Fix HTML escaping in StringRangeMarker

Rails now handles html_safe when using string ranges to replace text. We need to mark the replacement text as HTML-safe so that it doesn't get escaped when it gets inserted into the HTML-safe string. Example: string = "<p>Hello</p>".html_safe string[3..4] = "<b>He</b>" "<p><b>He</b>llo</p>" Correct way: string = "<p>Hello</p>".html_safe string[3..4] = "<b>He</b>".html_safe "<p><b>He</b>llo</p>"

Fix HTML escaping in StringRangeMarker
Rails now handles html_safe when using string ranges to replace text. We need to mark the replacement text as HTML-safe so that it doesn't get escaped when it gets inserted into the HTML-safe string. Example: string = "<p>Hello</p>".html_safe string[3..4] = "<b>He</b>" "<p><b>He</b>llo</p>" Correct way: string = "<p>Hello</p>".html_safe string[3..4] = "<b>He</b>".html_safe "<p><b>He</b>llo</p>"
5dfddb5f · Heinrich Lee Yu · b98072f4 · 5dfddb5f · 5dfddb5f · 5dfddb5f
Commit 5dfddb5f authored Nov 15, 2019 by Heinrich Lee Yu
6 changed files
--- a/lib/banzai/filter/autolink_filter.rb
+++ b/lib/banzai/filter/autolink_filter.rb
@@ -121,7 +121,7 @@ module Banzai

      def autolink_filter(text)
        Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_PATTERN) do |link, left:, right:|
-          autolink_match(link)
+          autolink_match(link).html_safe
        end
      end


--- a/lib/banzai/filter/spaced_link_filter.rb
+++ b/lib/banzai/filter/spaced_link_filter.rb
@@ -77,7 +77,7 @@ module Banzai

      def spaced_link_filter(text)
        Gitlab::StringRegexMarker.new(CGI.unescapeHTML(text), text.html_safe).mark(LINK_OR_IMAGE_PATTERN) do |link, left:, right:|
-          spaced_link_match(link)
+          spaced_link_match(link).html_safe
        end
      end


--- a/lib/gitlab/dependency_linker/base_linker.rb
+++ b/lib/gitlab/dependency_linker/base_linker.rb
@@ -62,7 +62,7 @@ module Gitlab
      end

      def link_tag(name, url)
-        %{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}
+        %{<a href="#{ERB::Util.html_escape_once(url)}" rel="nofollow noreferrer noopener" target="_blank">#{ERB::Util.html_escape_once(name)}</a>}.html_safe
      end

      # Links package names based on regex.

--- a/lib/gitlab/diff/inline_diff_marker.rb
+++ b/lib/gitlab/diff/inline_diff_marker.rb
@@ -9,7 +9,7 @@ module Gitlab

      def mark(line_inline_diffs, mode: nil)
        super(line_inline_diffs) do |text, left:, right:|
-          %{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}
+          %{<span class="#{html_class_names(left, right, mode)}">#{text}</span>}.html_safe
        end
      end


--- a/spec/lib/gitlab/string_range_marker_spec.rb
+++ b/spec/lib/gitlab/string_range_marker_spec.rb
@@ -9,7 +9,7 @@ describe Gitlab::StringRangeMarker do
      inline_diffs = [2..5]

      described_class.new(raw, rich).mark(inline_diffs) do |text, left:, right:|
-        "LEFT#{text}RIGHT"
+        "LEFT#{text}RIGHT".html_safe
      end
    end


--- a/spec/lib/gitlab/string_regex_marker_spec.rb
+++ b/spec/lib/gitlab/string_regex_marker_spec.rb
@@ -10,7 +10,7 @@ describe Gitlab::StringRegexMarker do

      subject do
        described_class.new(raw, rich).mark(/"[^"]+":\s*"(?<name>[^"]+)"/, group: :name) do |text, left:, right:|
-          %{<a href="#">#{text}</a>}
+          %{<a href="#">#{text}</a>}.html_safe
        end
      end

@@ -26,7 +26,7 @@ describe Gitlab::StringRegexMarker do

      subject do
        described_class.new(raw, rich).mark(/<[a-z]>/) do |text, left:, right:|
-          %{<strong>#{text}</strong>}
+          %{<strong>#{text}</strong>}.html_safe
        end
      end