
Fix double escaping of problem title in list view #791

Merged

Conversation

felixbuenemann
Contributor

Without this change, the truncated text, which is already html escaped gets escaped again in the map block.

@TeatroIO

TeatroIO commented Jan 5, 2015

I've prepared a stage. Click to open.

@shingara
Member

shingara commented Jan 5, 2015

Do you have a failure example? This PR can introduce some security issue too :(

@felixbuenemann
Contributor Author

@shingara how can it introduce a security issue? The text is always escaped in the map block using the h helper. So because truncate already adds HTML escaping, content is escaped twice.
E.g. ' -> &#39; -> &amp;#39;

@shingara
Member

shingara commented Jan 5, 2015

OK, you're right.

@arthurnn
Member

arthurnn commented Jan 6, 2015

Can you add a test case for this? Thanks.

Also added a spec to test for double escaping which fails without the
changes to truncated_problem_message.
@felixbuenemann
Contributor Author

OK, added a spec to check for double escaping that will fail without the changes:

Failures:

  1) ProblemsHelper#truncated_problem_message does not double escape html
     Failure/Error: expect(truncated).to_not include('&')
       expected "#<NoMethodError: ...&gt;" not to include "&"
     # ./spec/helpers/problems_helper_spec.rb:16:in `block (3 levels) in <top (required)>'

You can test by setting truncate(…, escape: true) in truncated_problem_message.
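The double escaping discussed above, as an added example that is not Errbit's code: a minimal stand-in for Rails' `truncate` helper (which escapes its output by default, `escape: true`) and an explicit `h`, both built on the stdlib `ERB::Util.html_escape`. The sample error title is constructed. One caveat: the stdlib escaper has no `html_safe` tracking, so unlike Rails it re-escapes unconditionally; that is enough to show the `' -> &#39; -> &amp;#39;` chain from the earlier comment and the spec's check that the helper output itself contains no `&`.

```ruby
require 'erb' # ERB::Util.html_escape: the same mapping Rails' h helper applies

# Constructed sample title; it contains '<' and '>' which HTML-escaping rewrites.
SAMPLE_TITLE = "#<NoMethodError: undefined method `foo' for nil>"

# Stand-in for Rails' truncate helper (hypothetical, not Errbit's or Rails' code):
# cut at `length` characters, append the omission, and, like Rails, HTML-escape
# the result unless escape: false is passed.
def truncate(text, length: 30, omission: '...', escape: true)
  out = text.length > length ? text[0, length - omission.length] + omission : text
  escape ? ERB::Util.html_escape(out) : out
end

# The view's h helper, modelled explicitly so both escaping layers are visible.
def h(text)
  ERB::Util.html_escape(text)
end

# Before the fix: the helper hands back already-escaped text.
def truncated_problem_message_before(title)
  truncate(title, length: 20) # escape: true is the default
end

# After the fix: the helper returns raw text and leaves escaping to the view.
def truncated_problem_message_after(title)
  truncate(title, length: 20, escape: false)
end

# What reaches the browser once the view applies h to the helper's output.
def rendered_before(title)
  h(truncated_problem_message_before(title))
end

def rendered_after(title)
  h(truncated_problem_message_after(title))
end

# Mirror of the spec's assertion: helper output must not already carry entities.
def helper_output_pre_escaped?(helper_output)
  helper_output.include?('&')
end

# Each escaping pass applied to a single character, e.g. the apostrophe.
def escape_chain(str)
  [str, h(str), h(h(str))]
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix, helper: #{truncated_problem_message_before(SAMPLE_TITLE)}"
  puts "before fix, view:   #{rendered_before(SAMPLE_TITLE)}"
  puts "after fix,  helper: #{truncated_problem_message_after(SAMPLE_TITLE)}"
  puts "after fix,  view:   #{rendered_after(SAMPLE_TITLE)}"
  puts "apostrophe chain:   #{escape_chain("'").join(' -> ')}"
end
```

The rendered output before the fix carries `&amp;lt;`, which a browser displays literally as `&lt;`; after the fix the view escapes exactly once and the browser shows `<`. The same single escaping layer is what keeps the output safe, so removing the helper's own escaping does not weaken it as long as the view still applies `h`.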

@shingara
Member

shingara commented Jan 6, 2015

great thanks 👍

arthurnn added a commit that referenced this pull request Jan 6, 2015
…escape

Fix double escaping of problem title in list view
@arthurnn arthurnn merged commit 0d7395a into errbit:master Jan 6, 2015
@arthurnn
Member

arthurnn commented Jan 6, 2015

awesome. thanks!

@felixbuenemann felixbuenemann deleted the fix-problem-title-double-escape branch January 6, 2015 21:59