Allowing ">" to be used for Milestone models's title and storing the value in db as unescaped.

Updating test value for milestone title

Adding API test for title with reserved HTML characters.

Updating changelog

Adding the MR number for fixing bug #22452.

removing duplicate line

Updating MR number.

CHANGELOG

@@ -4,6 +4,7 @@ v 8.13.0 (unreleased)
   - Speed-up group milestones show page
   - Fix robots.txt disallowing access to groups starting with "s" (Matt Harrison)
   - Revoke button in Applications Settings underlines on hover.
+  - Fix unnecessary escaping of reserved HTML characters in milestone title. !6533
 
 v 8.12.2 (unreleased)
   - Fix Import/Export not recognising correctly the imported services.

app/models/milestone.rb

@@ -158,7 +158,7 @@ class Milestone < ActiveRecord::Base
   end
 
   def title=(value)
-    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+    write_attribute(:title, sanitize_title(value)) if value.present?
   end
 
   # Sorts the issues for the given IDs.
@@ -204,4 +204,8 @@ class Milestone < ActiveRecord::Base
       iid
     end
   end
+
+  def sanitize_title(value)
+    CGI.unescape_html(Sanitize.clean(value.to_s))
+  end
 end

spec/models/milestone_spec.rb

@@ -20,10 +20,10 @@ describe Milestone, models: true do
   let(:user) { create(:user) }
 
   describe "#title" do
-    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+    let(:milestone) { create(:milestone, title: "<b>foo & bar -> 2.2</b>") }
 
     it "sanitizes title" do
-      expect(milestone.title).to eq("test")
+      expect(milestone.title).to eq("foo & bar -> 2.2")
     end
   end
 

spec/requests/api/milestones_spec.rb

@@ -104,6 +104,14 @@ describe API::API, api: true  do
 
       expect(response).to have_http_status(400)
     end
+
+    it 'creates a new project with reserved html characters' do
+      post api("/projects/#{project.id}/milestones", user), title: 'foo & bar 1.1 -> 2.2'
+
+      expect(response).to have_http_status(201)
+      expect(json_response['title']).to eq('foo & bar 1.1 -> 2.2')
+      expect(json_response['description']).to be_nil
+    end
   end
 
   describe 'PUT /projects/:id/milestones/:milestone_id' do