Escape href attribute in auto links (#5179).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3612 e93f8b46-1217-0410-a6f0-8f06a7374b81
2010-03-24 20:26:22 +00:00 · 2010-03-24 20:26:22 +00:00 · 8cdcf308be
parent 84dfff5957
commit 8cdcf308be
3 changed files with 10 additions and 4 deletions
--- a/lib/redcloth3.rb
+++ b/lib/redcloth3.rb
@ -825,7 +825,7 @@ class RedCloth3 < String
              post = ")"+post # add closing parenth to post
            end
            atts = pba( atts )
-            atts = " href=\"#{ url }#{ slash }\"#{ atts }"
+            atts = " href=\"#{ htmlesc url }#{ slash }\"#{ atts }"
            atts << " title=\"#{ htmlesc title }\"" if title
            atts = shelve( atts ) if atts
            
--- a/lib/redmine/wiki_formatting/textile/formatter.rb
+++ b/lib/redmine/wiki_formatting/textile/formatter.rb
@ -21,6 +21,7 @@ module Redmine
  module WikiFormatting
    module Textile
      class Formatter < RedCloth3
+        include ActionView::Helpers::TagHelper
        
        # auto_link rule after textile rules so that it doesn't break !image_url! tags
        RULES = [:textile, :block_markdown_rule, :inline_auto_link, :inline_auto_mailto, :inline_toc]
@ -134,7 +135,8 @@ module Redmine
                url=url[0..-2] # discard closing parenth from url
                post = ")"+post # add closing parenth to post
              end
-              %(#{leading}<a class="external" href="#{proto=="www."?"http://www.":proto}#{url}">#{proto + url}</a>#{post})
+              tag = content_tag('a', proto + url, :href => "#{proto=="www."?"http://www.":proto}#{url}", :class => 'external')
+              %(#{leading}#{tag}#{post})
            end
          end
        end
@ -146,7 +148,7 @@ module Redmine
            if text.match(/<a\b[^>]*>(.*)(#{Regexp.escape(mail)})(.*)<\/a>/)
              mail
            else
-              %{<a href="mailto:#{mail}" class="email">#{mail}</a>}
+              content_tag('a', mail, :href => "mailto:#{mail}", :class => "email")
            end
          end
        end
--- a/test/unit/helpers/application_helper_test.rb
+++ b/test/unit/helpers/application_helper_test.rb
@ -60,12 +60,14 @@ class ApplicationHelperTest < HelperTestCase
      'sftp://foo.bar' => '<a class="external" href="sftp://foo.bar">sftp://foo.bar</a>',
      # two exclamation marks
      'http://example.net/path!602815048C7B5C20!302.html' => '<a class="external" href="http://example.net/path!602815048C7B5C20!302.html">http://example.net/path!602815048C7B5C20!302.html</a>',
+      # escaping
+      'http://foo"bar' => '<a class="external" href="http://foo&quot;bar">http://foo"bar</a>',
    }
    to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
  end
  
  def test_auto_mailto
-    assert_equal '<p><a href="mailto:test@foo.bar" class="email">test@foo.bar</a></p>', 
+    assert_equal '<p><a class="email" href="mailto:test@foo.bar">test@foo.bar</a></p>', 
      textilizable('test@foo.bar')
  end
  
@ -130,6 +132,8 @@ RAW
      "\"system administrator\":mailto:sysadmin@example.com?subject=redmine%20permissions" => "<a href=\"mailto:sysadmin@example.com?subject=redmine%20permissions\">system administrator</a>",
      # two exclamation marks
      '"a link":http://example.net/path!602815048C7B5C20!302.html' => '<a href="http://example.net/path!602815048C7B5C20!302.html" class="external">a link</a>',
+      # escaping
+      '"test":http://foo"bar' => '<a href="http://foo&quot;bar" class="external">test</a>',
    }
    to_test.each { |text, result| assert_equal "<p>#{result}</p>", textilizable(text) }
  end