Merge branch '31034-escape-string-range-marker' into 'master'

Fix HTML escaping in StringRangeMarker See merge request gitlab-org/gitlab!20426

Merge branch '31034-escape-string-range-marker' into 'master'
Fix HTML escaping in StringRangeMarker See merge request gitlab-org/gitlab!20426
33cf1673 · Jan Provaznik · 8807c85f · 5dfddb5f · 33cf1673 · 33cf1673
Commit 33cf1673 authored Nov 26, 2019 by Jan Provaznik
6 changed files
--- a/lib/banzai/filter/autolink_filter.rb
+++ b/lib/banzai/filter/autolink_filter.rb
@@ -121,7 +121,7 @@ module Banzai

      def autolink_filter(text)
        Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_PATTERN) do |link, left:, right:|
-          autolink_match(link)
+          autolink_match(link).html_safe
        end
      end


--- a/lib/banzai/filter/spaced_link_filter.rb
+++ b/lib/banzai/filter/spaced_link_filter.rb
@@ -77,7 +77,7 @@ module Banzai

      def spaced_link_filter(text)
        Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_OR_IMAGE_PATTERN) do |link, left:, right:|
-          spaced_link_match(link)
+          spaced_link_match(link).html_safe
        end
      end


--- a/lib/gitlab/dependency_linker/base_linker.rb
+++ b/lib/gitlab/dependency_linker/base_linker.rb
@@ -62,7 +62,7 @@ module Gitlab
      end

      def link_tag(name, url)
-        %{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}
+        %{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}.html_safe
      end

      # Links package names based on regex.

--- a/lib/gitlab/diff/inline_diff_marker.rb
+++ b/lib/gitlab/diff/inline_diff_marker.rb
@@ -9,7 +9,7 @@ module Gitlab

      def mark(line_inline_diffs, mode: nil)
        super(line_inline_diffs) do |text, left:, right:|
-          %{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}
+          %{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}.html_safe
        end
      end


--- a/spec/lib/gitlab/string_range_marker_spec.rb
+++ b/spec/lib/gitlab/string_range_marker_spec.rb
@@ -9,7 +9,7 @@ describe Gitlab::StringRangeMarker do
      inline_diffs = [2..5]

      described_class.new(raw, rich).mark(inline_diffs) do |text, left:, right:|
-        "LEFT#{text}RIGHT"
+        "LEFT#{text}RIGHT".html_safe
      end
    end


--- a/spec/lib/gitlab/string_regex_marker_spec.rb
+++ b/spec/lib/gitlab/string_regex_marker_spec.rb
@@ -10,7 +10,7 @@ describe Gitlab::StringRegexMarker do

      subject do
        described_class.new(raw, rich).mark(/"[^"]+":\s*"(?<name>[^"]+)"/, group: :name) do |text, left:, right:|
-          %{<a href="#">#{text}</a>}
+          %{<a href="#">#{text}</a>}.html_safe
        end
      end

@@ -26,7 +26,7 @@ describe Gitlab::StringRegexMarker do

      subject do
        described_class.new(raw, rich).mark(/<[a-z]>/) do |text, left:, right:|
-          %{<strong>#{text}</strong>}
+          %{<strong>#{text}</strong>}.html_safe
        end
      end