diff options
| author | Go MAEDA <maeda@farend.jp> | 2021-03-19 04:37:46 +0000 |
|---|---|---|
| committer | Go MAEDA <maeda@farend.jp> | 2021-03-19 04:37:46 +0000 |
| commit | 35f5165c2dfc0364514541d38840e12024e2bc91 (patch) | |
| tree | a6683fb33bf1b1e0e50ab6a8f8499d973dc87c1d | |
| parent | 12307232ca013dbd856a44043d05e51d22fe79f2 (diff) | |
| download | redmine-35f5165c2dfc0364514541d38840e12024e2bc91.tar.gz redmine-35f5165c2dfc0364514541d38840e12024e2bc91.zip | |
Merged r20827 from trunk to 4.1-stable (#33846).
git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@20828 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | public/javascripts/application.js | 9 | ||||
| -rw-r--r-- | test/system/inline_autocomplete_test.rb | 13 |
2 files changed, 22 insertions, 0 deletions
diff --git a/public/javascripts/application.js b/public/javascripts/application.js index c1b1c7c71..e2cd3d1b7 100644 --- a/public/javascripts/application.js +++ b/public/javascripts/application.js @@ -8,6 +8,12 @@ $.ajaxPrefilter(function (s) { } }); +function sanitizeHTML(string) { + var temp = document.createElement('span'); + temp.textContent = string; + return temp.innerHTML; +} + function checkAll(id, checked) { $('#'+id).find('input[type=checkbox]:enabled').prop('checked', checked); } @@ -1062,6 +1068,9 @@ function inlineAutoComplete(element) { requireLeadingSpace: true, selectTemplate: function (issue) { return '#' + issue.original.id; + }, + menuItemTemplate: function (issue) { + return sanitizeHTML(issue.original.label); } }); diff --git a/test/system/inline_autocomplete_test.rb b/test/system/inline_autocomplete_test.rb index 7d557f4c6..04bf0dd0c 100644 --- a/test/system/inline_autocomplete_test.rb +++ b/test/system/inline_autocomplete_test.rb @@ -129,4 +129,17 @@ class InlineAutocompleteSystemTest < ApplicationSystemTestCase page.has_css?('.tribute-container li', minimum: 1) end + + def test_inline_autocomplete_for_issues_should_escape_html_elements + issue = Issue.generate!(subject: 'This issue has a <select> element', project_id: 1, tracker_id: 1) + + log_user('jsmith', 'jsmith') + visit 'projects/1/issues/new' + + fill_in 'Description', :with => '#This' + + within('.tribute-container') do + assert page.has_text? "Bug ##{issue.id}: This issue has a <select> element" + end + end end |