From 823080b45e58563f989b992789ed340d358ed955 Mon Sep 17 00:00:00 2001
From: Marius Balteanu
Date: Tue, 4 Oct 2022 19:50:01 +0000
Subject: Uses the new html sanitizer for links rendered by custom fields (#37750).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Jens Krämer.

git-svn-id: https://svn.redmine.org/redmine/trunk@21901 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 lib/redmine/field_format.rb | 12 +++++++-----
 test/unit/lib/redmine/field_format/field_format_test.rb | 8 ++++----
 test/unit/lib/redmine/field_format/link_format_test.rb | 14 +++++++-------
 test/unit/lib/redmine/field_format/list_format_test.rb | 4 ++--
 test/unit/lib/redmine/field_format/numeric_format_test.rb | 2 +-
 5 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/lib/redmine/field_format.rb b/lib/redmine/field_format.rb
index 5068667e1..759a4a2b0 100644
--- a/lib/redmine/field_format.rb
+++ b/lib/redmine/field_format.rb
@@ -255,15 +255,18 @@ module Redmine
 [text, url]
 end
 links = texts_and_urls.sort_by(&:first).map do |text, url|
- css_class = (/^https?:\/\//.match?(url)) ? 'external' : nil
- view.link_to_if uri_with_safe_scheme?(url), text, url, :class => css_class
+ view.link_to text, url
 end
- links.join(', ').html_safe
+ sanitize_html links.join(', ')
 else
 casted
 end
 end
 
+ def sanitize_html(html)
+ Redmine::WikiFormatting::HtmlSanitizer.call(html).html_safe
+ end
+
 # Returns an URL generated with the custom field URL pattern
 # and variables substitution:
 # %value% => the custom field value
@@ -463,8 +466,7 @@ module Redmine
 url = "http://" + url
 end
 end
- css_class = (/^https?:\/\//.match?(url)) ? 'external' : nil
- view.link_to value.to_s.truncate(40), url, :class => css_class
+ sanitize_html view.link_to(value.to_s.truncate(40), url)
 else
 value.to_s
 end
diff --git a/test/unit/lib/redmine/field_format/field_format_test.rb b/test/unit/lib/redmine/field_format/field_format_test.rb
index 5bcda2156..ee3ac7283 100644
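Review bot: In both hunks of lib/redmine/field_format.rb the `link_to_if uri_with_safe_scheme?(url)` guard is replaced by an unconditional `view.link_to` followed by `sanitize_html`, so rejecting unsafe href schemes now depends entirely on `Redmine::WikiFormatting::HtmlSanitizer`, whose protocol whitelist is not visible in this diff; the second hunk's enclosing method starts outside the hunk. That contract should be pinned by a regression test on a value whose URL uses a non-http scheme and stated on the new helper, e.g. `# Sanitizes rendered link markup; HtmlSanitizer is expected to drop unsafe href schemes.` Dropping `css_class` also silently removes the `external` class from links to http(s) URLs, which the commit message does not mention — if the sanitizer would strip that attribute anyway, a one-line comment saying so prevents it from being re-added later. As written, `sanitize_html` appears to be a public method (no visibility marker is visible in the hunk); a `private` marker would keep it out of the format's interface.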
--- a/test/unit/lib/redmine/field_format/field_format_test.rb +++ b/test/unit/lib/redmine/field_format/field_format_test.rb @@ -79,7 +79,7 @@ class Redmine::FieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "bar") assert_equal "bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) end def test_text_field_with_url_pattern_and_value_containing_a_space_should_format_as_link @@ -87,7 +87,7 @@ class Redmine::FieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "foo bar") assert_equal "foo bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'foo bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'foo bar', field.format.formatted_custom_value(self, custom_value, true) end def test_text_field_with_url_pattern_should_not_encode_url_pattern @@ -95,7 +95,7 @@ class Redmine::FieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "1") assert_equal "1", field.format.formatted_custom_value(self, custom_value, false) - assert_equal '1', field.format.formatted_custom_value(self, custom_value, true) + assert_equal '1', field.format.formatted_custom_value(self, custom_value, true) end def test_text_field_with_url_pattern_should_encode_values 
@@ -103,6 +103,6 @@ class Redmine::FieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "foo bar") assert_equal "foo bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'foo bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'foo bar', field.format.formatted_custom_value(self, custom_value, true) end end diff --git a/test/unit/lib/redmine/field_format/link_format_test.rb b/test/unit/lib/redmine/field_format/link_format_test.rb index e55b0b5af..d3666f5d0 100644 --- a/test/unit/lib/redmine/field_format/link_format_test.rb +++ b/test/unit/lib/redmine/field_format/link_format_test.rb @@ -31,7 +31,7 @@ class Redmine::LinkFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "bar") assert_equal "bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) end def test_link_field_should_substitute_object_id_in_url @@ -42,7 +42,7 @@ class Redmine::LinkFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => object, :value => "bar") assert_equal "bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) end def test_link_field_should_substitute_project_id_in_url 
@@ -55,7 +55,7 @@ class Redmine::LinkFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => object, :value => "bar") assert_equal "bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) end def test_link_field_should_substitute_project_identifier_in_url @@ -68,7 +68,7 @@ class Redmine::LinkFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => object, :value => "bar") assert_equal "bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'bar', field.format.formatted_custom_value(self, custom_value, true) end def test_link_field_should_substitute_regexp_groups @@ -76,7 +76,7 @@ class Redmine::LinkFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "56-142") assert_equal "56-142", field.format.formatted_custom_value(self, custom_value, false) - assert_equal '56-142', field.format.formatted_custom_value(self, custom_value, true) + assert_equal '56-142', field.format.formatted_custom_value(self, custom_value, true) end def test_link_field_without_url_pattern_should_link_to_value 
@@ -84,7 +84,7 @@ class Redmine::LinkFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "http://foo/bar") assert_equal "http://foo/bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'http://foo/bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'http://foo/bar', field.format.formatted_custom_value(self, custom_value, true) end def test_link_field_without_url_pattern_should_link_to_value_with_http_by_default @@ -92,6 +92,6 @@ class Redmine::LinkFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "foo.bar") assert_equal "foo.bar", field.format.formatted_custom_value(self, custom_value, false) - assert_equal 'foo.bar', field.format.formatted_custom_value(self, custom_value, true) + assert_equal 'foo.bar', field.format.formatted_custom_value(self, custom_value, true) end end diff --git a/test/unit/lib/redmine/field_format/list_format_test.rb b/test/unit/lib/redmine/field_format/list_format_test.rb index 2d2a1dbe8..d2ec52aeb 100644 --- a/test/unit/lib/redmine/field_format/list_format_test.rb +++ b/test/unit/lib/redmine/field_format/list_format_test.rb 
@@ -144,14 +144,14 @@ class Redmine::ListFieldFormatTest < ActionView::TestCase def test_field_with_url_pattern_should_link_value field = IssueCustomField.new(:field_format => 'list', :url_pattern => 'http://localhost/%value%') formatted = field.format.formatted_value(self, field, 'foo', Issue.new, true) - assert_equal 'foo', formatted + assert_equal 'foo', formatted assert formatted.html_safe? end def test_field_with_url_pattern_and_multiple_values_should_link_values field = IssueCustomField.new(:field_format => 'list', :url_pattern => 'http://localhost/%value%') formatted = field.format.formatted_value(self, field, ['foo', 'bar'], Issue.new, true) - assert_equal 'bar, foo', formatted + assert_equal 'bar, foo', formatted assert formatted.html_safe? end diff --git a/test/unit/lib/redmine/field_format/numeric_format_test.rb b/test/unit/lib/redmine/field_format/numeric_format_test.rb index fa558a377..1cee59a4f 100644 --- a/test/unit/lib/redmine/field_format/numeric_format_test.rb +++ b/test/unit/lib/redmine/field_format/numeric_format_test.rb @@ -32,6 +32,6 @@ class Redmine::NumericFieldFormatTest < ActionView::TestCase custom_value = CustomValue.new(:custom_field => field, :customized => Issue.new, :value => "3") assert_equal 3, field.format.formatted_custom_value(self, custom_value, false) - assert_equal '3', field.format.formatted_custom_value(self, custom_value, true) + assert_equal '3', field.format.formatted_custom_value(self, custom_value, true) end end -- cgit v1.2.3