?)</pre>}m, '[...]').gsub(/(\r?\n|\r\n?)/, "\n> ") + "\n\n" | |||
| respond_to do |format| | |||
| format.html { render_404 } | |||
| format.js | |||
| end | |||
| end | |||
| def preview | |||
+ 13
- 0
test/functional/messages_controller_test.rb
View File
| @@ -311,6 +311,19 @@ class MessagesControllerTest < Redmine::ControllerTest | |||
| assert_include '> An other reply', response.body | |||
| end | |||
| def test_quote_as_html_should_respond_with_404 | |||
| @request.session[:user_id] = 2 | |||
| get( | |||
| :quote, | |||
| :params => { | |||
| :board_id => 1, | |||
| :id => 3 | |||
| }, | |||
| ) | |||
| assert_response 404 | |||
| end | |||
| def test_preview_new | |||
| @request.session[:user_id] = 2 | |||
| post( | |||
Loading…