authorJean-Philippe Lang <jp_lang@yahoo.fr>2016-03-26 10:20:10 +0000
committerJean-Philippe Lang <jp_lang@yahoo.fr>2016-03-26 10:20:10 +0000
commit25eb92c0dc337b3a1167642433a3d6af73c1a68d (patch)
treea97eb7469659d2446be79de08587bc7e1e60bce4 /lib
parent197ec295e036f3aaf574df3a804a29a88c48161d (diff)
Text in the "removed" part of a diff is double-escaped (#22115).
Patch by Felix Schäfer. git-svn-id: http://svn.redmine.org/redmine/trunk@15287 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'lib')
-rw-r--r--lib/redmine/helpers/diff.rb8
1 files changed, 5 insertions, 3 deletions
diff --git a/lib/redmine/helpers/diff.rb b/lib/redmine/helpers/diff.rb
index aa1860ac7..a6d81620a 100644
--- a/lib/redmine/helpers/diff.rb
+++ b/lib/redmine/helpers/diff.rb
@@ -23,6 +23,7 @@ module Redmine
include ERB::Util
include ActionView::Helpers::TagHelper
include ActionView::Helpers::TextHelper
+ include ActionView::Helpers::OutputSafetyHelper
attr_reader :diff, :words
def initialize(content_to, content_from)
@@ -53,7 +54,7 @@ module Redmine
else
del_at = pos unless del_at
deleted << ' ' unless deleted.empty?
- deleted << h(change[2])
+ deleted << change[2]
words_del += 1
end
end
@@ -62,13 +63,14 @@ module Redmine
words[add_to] = words[add_to] + '</span>'.html_safe
end
if del_at
- words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + deleted + '</span>'.html_safe
+ # deleted is not safe html at this point
+ words.insert del_at - del_off + dels + words_add, '<span class="diff_out">'.html_safe + h(deleted) + '</span>'.html_safe
dels += 1
del_off += words_del
words_del = 0
end
end
- words.join(' ').html_safe
+ safe_join(words, ' ')
end
end
end
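Review bot: `safe_join(words, ' ')` on the last changed line escapes any element of `words` that is not already marked html_safe, so the method now relies on every entry having been escaped and flagged safe where `words` is built, which is outside this hunk. If an entry were a plain String, `words[add_to] + '</span>'.html_safe` would presumably yield a plain String as well and the closing tag would be rendered as text; that fails closed rather than open, but the invariant deserves to be written down. I would add a comment above the return, `# every element of words must already be html_safe; safe_join escapes the rest`, and a matching one at `deleted << change[2]` in the second hunk noting that `deleted` holds raw text until the single `h(deleted)` call. The method body starts before the hunk, so the initialisation of `words` and `deleted` could not be checked here.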