Merge branch 'label-dropdown-encode' into 'master'

Fixed escaping issue with labels filter ## What does this MR do? Encodes label names to stop any JS errors. ## What are the relevant issue numbers? Closes #15552 See merge request !6123

Merge branch 'label-dropdown-encode' into 'master'
Fixed escaping issue with labels filter ## What does this MR do? Encodes label names to stop any JS errors. ## What are the relevant issue numbers? Closes #15552 See merge request !6123
e609bf33 · Fatih Acet · Ruben Davila · 978a5a6e · e609bf33 · e609bf33
Commit e609bf33 authored Aug 31, 2016 by Fatih Acet Committed by Ruben Davila Aug 31, 2016
4 changed files
--- a/app/assets/javascripts/gl_dropdown.js
+++ b/app/assets/javascripts/gl_dropdown.js
@@ -556,7 +556,7 @@
      if (isInput) {
        field = $(this.el);
      } else {
-        field = this.dropdown.parent().find("input[name='" + fieldName + "'][value='" + value + "']");
+        field = this.dropdown.parent().find("input[name='" + fieldName + "'][value='" + escape(value) + "']");
      }
      if (el.hasClass(ACTIVE_CLASS)) {
        el.removeClass(ACTIVE_CLASS);

--- a/app/assets/javascripts/labels_select.js
+++ b/app/assets/javascripts/labels_select.js
@@ -164,7 +164,7 @@
                instance.addInput(this.fieldName, label.id);
              }
            }
-            if ($form.find("input[type='hidden'][name='" + ($dropdown.data('fieldName')) + "'][value='" + (this.id(label)) + "']").length) {
+            if ($form.find("input[type='hidden'][name='" + ($dropdown.data('fieldName')) + "'][value='" + escape(this.id(label)) + "']").length) {
              selectedClass.push('is-active');
            }
            if ($dropdown.hasClass('js-multiselect') && removesAll) {

--- a/app/views/shared/issuable/_label_dropdown.html.haml
+++ b/app/views/shared/issuable/_label_dropdown.html.haml
@@ -12,7 +12,7 @@
 - if params[:label_name].present?
  - if params[:label_name].respond_to?('any?')
    - params[:label_name].each do |label|
-      = hidden_field_tag "label_name[]", label, id: nil
+      = hidden_field_tag "label_name[]", u(label), id: nil
 .dropdown
  %button.dropdown-menu-toggle.js-label-select.js-multiselect{class: classes.join(' '), type: "button", data: dropdown_data}
    %span.dropdown-toggle-text

--- a/spec/features/issues/filter_issues_spec.rb
+++ b/spec/features/issues/filter_issues_spec.rb
@@ -8,6 +8,7 @@ describe 'Filter issues', feature: true do
  let!(:milestone) { create(:milestone, project: project) }
  let!(:label)     { create(:label, project: project) }
  let!(:issue1)    { create(:issue, project: project) }
+  let!(:wontfix)   { create(:label, project: project, title: "Won't fix") }

  before do
    project.team << [user, :master]
@@ -107,6 +108,15 @@ describe 'Filter issues', feature: true do
      end
      expect(find('.js-label-select .dropdown-toggle-text')).to have_content(label.title)
    end
+
+    it 'filters by wont fix labels' do
+      find('.dropdown-menu-labels a', text: label.title).click
+      page.within '.labels-filter' do
+        expect(page).to have_content wontfix.title
+        click_link wontfix.title
+      end
+      expect(find('.js-label-select .dropdown-toggle-text')).to have_content(wontfix.title)
+    end
  end

  describe 'Filter issues for assignee and label from issues#index' do