| field | value | date |
|---|---|---|
| author | Marius Balteanu <marius.balteanu@zitec.com> | 2022-10-04 19:50:01 +0000 |
| committer | Marius Balteanu <marius.balteanu@zitec.com> | 2022-10-04 19:50:01 +0000 |
| commit | 823080b45e58563f989b992789ed340d358ed955 (patch) | |
| tree | 71254b64ab98c3c1308a7f7362e10ea08c9156c5 /lib/redmine/field_format.rb | |
| parent | 39151a89b6d1821eeea99b8e874aa85f1ab6117d (diff) | |
| download | redmine-823080b45e58563f989b992789ed340d358ed955.tar.gz redmine-823080b45e58563f989b992789ed340d358ed955.zip | |
Uses the new html sanitizer for links rendered by custom fields (#37750).
Patch by Jens Krämer.
git-svn-id: https://svn.redmine.org/redmine/trunk@21901 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'lib/redmine/field_format.rb')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | lib/redmine/field_format.rb | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/redmine/field_format.rb b/lib/redmine/field_format.rb index 5068667e1..759a4a2b0 100644 --- a/lib/redmine/field_format.rb +++ b/lib/redmine/field_format.rb @@ -255,15 +255,18 @@ module Redmine [text, url] end links = texts_and_urls.sort_by(&:first).map do |text, url| - css_class = (/^https?:\/\//.match?(url)) ? 'external' : nil - view.link_to_if uri_with_safe_scheme?(url), text, url, :class => css_class + view.link_to text, url end - links.join(', ').html_safe + sanitize_html links.join(', ') else casted end end + def sanitize_html(html) + Redmine::WikiFormatting::HtmlSanitizer.call(html).html_safe + end + # Returns an URL generated with the custom field URL pattern # and variables substitution: # %value% => the custom field value @@ -463,8 +466,7 @@ module Redmine url = "http://" + url end end - css_class = (/^https?:\/\//.match?(url)) ? 'external' : nil - view.link_to value.to_s.truncate(40), url, :class => css_class + sanitize_html view.link_to(value.to_s.truncate(40), url) else value.to_s end |
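Review bot: in the first hunk (`@@ -255,15 +255,18 @@`), replacing `view.link_to_if uri_with_safe_scheme?(url), text, url, :class => css_class` with an unconditional `view.link_to text, url` followed by `sanitize_html links.join(', ')` moves the unsafe-scheme defence from a pre-render guard to a post-render filter: before, a URL that `uri_with_safe_scheme?` rejected was rendered as plain text and never became an anchor; now the anchor is always built and its fate depends entirely on `Redmine::WikiFormatting::HtmlSanitizer.call` stripping it or its `href`. Please add a test that a link custom field whose value carries a scheme `uri_with_safe_scheme?` rejected renders without a clickable `href` after this change, so the new dependency on the sanitizer's scheme handling is pinned down. Two smaller points: the `'external'` CSS class is no longer set on http(s) links, which is a visible styling change the commit message does not mention, and the new `sanitize_html` helper is added as a public instance method with no comment; a one-line doc comment, and `private` if nothing outside the format classes calls it, would help.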
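Review bot: in the second hunk (`@@ -463,8 +466,7 @@`), `sanitize_html view.link_to(value.to_s.truncate(40), url)` is reached after the `url = "http://" + url` branch just above it, so a value without a scheme is first prefixed with `http://` and only then handed to the sanitizer, while a value that already has a scheme goes through untouched; the second path is the one that now relies solely on the sanitizer, so a test for a scheme-bearing value on this code path would be useful alongside the one for the first hunk. The removal of `css_class = (/^https?:\/\//.match?(url)) ? 'external' : nil` here mirrors the first hunk; if the class was only a styling hint, say so in the commit message, otherwise reinstate it via `view.link_to(..., :class => css_class)` before the `sanitize_html` call and confirm the sanitizer preserves the `class` attribute.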