From 1ff896f2bf5d06d0d772fd0df98bf43edf107373 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alejandro=20Rodr=C3=ADguez?=
Date: Mon, 4 Apr 2016 23:09:44 -0300
Subject: [PATCH] Escaping the `object_link_text` on cross project milestone references
---
 lib/banzai/filter/milestone_reference_filter.rb | 2 +-
 spec/lib/banzai/filter/milestone_reference_filter_spec.rb | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/banzai/filter/milestone_reference_filter.rb b/lib/banzai/filter/milestone_reference_filter.rb
index 556087c4880..aea1abf3b8e 100644
--- a/lib/banzai/filter/milestone_reference_filter.rb
+++ b/lib/banzai/filter/milestone_reference_filter.rb
@@ -39,7 +39,7 @@ module Banzai
 if context[:project] == object.project
 super
 else
- "#{super} in #{escape_once(object.project.name_with_namespace)}".
+ "#{escape_once(super)} in #{escape_once(object.project.name_with_namespace)}".
 html_safe
 end
 end
diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
index 26f87286b2c..ac3e6e4e536 100644
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -176,5 +176,11 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
 it 'contains cross project content' do
 expect(result.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
 end
+
+ it 'escapes the name attribute' do
+ allow_any_instance_of(Milestone).to receive(:title).and_return(%{">whatever
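Review bot: The same-project arm of the conditional in `milestone_reference_filter.rb` still returns `super` untouched, while the `else` arm now returns an escaped string marked `html_safe`, so the method's return value carries two different trust levels depending on the branch. Whether the raw `super` value is escaped again before it is written into the link is not visible in this hunk; if it is not, a milestone title containing markup would still reach the rendered output for same-project references. Consider returning `escape_once(super)` in the `if` arm as well (it will not double-escape existing entities), or state the contract above the conditional with a comment such as `# Returns HTML-escaped text on both branches; only the cross-project branch is marked html_safe.` The method's `def` line lies outside the hunk, so the parent's behaviour should be confirmed before relying on either option.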