Commit 33cf1673 authored by Jan Provaznik's avatar Jan Provaznik

Merge branch '31034-escape-string-range-marker' into 'master'

Fix HTML escaping in StringRangeMarker

See merge request gitlab-org/gitlab!20426
parents 8807c85f 5dfddb5f
...@@ -121,7 +121,7 @@ module Banzai ...@@ -121,7 +121,7 @@ module Banzai
def autolink_filter(text) def autolink_filter(text)
Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_PATTERN) do |link, left:, right:| Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_PATTERN) do |link, left:, right:|
autolink_match(link) autolink_match(link).html_safe
end end
end end
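Review bot: `autolink_match(link).html_safe` on the new side of this hunk asserts that every branch of `autolink_match` returns already-escaped markup, and that method lies outside the hunk, so the assertion cannot be checked here; the spaced-link filter hunk below has the same shape with `spaced_link_match(link).html_safe`. The raw string handed to the marker is `CGI.unescapeHTML(text)`, so `link` is unescaped input, and any path in `autolink_match` that returns it unchanged would, presumably, now skip the escaping the marker otherwise applies to non-safe block results. A one-line comment at the call site, `# autolink_match must escape link itself: html_safe opts out of the marker's escaping`, would record the invariant, and a filter spec feeding a link containing `<` or `"` would pin it.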
......
...@@ -77,7 +77,7 @@ module Banzai ...@@ -77,7 +77,7 @@ module Banzai
def spaced_link_filter(text) def spaced_link_filter(text)
Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_OR_IMAGE_PATTERN) do |link, left:, right:| Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_OR_IMAGE_PATTERN) do |link, left:, right:|
spaced_link_match(link) spaced_link_match(link).html_safe
end end
end end
......
...@@ -62,7 +62,7 @@ module Gitlab ...@@ -62,7 +62,7 @@ module Gitlab
end end
def link_tag(name, url) def link_tag(name, url)
%{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>} %{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}.html_safe
end end
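Review bot: The `.html_safe` appended to the anchor string in `link_tag` is sound only because both interpolations go through `ERB::Util.html_escape_once`, and nothing at the call site says so; a comment such as `# html_safe is justified: url and name are both escaped via html_escape_once above` would stop a later edit from adding an unescaped interpolation to a string already marked safe. `html_escape_once` leaves existing entity sequences untouched, so a `url` or `name` already containing `&amp;` is emitted as-is, which is inert in markup but worth knowing if any caller pre-escapes. Escaping neutralises markup only; if `url` can ever be derived from file contents rather than built from a fixed template (not visible in this hunk), scheme validation stays the caller's responsibility.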
# Links package names based on regex. # Links package names based on regex.
......
...@@ -9,7 +9,7 @@ module Gitlab ...@@ -9,7 +9,7 @@ module Gitlab
def mark(line_inline_diffs, mode: nil) def mark(line_inline_diffs, mode: nil)
super(line_inline_diffs) do |text, left:, right:| super(line_inline_diffs) do |text, left:, right:|
%{<span class="#{html_class_names(left, right, mode)}">#{text}</span>} %{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}.html_safe
end end
end end
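Review bot: `%{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}.html_safe` in `mark` treats `text` as already escaped, but the hunk does not show where it comes from: it is whatever `super` (the range marker) yields, and `html_class_names` is defined outside the hunk. If the superclass yields slices of the escaped rich line this is correct; if it ever yields raw text, the `.html_safe` would pass it through unescaped, so the dependency is worth stating in a comment on the block, `# text is a slice of the escaped rich line; html_safe opts out of the marker's escaping`. The class attribute should only ride on the same `.html_safe` if `html_class_names` returns a fixed set of class names rather than anything derived from the diff input (can't tell from here).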
......
...@@ -9,7 +9,7 @@ describe Gitlab::StringRangeMarker do ...@@ -9,7 +9,7 @@ describe Gitlab::StringRangeMarker do
inline_diffs = [2..5] inline_diffs = [2..5]
described_class.new(raw, rich).mark(inline_diffs) do |text, left:, right:| described_class.new(raw, rich).mark(inline_diffs) do |text, left:, right:|
"LEFT#{text}RIGHT" "LEFT#{text}RIGHT".html_safe
end end
end end
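Review bot: The spec still only covers a block that returns an `html_safe` string, so nothing in this hunk exercises the path the merge request title describes, presumably escaping a plain-string block result; the two StringRegexMarker spec hunks below have the same gap. Adding one example per marker where the block returns `"<b>#{text}</b>"` without `.html_safe` and asserting the output contains `&lt;b&gt;` would pin the fix and catch a regression to the old behaviour. The `raw`/`rich` fixtures and the `described_class` setup sit outside the hunk.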
......
...@@ -10,7 +10,7 @@ describe Gitlab::StringRegexMarker do ...@@ -10,7 +10,7 @@ describe Gitlab::StringRegexMarker do
subject do subject do
described_class.new(raw, rich).mark(/"[^"]+":\s*"(?<name>[^"]+)"/, group: :name) do |text, left:, right:| described_class.new(raw, rich).mark(/"[^"]+":\s*"(?<name>[^"]+)"/, group: :name) do |text, left:, right:|
%{<a href="#">#{text}</a>} %{<a href="#">#{text}</a>}.html_safe
end end
end end
...@@ -26,7 +26,7 @@ describe Gitlab::StringRegexMarker do ...@@ -26,7 +26,7 @@ describe Gitlab::StringRegexMarker do
subject do subject do
described_class.new(raw, rich).mark(/<[a-z]>/) do |text, left:, right:| described_class.new(raw, rich).mark(/<[a-z]>/) do |text, left:, right:|
%{<strong>#{text}</strong>} %{<strong>#{text}</strong>}.html_safe
end end
end end
......