-rw-r--r-- | CHANGELOG | 1 | ||||
-rw-r--r-- | app/models/label.rb | 4 | ||||
-rw-r--r-- | app/models/milestone.rb | 4 | ||||
-rw-r--r-- | spec/lib/banzai/filter/milestone_reference_filter_spec.rb | 2 | ||||
-rw-r--r-- | spec/models/label_spec.rb | 8 | ||||
-rw-r--r-- | spec/models/milestone_spec.rb | 8 |
6 files changed, 26 insertions, 1 deletions
diff --git a/CHANGELOG b/CHANGELOG
index aeade934b46..f8ae187348d 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -21,6 +21,7 @@ v 8.8.0 (unreleased)
 - Update SVG sanitizer to conform to SVG 1.1
 - Updated search UI
 - Display informative message when new milestone is created
+ - Sanitize milestones and labels titles
 - Allow "NEWS" and "CHANGES" as alternative names for CHANGELOG. !3768 (Connor Shea)
 - Added button to toggle whitespaces changes on diff view
 - Backport GitHub Enterprise import support from EE
diff --git a/app/models/label.rb b/app/models/label.rb
index 9a22398d952..8a24a6e69b3 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -117,6 +117,10 @@ class Label < ActiveRecord::Base
 LabelsHelper::text_color_for_bg(self.color)
 end
 
+ def title=(value)
+ write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+ end
+
 private
 
 def label_format_reference(format = :id)
diff --git a/app/models/milestone.rb b/app/models/milestone.rb
index 5ee8a965ad8..b19935cad6f 100644
--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@@ -129,6 +129,10 @@ class Milestone < ActiveRecord::Base
 nil
 end
 
+ def title=(value)
+ write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+ end
+
 # Sorts the issues for the given IDs.
 #
 # This method runs a single SQL query using a CASE statement to update the
diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
index ebf3d7489b5..5beb61dac5c 100644
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
 milestone.update_attribute(:title, %{"></a>whatever<a title="})
 doc = reference_filter("milestone #{reference}")
 
- expect(doc.text).to eq "milestone #{milestone.title}"
+ expect(doc.text).to eq "milestone \">whatever"
 end
 
 it 'includes default classes' do
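Review bot: The guard `if value.present?` on the new `Label#title=` turns assignment of nil or an empty string into a silent no-op, so `label.update(title: "")` keeps the previous title and sails past any presence validation instead of failing. Write the attribute unconditionally and only run the sanitizer on non-blank input: `write_attribute(:title, value.present? ? Sanitize.clean(value.to_s) : value)`. Separately, `Sanitize.clean` returns an HTML-serialized fragment as far as I recall, so a title such as `a & b` or `x < y` is stored as `a &amp; b` / `x &lt; y` and a `<` that was plain text rather than markup is lost; any view that escapes on output will then render the entity text, which is worth confirming against the label views before relying on input-side stripping. Sanitizing at write time is a second line of defense only; the reference filters still need to escape the title at output. The enclosing `Label` class starts and ends outside the hunk.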
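Review bot: The new `Milestone#title=` duplicates the setter added to `Label` line for line, including the `if value.present?` guard that makes `milestone.update(title: nil)` a no-op rather than a validation failure; a shared concern included by both models would fix the blank case once and keep the two from drifting. Until then I would change the body to `write_attribute(:title, value.present? ? Sanitize.clean(value.to_s) : value)` so blank input still reaches the validations. Because `Sanitize.clean` likely entity-encodes its output, a round-trip test (assign `milestone.title` back to itself and expect it unchanged) would document that re-sanitizing a stored title is stable. The enclosing `Milestone` class starts and ends outside the hunk.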
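Review bot: The updated expectation hard-codes `"milestone \">whatever"`, which records that the sanitizer leaves a bare `"` and `>` in the stored title but no longer checks what the example was presumably written for: that a title crafted to close the `title="..."` attribute does not inject extra markup. Keep a structural assertion alongside the text one, e.g. `expect(doc.css('a').size).to eq 1` and `expect(doc.css('a').first['title']).to include('whatever')`, so the filter's own attribute escaping is what is under test rather than the model-level stripping. If `Sanitize.clean` entity-encodes output, the stored value is likely `"&gt;whatever` and it is `doc.text` decoding that makes the literal comparison pass; a one-line comment saying so would spare the next reader the detour. The `it` block sits inside the hunk, but the surrounding `describe` starts outside it.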
diff --git a/spec/models/label_spec.rb b/spec/models/label_spec.rb
index 0614ca1e7c9..b61c55a3f6d 100644
--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@@ -55,6 +55,14 @@ describe Label, models: true do
 end
 end
 
+ describe "#title" do
+ let(:label) { create(:label, title: "<b>test</b>") }
+
+ it "sanitizes title" do
+ expect(label.title).to eq("test")
+ end
+ end
+
 describe '#to_reference' do
 context 'using id' do
 it 'returns a String reference to the object' do
diff --git a/spec/models/milestone_spec.rb b/spec/models/milestone_spec.rb
index 72a4ea70228..e2c89a4b3e6 100644
--- a/spec/models/milestone_spec.rb
+++ b/spec/models/milestone_spec.rb
@@ -34,6 +34,14 @@ describe Milestone, models: true do
 let(:issue) { create(:issue) }
 let(:user) { create(:user) }
 
+ describe "#title" do
+ let(:milestone) { create(:milestone, title: "<b>test</b>") }
+
+ it "sanitizes title" do
+ expect(milestone.title).to eq("test")
+ end
+ end
+
 describe "unique milestone title per project" do
 it "shouldn't accept the same title in a project twice" do
 new_milestone = Milestone.new(project: milestone.project, title: milestone.title)
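Review bot: The new `#title` example only covers tag stripping; it should also pin the two behaviours most likely to regress with the setter this commit adds: blank assignment and non-markup special characters. For the first, `label.title = ""` followed by `expect(label).not_to be_valid` (or `expect(label.title).to eq("")`) would catch the setter silently keeping the old value when `value.present?` is false. For the second, a title like `"a & b"` with an assertion on the stored representation the views expect (plain `a & b` if output escaping is the intended place for encoding, `a &amp; b` if the sanitizer's encoding is meant to be kept) makes the storage contract explicit instead of leaving it to whatever `Sanitize.clean` happens to emit.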
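Review bot: The added example asserts only that `<b>` is stripped; add a case that a blank title is still rejected after the change, e.g. `milestone.title = ""` then `expect(milestone).not_to be_valid`, because the `title=` setter introduced in this commit skips `write_attribute` when `value.present?` is false, so a presence validation and the `"unique milestone title per project"` example just below both see the previous value. A round-trip example (`milestone.title = milestone.title` then expect the original string) would also document that sanitizing an already-sanitized title, which the uniqueness spec does via `Milestone.new(title: milestone.title)`, is stable.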