diff options
| author | Toshi MARUYAMA <marutosijp2@yahoo.co.jp> | 2019-12-05 12:03:28 +0000 |
|---|---|---|
| committer | Toshi MARUYAMA <marutosijp2@yahoo.co.jp> | 2019-12-05 12:03:28 +0000 |
| commit | 4a6804087e9e552e8635ae62e06d970fe0b37911 (patch) | |
| tree | 1ec97315c6c6be6c8e39402de7270931ab5e3e1a | |
| parent | 433154d357285f67fa582792cb04fea9e789f960 (diff) | |
| download | redmine-4a6804087e9e552e8635ae62e06d970fe0b37911.tar.gz redmine-4a6804087e9e552e8635ae62e06d970fe0b37911.zip | |
Merged r19333 from trunk to 4.1-stable (#25742)
Filter all possibly class values on code tags in Textile.
Contributed by Holger Just from Planio.
git-svn-id: http://svn.redmine.org/redmine/branches/4.1-stable@19334 e93f8b46-1217-0410-a6f0-8f06a7374b81
| -rw-r--r-- | lib/redmine/wiki_formatting/textile/formatter.rb | 7 | ||||
| -rw-r--r-- | test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb | 8 |
2 files changed, 12 insertions, 3 deletions
diff --git a/lib/redmine/wiki_formatting/textile/formatter.rb b/lib/redmine/wiki_formatting/textile/formatter.rb index 47ddfbb0f..2858e9805 100644 --- a/lib/redmine/wiki_formatting/textile/formatter.rb +++ b/lib/redmine/wiki_formatting/textile/formatter.rb @@ -123,9 +123,10 @@ module Redmine ## replace <pre> content text.gsub!(/<redpre#(\d+)>/) do content = @pre_list[$1.to_i] - if content.match(/<code\s+class=["'](\w+)["']>\s?(.+)/m) - language = $1 - text = $2 + # This regex must match any data produced by RedCloth3#rip_offtags + if content.match(/<code\s+class=(?:"([^"]+)"|'([^']+)')>\s?(.*)/m) + language = $1 || $2 + text = $3 if Redmine::SyntaxHighlighting.language_supported?(language) text.gsub!(/x%x%/, '&') content = "<code class=\"#{language} syntaxhl\">" + diff --git a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb index 65d12ad98..1fb0dd32e 100644 --- a/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb +++ b/test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb @@ -557,9 +557,17 @@ STR def test_should_not_allow_arbitrary_class_attribute_on_offtags %w(code pre kbd).each do |tag| assert_html_output({"<#{tag} class=\"foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false) + assert_html_output({"<#{tag} class='foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false) + assert_html_output({"<#{tag} class=\"ruby foo\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false) + assert_html_output({"<#{tag} class='ruby foo'>test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false) + assert_html_output({"<#{tag} class=\"ruby \"foo\" bar\">test</#{tag}>" => "<#{tag}>test</#{tag}>"}, false) end assert_html_output({"<notextile class=\"foo\">test</notextile>" => "test"}, false) + assert_html_output({"<notextile class='foo'>test</notextile>" => "test"}, false) + assert_html_output({"<notextile class=\"ruby foo\">test</notextile>" => "test"}, false) + assert_html_output({"<notextile class='ruby foo'>test</notextile>" => "test"}, false) + assert_html_output({"<notextile class=\"ruby \"foo\" bar\">test</notextile>" => "test"}, false) end def test_should_allow_valid_language_class_attribute_on_code_tags |