authorDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-06-17 02:09:13 +0300
committerDouglas Barbosa Alexandre <dbalexandre@gmail.com>2016-07-06 02:57:09 +0300
commite186626d25d5a24e2f2c5f0b5082b79bc8bd0ddf (patch)
tree05a9fe5ac36515ff1146418875daf9147a285d86 /app
parentcfd5870b62e9d76e564ffc64db1d1281b4a363bb (diff)
Allow '?', or '&' for label titles
Diffstat (limited to 'app')
-rw-r--r--app/assets/javascripts/labels_select.js.coffee4
-rw-r--r--app/models/label.rb20
2 files changed, 19 insertions, 5 deletions
diff --git a/app/assets/javascripts/labels_select.js.coffee b/app/assets/javascripts/labels_select.js.coffee
index ce859fedb2d..b88bc402801 100644
--- a/app/assets/javascripts/labels_select.js.coffee
+++ b/app/assets/javascripts/labels_select.js.coffee
@@ -32,9 +32,9 @@ class @LabelsSelect
if issueUpdateURL
labelHTMLTemplate = _.template(
'<% _.each(labels, function(label){ %>
- <a href="<%- ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%- label.title %>">
+ <a href="<%- ["",issueURLSplit[1], issueURLSplit[2],""].join("/") %>issues?label_name[]=<%= encodeURIComponent(label.title) %>">
<span class="label has-tooltip color-label" title="<%- label.description %>" style="background-color: <%- label.color %>; color: <%- label.text_color %>;">
- <%- label.title %>
+ <%= label.title %>
</span>
</a>
<% }); %>'
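Review bot: The span body at the `+ <%= label.title %>` line now interpolates the title unescaped, whereas the removed `<%-` form HTML-escaped it; since the server side in this same commit unescapes `&lt;`, `&gt;` and `&amp;` back into literal characters before storing, a stored title can contain `<`, `>` or `&` and this template will emit them as raw markup. Only the href needed the change, because `encodeURIComponent` output is safe to emit raw; the visible text should keep underscore's escaping, `<%- label.title %>`. The double-escaping this presumably worked around (an `&amp;` already in the stored title being escaped again) is removed by the server-side unescape, so `<%-` now renders `a & b` correctly. The function that assigns `labelHTMLTemplate` starts before the hunk.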
diff --git a/app/models/label.rb b/app/models/label.rb
index 49c352cc239..115f38c6dfe 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -20,10 +20,10 @@ class Label < ActiveRecord::Base
validates :color, color: true, allow_blank: false
validates :project, presence: true, unless: Proc.new { |service| service.template? }
- # Don't allow '?', '&', and ',' for label titles
+ # Don't allow ',' for label titles
validates :title,
presence: true,
- format: { with: /\A[^&\?,]+\z/ },
+ format: { with: /\A[^,]+\z/ },
uniqueness: { scope: :project_id }
before_save :nullify_priority
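Review bot: Relaxing the format at the `+ format: { with: /\A[^,]+\z/ },` line admits `?` and `&` into a value that is interpolated into `label_name[]=` query strings; the CoffeeScript template in this commit URL-encodes it, but any other link builder that interpolates the title raw (none visible here) would now produce a truncated or mis-parsed filter. A model spec that saves a title such as `a&b?c` and a view spec that follows the generated filter link would pin both sides. The anchors `\A`/`\z` are correct for whole-string validation and should stay.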
@@ -114,7 +114,7 @@ class Label < ActiveRecord::Base
end
def title=(value)
- write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+ write_attribute(:title, sanitize_title(value)) if value.present?
end
private
@@ -132,4 +132,18 @@ class Label < ActiveRecord::Base
def nullify_priority
self.priority = nil if priority.blank?
end
+
+ def sanitize_title(value)
+ unnescape_html_entities(Sanitize.clean(value.to_s))
+ end
+
+ def unnescape_html_entities(value)
+ value.to_s.gsub(/(&gt;)|(&lt;)|(&amp;)/, Label::TABLE_FOR_ESCAPE_HTML_ENTITIES.invert)
+ end
+
+ TABLE_FOR_ESCAPE_HTML_ENTITIES = {
+ '&' => '&amp;',
+ '<' => '&lt;',
+ '>' => '&gt;'
+ }
end
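Review bot: `unnescape_html_entities` at the `+ def unnescape_html_entities(value)` line misspells its own name, recomputes `TABLE_FOR_ESCAPE_HTML_ENTITIES.invert` on every call, and the table is left unfrozen and declared below the methods that use it; hoist the inverted map into a frozen constant at the top of the class and match the three entities directly. The single `gsub` pass itself is correct (`&amp;lt;` becomes `&lt;`, not `<`), so this is style plus the per-call allocation. After this change a stored title may legitimately contain literal `<`, `>` and `&`, so every view that prints `label.title` must escape it on output; `sanitize_title` should carry a comment saying so.
```ruby
  def sanitize_title(value)
    # Sanitize escapes '&', '<' and '>' in text nodes; restore them so the
    # stored title is plain text. Views must still HTML-escape it on output.
    unescape_html_entities(Sanitize.clean(value.to_s))
  end

  # … unchanged: nullify_priority …

  def unescape_html_entities(value)
    value.to_s.gsub(/&(?:amp|lt|gt);/, TABLE_FOR_UNESCAPE_HTML_ENTITIES)
  end

  # Belongs at the top of the class with the other constants.
  TABLE_FOR_ESCAPE_HTML_ENTITIES = {
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;'
  }.freeze
  TABLE_FOR_UNESCAPE_HTML_ENTITIES = TABLE_FOR_ESCAPE_HTML_ENTITIES.invert.freeze
```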