Merge branch 'release-v1.5.2' into stable-1.x

chiliproject · Aug 1, 2011 · 3f51825 · 3f51825
2 parents 9851ca9 + 3b86ace
commit 3f51825
Show file tree

Hide file tree

Showing 65 changed files with 110 additions and 106 deletions.
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -111,7 +111,7 @@ def link_to_revision(revision, project, options={})
     text = options.delete(:text) || format_revision(revision)
     rev = revision.respond_to?(:identifier) ? revision.identifier : revision
 
-    link_to(text, {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev},
+    link_to(h(text), {:controller => 'repositories', :action => 'revision', :id => project, :rev => rev},
             :title => l(:label_revision_id, format_revision(revision)))
   end
 
@@ -421,7 +421,7 @@ def page_header_title
   def html_title(*args)
     if args.empty?
       title = []
-      title << @project.name if @project
+      title << h(@project.name) if @project
       title += @html_title if @html_title
       title << Setting.app_title
       title.select {|t| !t.blank? }.join(' - ')
@@ -572,7 +572,7 @@ def parse_wiki_links(text, project, obj, attr, only_path, options)
               wiki_page_id = page.present? ? Wiki.titleize(page) : nil
               url_for(:only_path => only_path, :controller => 'wiki', :action => 'show', :project_id => link_project, :id => wiki_page_id, :anchor => anchor)
             end
-          link_to((title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new')))
+          link_to(h(title || page), url, :class => ('wiki-page' + (wiki_page ? '' : ' new')))
         else
           # project or wiki doesn't exist
           all
@@ -626,7 +626,7 @@ def parse_redmine_links(text, project, obj, attr, only_path, options)
         if prefix.nil? && sep == 'r'
           # project.changesets.visible raises an SQL error because of a double join on repositories
           if project && project.repository && (changeset = Changeset.visible.find_by_repository_id_and_revision(project.repository.id, identifier))
-            link = link_to("#{project_prefix}r#{identifier}", {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
+            link = link_to(h("#{project_prefix}r#{identifier}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.revision},
                                       :class => 'changeset',
                                       :title => truncate_single_line(changeset.comments, :length => 100))
           end
@@ -676,7 +676,7 @@ def parse_redmine_links(text, project, obj, attr, only_path, options)
             if project && project.repository && (changeset = Changeset.visible.find(:first, :conditions => ["repository_id = ? AND scmid LIKE ?", project.repository.id, "#{name}%"]))
               link = link_to h("#{project_prefix}#{name}"), {:only_path => only_path, :controller => 'repositories', :action => 'revision', :id => project, :rev => changeset.identifier},
                                            :class => 'changeset',
-                                           :title => truncate_single_line(changeset.comments, :length => 100)
+                                           :title => truncate_single_line(h(changeset.comments), :length => 100)
             end
           when 'source', 'export'
             if project && project.repository && User.current.allowed_to?(:browse_repository, project)
@@ -842,7 +842,7 @@ def context_menu_link(name, url, options={})
       options[:class] << ' disabled'
       url = '#'
     end
-    link_to name, url, options
+    link_to h(name), url, options
   end
 
   def calendar_for(field_id)

diff --git a/app/helpers/calendars_helper.rb b/app/helpers/calendars_helper.rb
@@ -36,7 +36,7 @@ def link_to_month(link_name, year, month, options={})
 
     link_target = calendar_path(:year => year, :month => month, :project_id => project_id)
 
-    link_to_remote(link_name,
+    link_to_remote(h(link_name),
                    {:update => "content", :url => link_target, :method => :put},
                    {:href => link_target})
 

diff --git a/app/helpers/custom_fields_helper.rb b/app/helpers/custom_fields_helper.rb
@@ -57,7 +57,7 @@ def custom_field_tag(name, custom_value)
 
   # Return custom field label tag
   def custom_field_label_tag(name, custom_value)
-    content_tag "label", custom_value.custom_field.name +
+    content_tag "label", h(custom_value.custom_field.name) +
 	(custom_value.custom_field.is_required? ? " <span class=\"required\">*</span>" : ""),
 	:for => "#{name}_custom_field_values_#{custom_value.custom_field.id}",
 	:class => (custom_value.errors.empty? ? nil : "error" )

diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
@@ -48,11 +48,11 @@ def render_issue_tooltip(issue)
 
     link_to_issue(issue) + "<br /><br />" +
       "<strong>#{@cached_label_project}</strong>: #{link_to_project(issue.project)}<br />" +
-      "<strong>#{@cached_label_status}</strong>: #{issue.status.name}<br />" +
+      "<strong>#{@cached_label_status}</strong>: #{h(issue.status.name)}<br />" +
       "<strong>#{@cached_label_start_date}</strong>: #{format_date(issue.start_date)}<br />" +
       "<strong>#{@cached_label_due_date}</strong>: #{format_date(issue.due_date)}<br />" +
-      "<strong>#{@cached_label_assigned_to}</strong>: #{issue.assigned_to}<br />" +
-      "<strong>#{@cached_label_priority}</strong>: #{issue.priority.name}"
+      "<strong>#{@cached_label_assigned_to}</strong>: #{h(issue.assigned_to)}<br />" +
+      "<strong>#{@cached_label_priority}</strong>: #{h(issue.priority.name)}"
   end
 
   def render_issue_subject_with_tree(issue)

diff --git a/app/helpers/queries_helper.rb b/app/helpers/queries_helper.rb
@@ -23,8 +23,8 @@ def operators_for_select(filter_type)
 
   def column_header(column)
     column.sortable ? sort_header_tag(column.name.to_s, :caption => column.caption,
-                                                        :default_order => column.default_order) : 
-                      content_tag('th', column.caption)
+                                                        :default_order => column.default_order) :
+                      content_tag('th', h(column.caption))
   end
 
   def column_content(column, issue)
@@ -45,7 +45,7 @@ def column_content(column, issue)
       if column.name == :done_ratio
         progress_bar(value, :width => '80px')
       else
-        value.to_s
+        h(value.to_s)
       end
     when 'User'
       link_to_user value

diff --git a/app/helpers/reports_helper.rb b/app/helpers/reports_helper.rb
@@ -31,6 +31,6 @@ def aggregate(data, criteria)
 
   def aggregate_link(data, criteria, *args)
     a = aggregate data, criteria
-    a > 0 ? link_to(a, *args) : '-'
-  end  
+    a > 0 ? link_to(h(a), *args) : '-'
+  end
 end
diff --git a/app/helpers/repositories_helper.rb b/app/helpers/repositories_helper.rb
@@ -87,7 +87,7 @@ def render_changes_tree(tree)
       if s = tree[file][:s]
         style << ' folder'
         path_param = to_path_param(@repository.relative_path(file))
-        text = link_to(text, :controller => 'repositories',
+        text = link_to(h(text), :controller => 'repositories',
                              :action => 'show',
                              :id => @project,
                              :path => path_param,
@@ -97,18 +97,18 @@ def render_changes_tree(tree)
       elsif c = tree[file][:c]
         style << " change-#{c.action}"
         path_param = to_path_param(@repository.relative_path(c.path))
-        text = link_to(text, :controller => 'repositories',
+        text = link_to(h(text), :controller => 'repositories',
                              :action => 'entry',
                              :id => @project,
                              :path => path_param,
                              :rev => @changeset.identifier) unless c.action == 'D'
-        text << " - #{c.revision}" unless c.revision.blank?
+        text << " - #{h(c.revision)}" unless c.revision.blank?
         text << ' (' + link_to('diff', :controller => 'repositories',
                                        :action => 'diff',
                                        :id => @project,
                                        :path => path_param,
                                        :rev => @changeset.identifier) + ') ' if c.action == 'M'
-        text << ' ' + content_tag('span', c.from_path, :class => 'copied-from') unless c.from_path.blank?
+        text << ' ' + content_tag('span', h(c.from_path), :class => 'copied-from') unless c.from_path.blank?
         output << "<li class='#{style}'>#{text}</li>"
       end
     end

diff --git a/app/helpers/search_helper.rb b/app/helpers/search_helper.rb
@@ -57,7 +57,7 @@ def render_results_by_type(results_by_type)
       c = results_by_type[t]
       next if c == 0
       text = "#{type_label(t)} (#{c})"
-      links << link_to(text, :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1)
+      links << link_to(h(text), :q => params[:q], :titles_only => params[:title_only], :all_words => params[:all_words], :scope => params[:scope], t => 1)
     end
     ('<ul>' + links.map {|link| content_tag('li', link)}.join(' ') + '</ul>') unless links.empty?
   end

diff --git a/app/helpers/sort_helper.rb b/app/helpers/sort_helper.rb
@@ -206,7 +206,7 @@ def sort_link(column, caption, default_order)
      # Add project_id to url_options
     url_options = url_options.merge(:project_id => params[:project_id]) if params.has_key?(:project_id)
 
-    link_to_remote(caption,
+    link_to_remote(h(caption),
                   {:update => "content", :url => url_options, :method => :get},
                   {:href => url_for(url_options),
                    :class => css})

diff --git a/app/helpers/timelog_helper.rb b/app/helpers/timelog_helper.rb
@@ -129,7 +129,7 @@ def format_criteria_value(criteria, value)
     elsif k = @available_criterias[criteria][:klass]
       obj = k.find_by_id(value.to_i)
       if obj.is_a?(Issue)
-        obj.visible? ? "#{obj.tracker} ##{obj.id}: #{obj.subject}" : "##{obj.id}"
+        obj.visible? ? h("#{obj.tracker} ##{obj.id}: #{obj.subject}") : h("##{obj.id}")
       else
         obj
       end

diff --git a/app/views/activities/index.html.erb b/app/views/activities/index.html.erb
@@ -12,7 +12,7 @@
   <%= content_tag('span', h(e.project), :class => 'project') if @project.nil? || @project != e.project %>
   <%= link_to format_activity_title(e.event_title), e.event_url %></dt>
   <dd><span class="description"><%= format_activity_description(e.event_description) %></span>
-  <span class="author"><%= e.event_author if e.respond_to?(:event_author) %></span></dd>
+  <span class="author"><%= link_to_user(e.event_author) if e.respond_to?(:event_author) %></span></dd>
 <% end -%>
 </dl>
 <% end -%>

diff --git a/app/views/attachments/_links.rhtml b/app/views/attachments/_links.rhtml
@@ -11,7 +11,7 @@
                                          :title => l(:button_delete) %>
   <% end %>
   <% if options[:author] %>
-    <span class="author"><%= attachment.author %>, <%= format_time(attachment.created_on) %></span>
+    <span class="author"><%= h(attachment.author) %>, <%= format_time(attachment.created_on) %></span>
   <% end %>
   </p>
 <% end %>

diff --git a/app/views/attachments/diff.rhtml b/app/views/attachments/diff.rhtml
@@ -2,15 +2,15 @@
 
 <div class="attachments">
 <p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %>
-   <span class="author"><%= @attachment.author %>, <%= format_time(@attachment.created_on) %></span></p>
+   <span class="author"><%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %></span></p>
 <p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%>
    <span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p>
 
 </div>
 &nbsp;
 <%= render :partial => 'common/diff', :locals => {:diff => @diff, :diff_type => @diff_type} %>
 
-<% html_title @attachment.filename %>
+<% html_title h(@attachment.filename) %>
 
 <% content_for :header_tags do -%>
     <%= stylesheet_link_tag "scm" -%>

diff --git a/app/views/attachments/file.rhtml b/app/views/attachments/file.rhtml
@@ -2,15 +2,15 @@
 
 <div class="attachments">
 <p><%= h("#{@attachment.description} - ") unless @attachment.description.blank? %>
-   <span class="author"><%= @attachment.author %>, <%= format_time(@attachment.created_on) %></span></p>
+   <span class="author"><%= link_to_user(@attachment.author) %>, <%= format_time(@attachment.created_on) %></span></p>
 <p><%= link_to_attachment @attachment, :text => l(:button_download), :download => true -%>
    <span class="size">(<%= number_to_human_size @attachment.filesize %>)</span></p>
 
 </div>
 &nbsp;
 <%= render :partial => 'common/file', :locals => {:content => @content, :filename => @attachment.filename} %>
 
-<% html_title @attachment.filename %>
+<% html_title h(@attachment.filename) %>
 
 <% content_for :header_tags do -%>
     <%= stylesheet_link_tag "scm" -%>

diff --git a/app/views/auth_sources/edit.rhtml b/app/views/auth_sources/edit.rhtml
@@ -1,4 +1,4 @@
-<h2><%=l(:label_auth_source)%> (<%= @auth_source.auth_method_name %>)</h2>
+<h2><%=l(:label_auth_source)%> (<%= h(@auth_source.auth_method_name) %>)</h2>
 
 <% form_tag({:action => 'update', :id => @auth_source}, :class => "tabular") do %>
   <%= render :partial => 'form' %>

diff --git a/app/views/auth_sources/new.rhtml b/app/views/auth_sources/new.rhtml
@@ -1,4 +1,4 @@
-<h2><%=l(:label_auth_source_new)%> (<%= @auth_source.auth_method_name %>)</h2>
+<h2><%=l(:label_auth_source_new)%> (<%= h(@auth_source.auth_method_name) %>)</h2>
 
 <% form_tag({:action => 'create'}, :class => "tabular") do %>
   <%= render :partial => 'form' %>

diff --git a/app/views/boards/show.rhtml b/app/views/boards/show.rhtml
@@ -43,7 +43,7 @@
   <% @topics.each do |topic| %>
     <tr class="message <%= cycle 'odd', 'even' %> <%= topic.sticky? ? 'sticky' : '' %> <%= topic.locked? ? 'locked' : '' %>">
       <td class="subject"><%= link_to h(topic.subject), { :controller => 'messages', :action => 'show', :board_id => @board, :id => topic } %></td>
-      <td class="author" align="center"><%= topic.author %></td>
+      <td class="author" align="center"><%= link_to_user(topic.author) %></td>
       <td class="created_on" align="center"><%= format_time(topic.created_on) %></td>
       <td class="replies" align="center"><%= topic.replies_count %></td>
       <td class="last_message">

diff --git a/app/views/common/_diff.rhtml b/app/views/common/_diff.rhtml
@@ -4,7 +4,7 @@
 <% if diff_type == 'sbs' -%>
 <table class="filecontent">
 <thead>
-<tr><th colspan="4" class="filename"><%=to_utf8 table_file.file_name %></th></tr>
+<tr><th colspan="4" class="filename"><%=h(to_utf8(table_file.file_name)) %></th></tr>
 </thead>
 <tbody>
 <% prev_line_left, prev_line_right = nil, nil -%>
@@ -31,7 +31,7 @@
 <% else -%>
 <table class="filecontent syntaxhl">
 <thead>
-<tr><th colspan="3" class="filename"><%=to_utf8 table_file.file_name %></th></tr>
+<tr><th colspan="3" class="filename"><%= h(to_utf8(table_file.file_name)) %></th></tr>
 </thead>
 <tbody>
 <% prev_line_left, prev_line_right = nil, nil -%>

diff --git a/app/views/common/error.html.erb b/app/views/common/error.html.erb
@@ -1,6 +1,6 @@
-<h2><%=h @status %></h2>
-
-<p id="errorExplanation"><%=h @message %></p>
-<p><a href="javascript:history.back()">Back</a></p>
-
-<% html_title @status %>
+<h2><%=h @status %></h2>
+
+<p id="errorExplanation"><%=h @message %></p>
+<p><a href="javascript:history.back()">Back</a></p>
+
+<% html_title h(@status) %>
diff --git a/app/views/custom_fields/_form.rhtml b/app/views/custom_fields/_form.rhtml
@@ -74,7 +74,7 @@ when "IssueCustomField" %>
 
     <fieldset><legend><%=l(:label_tracker_plural)%></legend>
     <% for tracker in @trackers %>
-        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= tracker.name %>
+        <%= check_box_tag "custom_field[tracker_ids][]", tracker.id, (@custom_field.trackers.include? tracker) %> <%= h(tracker.name) %>
     <% end %>
 		<%= hidden_field_tag "custom_field[tracker_ids][]", '' %>
     </fieldset>

diff --git a/app/views/custom_fields/_index.rhtml b/app/views/custom_fields/_index.rhtml
@@ -13,7 +13,7 @@
   <tbody>
 	<% (@custom_fields_by_type[tab[:name]] || []).sort.each do |custom_field| -%>
 		<tr class="<%= cycle("odd", "even") %>">
-			<td><%= link_to custom_field.name, :action => 'edit', :id => custom_field %></td>
+			<td><%= link_to h(custom_field.name), :action => 'edit', :id => custom_field %></td>
 			<td align="center"><%= l(Redmine::CustomFieldFormat.label_for(custom_field.field_format)) %></td>
 			<td align="center"><%= checked_image custom_field.is_required? %></td>
 			<% if tab[:name] == 'IssueCustomField' %>

diff --git a/app/views/documents/show.rhtml b/app/views/documents/show.rhtml
@@ -25,7 +25,7 @@
   <% end %> 
 <% end %>
 
-<% html_title @document.title -%>
+<% html_title h(@document.title) -%>
 
 <% content_for :header_tags do %>
     <%= stylesheet_link_tag 'scm' %>

diff --git a/app/views/gantts/show.html.erb b/app/views/gantts/show.html.erb
@@ -101,7 +101,7 @@ height = (show_weeks ? header_heigth : header_heigth + g_height)
 	width = ((month_f >> 1) - month_f) * zoom - 1
 	%>
 	<div style="left:<%= left %>px;width:<%= width %>px;height:<%= height %>px;" class="gantt_hdr">
-	<%= link_to "#{month_f.year}-#{month_f.month}", @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%>
+	<%= link_to h("#{month_f.year}-#{month_f.month}"), @gantt.params.merge(:year => month_f.year, :month => month_f.month), :title => "#{month_name(month_f.month)} #{month_f.year}"%>
 	</div>
 	<% 
 	left = left + width + 1

diff --git a/app/views/issue_statuses/index.html.erb b/app/views/issue_statuses/index.html.erb
@@ -19,7 +19,7 @@
   <tbody>  
 <% for status in @issue_statuses %>
   <tr class="<%= cycle("odd", "even") %>">
-  <td><%= link_to status.name, :action => 'edit', :id => status %></td>
+  <td><%= link_to h(status.name), :action => 'edit', :id => status %></td>
   <% if Issue.use_status_for_done_ratio? %>
   <td align="center"><%= h status.default_done_ratio %></td>
   <% end %>

diff --git a/app/views/issues/_attributes.rhtml b/app/views/issues/_attributes.rhtml
@@ -4,7 +4,7 @@
 <% if @issue.new_record? || @allowed_statuses.any? %>
 <p><%= f.select :status_id, (@allowed_statuses.collect {|p| [p.name, p.id]}), :required => true %></p>
 <% else %>
-<p><label><%= l(:field_status) %></label> <%= @issue.status.name %></p>
+<p><label><%= l(:field_status) %></label> <%= h(@issue.status.name) %></p>
 <% end %>
 
 <p><%= f.select :priority_id, (@priorities.collect {|p| [p.name, p.id]}), {:required => true}, :disabled => !@issue.leaf? %></p>

diff --git a/app/views/issues/_list_simple.rhtml b/app/views/issues/_list_simple.rhtml
@@ -9,10 +9,10 @@
 		</tr></thead>
 		<tbody>	
 		<% for issue in issues %>
-		<tr id="issue-<%= issue.id %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %>">
+		<tr id="issue-<%= h(issue.id) %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %>">
 			<td class="id">
 			  <%= check_box_tag("ids[]", issue.id, false, :style => 'display:none;') %>
-				<%= link_to issue.id, :controller => 'issues', :action => 'show', :id => issue %>
+				<%= link_to(h(issue.id), :controller => 'issues', :action => 'show', :id => issue) %>
 			</td>
 			<td class="project"><%= link_to_project(issue.project) %></td>
 			<td class="tracker"><%=h issue.tracker %></td>

diff --git a/app/views/issues/_relations.rhtml b/app/views/issues/_relations.rhtml
@@ -14,7 +14,7 @@
     <%= h(relation.other_issue(@issue).project) + ' - ' if Setting.cross_project_issue_relations? %>
     <%= link_to_issue(relation.other_issue(@issue), :truncate => 60) %>
 </td>
-<td><%= relation.other_issue(@issue).status.name %></td>
+<td><%= h(relation.other_issue(@issue).status.name) %></td>
 <td><%= format_date(relation.other_issue(@issue).start_date) %></td>
 <td><%= format_date(relation.other_issue(@issue).due_date) %></td>
 <td><%= link_to_remote(image_tag('delete.png'), { :url => {:controller => 'issue_relations', :action => 'destroy', :issue_id => @issue, :id => relation},                                              

diff --git a/app/views/issues/index.rhtml b/app/views/issues/index.rhtml
@@ -6,7 +6,7 @@
 </div>
 
 <h2><%= @query.new_record? ? l(:label_issue_plural) : h(@query.name) %></h2>
-<% html_title(@query.new_record? ? l(:label_issue_plural) : @query.name) %>
+<% html_title(@query.new_record? ? l(:label_issue_plural) : h(@query.name)) %>
 
 <% form_tag({ :controller => 'queries', :action => 'new' }, :id => 'query_form') do %>
     <%= hidden_field_tag('project_id', @project.to_param) if @project %>

diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml
@@ -113,7 +113,7 @@
 	<%= f.link_to 'PDF' %>
 <% end %>
 
-<% html_title "#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}" %>
+<% html_title h("#{@issue.tracker.name} ##{@issue.id}: #{@issue.subject}") %>
 
 <% content_for :sidebar do %>
   <%= render :partial => 'issues/sidebar' %>

diff --git a/app/views/mailer/account_activated.text.html.rhtml b/app/views/mailer/account_activated.text.html.rhtml
@@ -1,2 +1,2 @@
 <p><%= l(:notice_account_activated) %></p>
-<p><%= l(:label_login) %>: <%= link_to @login_url, @login_url %></p>
+<p><%= l(:label_login) %>: <%= link_to h(@login_url), @login_url %></p>
diff --git a/app/views/mailer/account_activation_request.text.html.rhtml b/app/views/mailer/account_activation_request.text.html.rhtml
@@ -1,2 +1,2 @@
 <p><%= l(:mail_body_account_activation_request, h(@user.login)) %></p>
-<p><%= link_to @url, @url %></p>
+<p><%= link_to h(@url), @url %></p>
diff --git a/app/views/mailer/attachments_added.text.html.rhtml b/app/views/mailer/attachments_added.text.html.rhtml
@@ -1,4 +1,4 @@
-<%= link_to @added_to, @added_to_url %><br />
+<%= link_to h(@added_to), @added_to_url %><br />
 
 <ul><% @attachments.each do |attachment | %>
 <li><%=h attachment.filename %></li>

diff --git a/app/views/mailer/reminder.text.html.rhtml b/app/views/mailer/reminder.text.html.rhtml
@@ -2,7 +2,7 @@
 
 <ul>
 <% @issues.each do |issue| -%>
-  <li><%=h issue.project %> - <%=link_to("#{issue.tracker} ##{issue.id}", :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %></li>
+  <li><%=h issue.project %> - <%=link_to(h("#{issue.tracker} ##{issue.id}"), :controller => 'issues', :action => 'show', :id => issue, :only_path => false)%>: <%=h issue.subject %></li>
 <% end -%>
 </ul>