author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-06-01 19:27:09 +0000 |
---|---|---|
committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2016-06-01 19:27:09 +0000 |
commit | 91e991e9517fdeecf7b495957e90af7536486547 (patch) | |
tree | 1827a862165e421651c767d9ff796deb09947f90 /lib/redmine/field_format.rb | |
parent | dac22ebb396248529da588664da8ea4046aa38d1 (diff) | |
Limits the schemes that custom field URL patterns can use (#22925).
git-svn-id: http://svn.redmine.org/redmine/trunk@15435 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'lib/redmine/field_format.rb')
-rw-r--r-- | lib/redmine/field_format.rb | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/lib/redmine/field_format.rb b/lib/redmine/field_format.rb
index dd94eeefd..77014579b 100644
--- a/lib/redmine/field_format.rb
+++ b/lib/redmine/field_format.rb
@@ -48,6 +48,7 @@ module Redmine
 class Base
 include Singleton
 include Redmine::I18n
+ include Redmine::Helpers::URL
 include ERB::Util
 class_attribute :format_name
@@ -149,7 +150,12 @@ module Redmine
 # Returns the validation errors for custom_field
 # Should return an empty array if custom_field is valid
 def validate_custom_field(custom_field)
- []
+ errors = []
+ pattern = custom_field.url_pattern
+ if pattern.present? && !uri_with_safe_scheme?(url_pattern_without_tokens(pattern))
+ errors << [:url_pattern, :invalid]
+ end
+ errors
 end
 # Returns the validation error messages for custom_value
@@ -178,7 +184,7 @@ module Redmine
 url = url_from_pattern(custom_field, single_value, customized)
 [text, url]
 end
- links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to text, url}
+ links = texts_and_urls.sort_by(&:first).map {|text, url| view.link_to_if uri_with_safe_scheme?(url), text, url}
 links.join(', ').html_safe
 else
 casted
@@ -210,6 +216,13 @@ module Redmine
 end
 protected :url_from_pattern
+ # Returns the URL pattern with substitution tokens removed,
+ # for validation purpose
+ def url_pattern_without_tokens(url_pattern)
+ url_pattern.to_s.gsub(/%(value|id|project_id|project_identifier|m\d+)%/, '')
+ end
+ protected :url_pattern_without_tokens
+
 def edit_tag(view, tag_id, tag_name, custom_value, options={})
 view.text_field_tag(tag_name, custom_value.value, options.merge(:id => tag_id))
 end |
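Review bot: In `validate_custom_field` the scheme check runs on the pattern with every substitution token stripped, so a pattern made only of tokens (for example `%value%`) is validated as an empty string, and the result depends entirely on what `uri_with_safe_scheme?` returns for `""`; that helper comes from `Redmine::Helpers::URL`, outside this file, so its behaviour on empty input should be confirmed. Because the final URL is only known once values are substituted at render time, this save-time check can only cover the literal part of the pattern, and the render-time `link_to_if uri_with_safe_scheme?(url)` added in the third hunk is what actually guards substituted values. A comment above the `if` would make that split explicit, e.g. `# Only the literal part of the pattern can be checked here; the substituted URL is checked again when links are rendered.`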
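Review bot: The new `link_to_if uri_with_safe_scheme?(url), text, url` silently renders `text` without a link whenever the substituted URL is rejected, which is the right fallback but is easy to mistake for a bug when an existing custom field (saved before this validation existed) suddenly stops linking. A one-line comment on that line would record the intent: `# Patterns saved before scheme validation, or values injecting a scheme, must not become links`. The enclosing method begins and ends outside this hunk, so whether `url_from_pattern` can return nil for some values, and what `uri_with_safe_scheme?` does with nil, cannot be checked from here.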
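Review bot: `url_pattern_without_tokens` hard-codes the token list `/%(value|id|project_id|project_identifier|m\d+)%/`, which presumably mirrors the substitutions performed by `url_from_pattern` (defined above, outside this hunk); if one list is extended without the other, validation will run against a string that still contains an unreplaced token or, worse, strips a token the renderer never substitutes. Lifting the regexp into a frozen class-level constant shared by both methods, e.g. `URL_PATTERN_TOKENS = /%(value|id|project_id|project_identifier|m\d+)%/` and `url_pattern.to_s.gsub(URL_PATTERN_TOKENS, '')`, keeps them from drifting. The comment should also read `# for validation purposes` and could state that the method is intentionally lossy and must not be used to build a URL.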