Commit 0c2bb8d1 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch 'issue_15394' into 'master'

Sanitize milestones and labels titles

fixes #15394 

See merge request !4046
parents 8dd2188b 32811d98
......@@ -21,6 +21,7 @@ v 8.8.0 (unreleased)
- Update SVG sanitizer to conform to SVG 1.1
- Updated search UI
- Display informative message when new milestone is created
- Sanitize milestones and labels titles
- Allow "NEWS" and "CHANGES" as alternative names for CHANGELOG. !3768 (Connor Shea)
- Added button to toggle whitespaces changes on diff view
- Backport GitHub Enterprise import support from EE
......
......@@ -117,6 +117,10 @@ class Label < ActiveRecord::Base
LabelsHelper::text_color_for_bg(self.color)
end
def title=(value)
write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
end
private
def label_format_reference(format = :id)
......
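Review bot: The `if value.present?` guard on `title=` drops blank and nil assignments, so the previous title silently survives `label.update(title: '')` and a presence validation never sees the blank; pass it through instead: `write_attribute(:title, value.present? ? Sanitize.clean(value.to_s) : value)`. Separately, `Sanitize.clean` entity-encodes the text it keeps (`&` becomes `&amp;`, `>` becomes `&gt;`), so a plain title such as `C & C++` is stored encoded and will show as `C &amp; C++` wherever a view escapes it again; decoding with `CGI.unescapeHTML` after the clean avoids that, but it would also turn an input of `&lt;b&gt;` back into `<b>`, which is only safe once every renderer escapes on output. A short comment on why the strip lives in the model, e.g. `# Strip markup: reference filters interpolate the title into HTML (#15394)`, would help the next reader. The Label class continues outside this hunk.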
......@@ -129,6 +129,10 @@ class Milestone < ActiveRecord::Base
nil
end
def title=(value)
write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
end
# Sorts the issues for the given IDs.
#
# This method runs a single SQL query using a CASE statement to update the
......
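Review bot: The new setter only runs on assignment, so milestone titles already stored with markup (the #15394 vector) stay in the database until something re-saves them; a data migration that re-assigns `title` for existing rows, or at least a note that one is needed, is missing from the commit. Sanitizing at the model is defence in depth, and the reference-filter spec in this same commit still expects the title to land in the document unescaped, so the output side should escape the title as well. The block is a duplicate of `Label#title=`; a shared helper or concern used by both models would keep the two from drifting. The Milestone class continues outside this hunk.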
......@@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
milestone.update_attribute(:title, %{"></a>whatever<a title="})
doc = reference_filter("milestone #{reference}")
expect(doc.text).to eq "milestone #{milestone.title}"
expect(doc.text).to eq "milestone \">whatever"
end
it 'includes default classes' do
......
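Review bot: Asserting on `doc.text` cannot distinguish a sanitized title from a `"` that actually opened an attribute, because `text` flattens any markup that got through; add a structural check next to it, e.g. `expect(doc.css('a').size).to eq(1)` and `expect(doc.to_html).not_to include('<a title=')`. The literal `"milestone \">whatever"` also bakes in that Sanitize keeps `"` unencoded and that the filter emits the stored title raw, which is presumably the behaviour under test but is worth saying in a one-line comment on the example. The example continues outside this hunk.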
......@@ -55,6 +55,14 @@ describe Label, models: true do
end
end
describe "#title" do
let(:label) { create(:label, title: "<b>test</b>") }
it "sanitizes title" do
expect(label.title).to eq("test")
end
end
describe '#to_reference' do
context 'using id' do
it 'returns a String reference to the object' do
......
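Review bot: The `#title` example only covers a stripped tag; the two behaviours a sanitizing setter most often gets wrong are untouched, namely plain punctuation being re-encoded and blank assignment being ignored. Add `it "keeps plain text intact" do expect(create(:label, title: "C & C++").title).to eq("C & C++") end`, which will expose entity encoding by `Sanitize.clean` if present, and an example that assigns `""` to an existing label and expects the record to become invalid rather than keep its old title. The `describe Label` block continues outside this hunk.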
......@@ -34,6 +34,14 @@ describe Milestone, models: true do
let(:issue) { create(:issue) }
let(:user) { create(:user) }
describe "#title" do
let(:milestone) { create(:milestone, title: "<b>test</b>") }
it "sanitizes title" do
expect(milestone.title).to eq("test")
end
end
describe "unique milestone title per project" do
it "shouldn't accept the same title in a project twice" do
new_milestone = Milestone.new(project: milestone.project, title: milestone.title)
......