1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
From ea4bf1eba4b680159a873aa468364826f4d13385 Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Mon, 18 Sep 2023 08:06:48 +0000
Subject: [PATCH] Merged r22302 and r22303 from trunk to 5.0-stable (#38807).
git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@22304 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
lib/redmine/wiki_formatting/textile/redcloth3.rb | 8 ++++----
test/helpers/application_helper_test.rb | 5 +++--
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb
index c292926a548..9062fca0d87 100644
--- a/lib/redmine/wiki_formatting/textile/redcloth3.rb
+++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb
@@ -841,7 +841,7 @@ def inline_textile_link( text )
end
url = htmlesc(url.dup)
- next all if url.downcase.start_with?('javascript:')
+ next all unless uri_with_link_safe_scheme?(url)
atts = pba(atts)
atts = +" href=\"#{url}#{slash}\"#{atts}"
@@ -965,7 +965,7 @@ def inline_textile_image( text )
next m unless uri_with_safe_scheme?(url.partition('?').first)
if href
href = htmlesc(href.dup)
- next m if href.downcase.start_with?('javascript:')
+ next m unless uri_with_link_safe_scheme?(href)
end
out = +''
@@ -1214,9 +1214,9 @@ def escape_html_tags(text)
all, tag, close = $1, $2, $3
if close.present? && (ALLOWED_TAGS.include?(tag) || (tag =~ /\Aredpre#\d+\z/))
- "<#{all}#{close}"
+ "<#{htmlesc all}#{close}"
else
- "<#{all}#{'>' unless close.blank?}"
+ "<#{htmlesc all}#{'>' unless close.blank?}"
end
end
end
diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
index 641c9373b87..d5692446338 100644
--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
@@ -1294,12 +1294,13 @@ def test_wiki_links_anchor_option_should_prepend_page_title_to_href
def test_html_tags
to_test = {
"<div>content</div>" => "<p><div>content</div></p>",
- "<div class=\"bold\">content</div>" => "<p><div class=\"bold\">content</div></p>",
+ "<div class=\"bold\">content</div>" => "<p><div class="bold">content</div></p>",
"<script>some script;</script>" => "<p><script>some script;</script></p>",
# do not escape pre/code tags
"<pre>\nline 1\nline2</pre>" => "<pre>\nline 1\nline2</pre>",
"<pre><code>\nline 1\nline2</code></pre>" => "<pre><code>\nline 1\nline2</code></pre>",
- "<pre><div>content</div></pre>" => "<pre><div>content</div></pre>",
+ "<pre><div class=\"foo\">content</div></pre>" => "<pre><div class=\"foo\">content</div></pre>",
+ "<pre><div class=\"<foo\">content</div></pre>" => "<pre><div class=\"<foo\">content</div></pre>",
"<!-- opening comment" => "<p><!-- opening comment</p>",
# remove attributes including class
"<pre class='foo'>some text</pre>" => "<pre>some text</pre>",
|
