From 9fa8f63d25a1bd1b2ce17c5dc610680aefa290fe Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Fri, 29 Apr 2016 18:43:57 -0400
Subject: [PATCH] Fixed improper Markdown escaping for some tooltips

---
 ChangeLog | 1 +
 app/Helper/TextHelper.php | 12 ++++++++++++
 app/Template/app/projects.php | 2 +-
 app/Template/board/table_column.php | 2 +-
 app/Template/board/task_footer.php | 4 ++--
 app/Template/column/index.php | 2 +-
 app/Template/header.php | 2 +-
 app/Template/project/index.php | 2 +-
 app/Template/project/show.php | 2 +-
 app/Template/swimlane/table.php | 2 +-
 tests/units/Helper/TextHelperTest.php | 8 ++++++++
 11 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3246ec9884..d109c1981d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,6 +22,7 @@ Improvements:
 Bug fixes:
+* Fixed improper Markdown escaping for some tooltips
 * Closing all tasks by column, also update closed tasks
 * Fixed wrong task link generation within Markdown text
 * Fixed wrong URL on comment toggle link for sorting
diff --git a/app/Helper/TextHelper.php b/app/Helper/TextHelper.php
index 97b12c49d1..654eb171c9 100644
--- a/app/Helper/TextHelper.php
+++ b/app/Helper/TextHelper.php
@@ -38,6 +38,18 @@ public function markdown($text, $isPublicLink = false)
 return $parser->text($text);
 }
+ /**
+ * Escape Markdown text that need to be stored in HTML attribute
+ *
+ @access public
+ * @param string $text
+ * @return mixed
+ */
+ public function markdownAttribute($text)
+ {
+ return htmlentities($this->markdown($text), ENT_QUOTES, 'UTF-8');
+ }
+
 /**
 * Format a file size
 *
diff --git a/app/Template/app/projects.php b/app/Template/app/projects.php
index 4ab8b1065f..733a108d6c 100644
--- a/app/Template/app/projects.php
+++ b/app/Template/app/projects.php
@@ -31,7 +31,7 @@ url->link($this->text->e($project['name']), 'board', 'show', array('project_id' => $project['id'])) ?> - '> +
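Review bot: The docblock on the new `markdownAttribute()` declares `@return mixed` although the method always returns the string produced by `htmlentities()`, so it should read `@return string`, and the summary `Escape Markdown text that need to be stored in HTML attribute` should say `Escape rendered Markdown output that needs to be stored in an HTML attribute`, since it is the HTML from `markdown()` that gets escaped, not the Markdown source. The escaping itself fits an attribute context: `ENT_QUOTES` covers both quote styles and the value is encoded once before the templates put it in the attribute. `htmlentities()` additionally rewrites every non-ASCII character that has a named entity, which is more than attribute safety requires; `htmlspecialchars()` with the same flags escapes only the five significant characters, and if the `$this->text->e()` helper the templates already use wraps it, reusing that helper would keep the escaping policy in one place. A one-line note that this method only makes the attribute well-formed, and that whatever later decodes the attribute back into tooltip HTML still depends on `markdown()` emitting safe HTML, would help the next maintainer; `markdown()` begins above this hunk.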
diff --git a/app/Template/board/table_column.php b/app/Template/board/table_column.php
index 48538c88bc..24abdf9995 100644
--- a/app/Template/board/table_column.php
+++ b/app/Template/board/table_column.php
@@ -47,7 +47,7 @@ - '> +
diff --git a/app/Template/board/task_footer.php b/app/Template/board/task_footer.php
index a9d381a30f..dd154140e8 100644
--- a/app/Template/board/task_footer.php
+++ b/app/Template/board/task_footer.php
@@ -11,7 +11,7 @@ array('task_id' => $task['id'], 'project_id' => $task['project_id']), false, 'popover' . (! empty($task['category_description']) ? ' tooltip' : ''),
- ! empty($task['category_description']) ? $this->text->markdown($task['category_description']) : t('Change category')
+ ! empty($task['category_description']) ? $this->text->markdownAttribute($task['category_description']) : t('Change category')
 ) ?>
@@ -76,7 +76,7 @@ - + hook->render('template:board:task:icons', array('task' => $task)) ?> task->formatPriority($project, $task) ?>
diff --git a/app/Template/column/index.php b/app/Template/column/index.php
index eef176f30f..6bc67c5aa8 100644
--- a/app/Template/column/index.php
+++ b/app/Template/column/index.php
@@ -28,7 +28,7 @@ class="columns-table table-stripped" text->e($column['title']) ?> - '> +
diff --git a/app/Template/header.php b/app/Template/header.php
index a8fd47f296..3885e6717e 100644
--- a/app/Template/header.php
+++ b/app/Template/header.php
@@ -8,7 +8,7 @@ text->e($title) ?> - +
diff --git a/app/Template/project/index.php b/app/Template/project/index.php
index 10d4aaa289..0194672a59 100644
--- a/app/Template/project/index.php
+++ b/app/Template/project/index.php
@@ -49,7 +49,7 @@ - '> +
diff --git a/app/Template/project/show.php b/app/Template/project/show.php
index 42eeec4d42..4aba49194e 100644
--- a/app/Template/project/show.php
+++ b/app/Template/project/show.php
@@ -63,7 +63,7 @@ text->e($column['title']) ?> - '> +
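Review bot: In the `@@ -11,7` hunk of task_footer.php the fourth argument of `url->link()` (presumably the title/tooltip text) is now escaped only on the Markdown branch, while the `t('Change category')` fallback is still passed through raw; that is only consistent if `url->link()` inserts that argument into the attribute verbatim, which the switch to `markdownAttribute()` suggests, because a link helper that escaped it would now double-encode the Markdown branch. If that is the contract, a comment on the argument such as `// url->link() does not escape this value, so it must already be attribute-safe` would stop the next reader from adding a second layer; if `url->link()` does escape, the Markdown branch is double-encoded and the fix belongs in the helper instead. The `url->link()` call begins before this hunk, and the same substitution appears in the `@@ -76,7` hunk of this file and in the other template hunks, whose changed lines are not fully visible in this view.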
diff --git a/app/Template/swimlane/table.php b/app/Template/swimlane/table.php
index 17be692478..ec3cb62108 100644
--- a/app/Template/swimlane/table.php
+++ b/app/Template/swimlane/table.php
@@ -45,7 +45,7 @@ class="swimlanes-table table-stripped" text->e($swimlane['name']) ?> - '> +
diff --git a/tests/units/Helper/TextHelperTest.php b/tests/units/Helper/TextHelperTest.php
index c6b55d0e48..2787abf231 100644
--- a/tests/units/Helper/TextHelperTest.php
+++ b/tests/units/Helper/TextHelperTest.php
@@ -51,6 +51,14 @@ public function testMarkdownUserLink()
 $this->assertEquals('

Text @admin @notfound

', $h->markdown('Text @admin @notfound', true));
 }
+ public function testMarkdownAttribute()
+ {
+ $helper = new TextHelper($this->container);
+ $this->assertEquals('<p>Ça marche</p>', $helper->markdownAttribute('Ça marche'));
+ $this->assertEquals('<p>Test with &quot;double quotes&quot;</p>', $helper->markdownAttribute('Test with "double quotes"'));
+ $this->assertEquals('<p>Test with 'single quotes'</p>', $helper->markdownAttribute("Test with 'single quotes'"));
+ }
+
 public function testFormatBytes()
 {
 $h = new TextHelper($this->container);
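Review bot: `testMarkdownAttribute()` names its helper `$helper` while the neighbouring tests in this hunk (`testMarkdownUserLink`, `testFormatBytes`) use `$h = new TextHelper($this->container);`; keeping the same name reads more consistently. The three cases cover the wrapping paragraph tags and both quote styles, which is the attribute-context behaviour the fix depends on. One more case whose input contains a literal `<` or `&` would pin down that characters the Markdown parser itself escapes are encoded exactly once in the attribute value and not doubled, which is the regression most likely to slip in if the escaping layer is changed later.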