Fix username escaping when clicking 'assign to me'

Add spec for assigning user with apostrophe in name

Fix username escaping when clicking 'assign to me'
Add spec for assigning user with apostrophe in name
6c199005 · Ezekiel Kigbo · Fatih Acet · b64e261b · 6c199005 · 6c199005
Commit 6c199005 authored Mar 04, 2019 by Ezekiel Kigbo Committed by Fatih Acet Mar 04, 2019
3 changed files
--- a/app/assets/javascripts/users_select.js
+++ b/app/assets/javascripts/users_select.js
@@ -93,23 +93,22 @@ function UsersSelect(currentUser, els, options = {}) {
          }
          // Save current selected user to the DOM
-          const input = document.createElement('input');
+          const currentUserInfo = $dropdown.data('currentUserInfo') || {};
-          input.type = 'hidden';
+          const currentUser = _this.currentUser || {};
-          input.name = $dropdown.data('fieldName');
+          const fieldName = $dropdown.data('fieldName');
+          const userName = currentUserInfo.name;
-          const currentUserInfo = $dropdown.data('currentUserInfo');
+          const userId = currentUserInfo.id || currentUser.id;
-          if (currentUserInfo) {
+          const inputHtmlString = _.template(`
-            input.value = currentUserInfo.id;
+            <input type="hidden" name="<%- fieldName %>"
-            input.dataset.meta = _.escape(currentUserInfo.name);
+              data-meta="<%- userName %>"
-          } else if (_this.currentUser) {
+              value="<%- userId %>" />
-            input.value = _this.currentUser.id;
+            `)({ fieldName, userName, userId });
-          }
          if ($selectbox) {
-            $dropdown.parent().before(input);
+            $dropdown.parent().before(inputHtmlString);
          } else {
-            $dropdown.after(input);
+            $dropdown.after(inputHtmlString);
          }
        };

--- a/changelogs/unreleased/37673-minor-issue-with-apostrophe-single-quote-when-clicking-assign-to-me.yml
+++ b/changelogs/unreleased/37673-minor-issue-with-apostrophe-single-quote-when-clicking-assign-to-me.yml
+---
+title: Fix username escaping when using assign to me for issues
+merge_request: 24673
+author:
+type: fixed
--- a/spec/features/issues/user_creates_issue_spec.rb
+++ b/spec/features/issues/user_creates_issue_spec.rb
@@ -93,4 +93,22 @@ describe "User creates issue" do
      end
    end
  end
+  context "when signed in as user with special characters in their name" do
+    let(:user_special) { create(:user, name: "Jon O'Shea") }
+    before do
+      project.add_developer(user_special)
+      sign_in(user_special)
+      visit(new_project_issue_path(project))
+    end
+    it "will correctly escape user names with an apostrophe when clicking 'Assign to me'", :js do
+      first('.assign-to-me-link').click
+      expect(page).to have_content(user_special.name)
+      expect(page.find('input[name="issue[assignee_ids][]"]', visible: false)['data-meta']).to eq(user_special.name)
+    end
+  end
 end