diff --git a/CHANGELOG b/CHANGELOG
index aeade934b469df15d3bd24ccc9bbc62e4b307b33..f8ae187348d0111962020ccde8649e9751d5ef1f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -21,6 +21,7 @@ v 8.8.0 (unreleased)
   - Update SVG sanitizer to conform to SVG 1.1
   - Updated search UI
   - Display informative message when new milestone is created
+  - Sanitize milestones and labels titles
   - Allow "NEWS" and "CHANGES" as alternative names for CHANGELOG. !3768 (Connor Shea)
   - Added button to toggle whitespaces changes on diff view
   - Backport GitHub Enterprise import support from EE
diff --git a/app/models/label.rb b/app/models/label.rb
index 9a22398d9523f4809b178721196f4a97cc13e9f1..8a24a6e69b3f82a17f69db6fa5d3f2753da20cd7 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -117,6 +117,10 @@ class Label < ActiveRecord::Base
     LabelsHelper::text_color_for_bg(self.color)
   end
 
+  def title=(value)
+    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+  end
+
   private
 
   def label_format_reference(format = :id)
diff --git a/app/models/milestone.rb b/app/models/milestone.rb
index 5ee8a965ad8beafc090652ffcbbb457445a24f8e..b19935cad6f3c044d5c65c261d67978fe111ed0a 100644
--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@@ -129,6 +129,10 @@ class Milestone < ActiveRecord::Base
     nil
   end
 
+  def title=(value)
+    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+  end
+
   # Sorts the issues for the given IDs.
   #
   # This method runs a single SQL query using a CASE statement to update the
diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
index ebf3d7489b53ad71e44d0055fb3525804d80176b..5beb61dac5cccc12231ac3e50b43553b74eeac94 100644
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
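Review bot: The new `title=` setter in app/models/label.rb skips the write entirely when `value` is blank, so `label.title = nil` or `label.title = ""` silently keeps the previous title instead of clearing it, and a presence validation on title never sees the blank assignment; the identical setter added to app/models/milestone.rb has the same problem. Writing unconditionally and sanitizing only non-blank input keeps normal assignment semantics: `write_attribute(:title, value.present? ? Sanitize.clean(value.to_s) : value)`. The method also deserves a one-line comment stating its intent, e.g. `# Strip HTML from the title on assignment; views must still escape it on output.`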
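Review bot: In app/models/milestone.rb the stored value is the output of `Sanitize.clean`, which, as far as I recall of the Sanitize gem, returns HTML-encoded text, so a plain-text title such as `Tom & Jerry` or `a < b` would be persisted as `Tom &amp; Jerry` / `a &lt; b` and then escaped a second time by the view layer, showing literal entities to the user. Input sanitization here is defence in depth, not a replacement for output escaping, so it is worth confirming the rendering path still escapes and deciding whether entity-encoding on storage is acceptable. Note also that the setter only runs for assignments that go through the attribute writer; as far as I can tell `update_column`/`update_columns` bypass it, and rows that already hold markup keep it, since the commit adds no data migration for existing titles.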
@@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
milestone.update_attribute(:title, %{">whateverwhatever" end it 'includes default classes' do
diff --git a/spec/models/label_spec.rb b/spec/models/label_spec.rb
index 0614ca1e7c93d529ed43e85d47738500f334c0f4..b61c55a3f6d150962922f9c38cc37ad753971112 100644
--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@@ -55,6 +55,14 @@ describe Label, models: true do
     end
   end
 
+  describe "#title" do
+    let(:label) { create(:label, title: "test") }
+
+    it "sanitizes title" do
+      expect(label.title).to eq("test")
+    end
+  end
+
   describe '#to_reference' do
     context 'using id' do
       it 'returns a String reference to the object' do
diff --git a/spec/models/milestone_spec.rb b/spec/models/milestone_spec.rb
index 72a4ea702281ae5d8dd3b8fbe2c6e86768e1821b..e2c89a4b3e62ebcb0afcc10350c56b3dfd6af046 100644
--- a/spec/models/milestone_spec.rb
+++ b/spec/models/milestone_spec.rb
@@ -34,6 +34,14 @@ describe Milestone, models: true do
   let(:issue) { create(:issue) }
   let(:user) { create(:user) }
 
+  describe "#title" do
+    let(:milestone) { create(:milestone, title: "test") }
+
+    it "sanitizes title" do
+      expect(milestone.title).to eq("test")
+    end
+  end
+
   describe "unique milestone title per project" do
     it "shouldn't accept the same title in a project twice" do
       new_milestone = Milestone.new(project: milestone.project, title: milestone.title)
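Review bot: The new `it "sanitizes title"` example in spec/models/label_spec.rb feeds a title with no markup at all, so it passes with or without the sanitizer and proves nothing about the behaviour the commit introduces; the same applies to the example added in spec/models/milestone_spec.rb. Use a fixture that actually contains a tag and keep the plain-text expectation, e.g. `let(:label) { create(:label, title: "<b>test</b>") }` with `expect(label.title).to eq("test")`, and consider a second example that a blank assignment behaves as expected. As a style point, these examples use double-quoted `describe "#title"` while the surrounding label_spec uses single quotes (`describe '#to_reference'`). The milestone_reference_filter_spec hunk above is garbled in this view and cannot be reviewed.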