redmine_plugins/redmine_dmsf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xss fix

Browse Source
This commit is contained in:
pavel 2019-12-03 21:37:30 +01:00
parent af9b131a7f
commit 3ab92c337b
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/views/dmsf_files/show.html.erb
View File

@ -112,7 +112,7 @@
<% if revision.description.present? %> <% if revision.description.present? %>
<div class="status attribute"> <div class="status attribute">
<%= content_tag :div, l(:label_description), :class => 'label' %> <%= content_tag :div, l(:label_description), :class => 'label' %>
<% text = clean_wiki_text(textilizable(revision.description)) %> <% text = clean_wiki_text(textilizable(h revision.description)) %>
<%= content_tag :div, text.html_safe, :class => 'value wiki' %> <%= content_tag :div, text.html_safe, :class => 'value wiki' %>
</div> </div>
<% end %> <% end %>
@ -141,7 +141,7 @@
<% if revision.comment.present? %> <% if revision.comment.present? %>
<div class="status attribute"> <div class="status attribute">
<%= content_tag :div, l(:label_comment), :class => 'label' %> <%= content_tag :div, l(:label_comment), :class => 'label' %>
<% text = clean_wiki_text(textilizable(revision.comment)) %> <% text = clean_wiki_text(textilizable(h revision.comment)) %>
<%= content_tag :div, text.html_safe, :class => 'value wiki' %> <%= content_tag :div, text.html_safe, :class => 'value wiki' %>
</div> </div>
<% end %> <% end %>

4
lib/redmine_dmsf/hooks/views/issue_view_hooks.rb
View File

@ -208,11 +208,11 @@ module RedmineDmsf
:title => h(dmsf_file.last_revision.try(:tooltip)), :title => h(dmsf_file.last_revision.try(:tooltip)),
'data-downloadurl' => "#{dmsf_file.last_revision.detect_content_type}:#{h(dmsf_file.name)}:#{file_view_url}") 'data-downloadurl' => "#{dmsf_file.last_revision.detect_content_type}:#{h(dmsf_file.name)}:#{file_view_url}")
html << "<span class=\"size\">(#{number_to_human_size(dmsf_file.last_revision.size)})</span>" html << "<span class=\"size\">(#{number_to_human_size(dmsf_file.last_revision.size)})</span>"
html << " - #{dmsf_file.description}" unless dmsf_file.description.blank? html << " - #{h(dmsf_file.description)}" unless dmsf_file.description.blank?
html << '</td>' html << '</td>'
# Author, updated at # Author, updated at
html << '<td>' html << '<td>'
html << "<span class=\"author\">#{dmsf_file.last_revision.user}, #{format_time(dmsf_file.last_revision.updated_at)}</span>" html << "<span class=\"author\">#{h(dmsf_file.last_revision.user)}, #{format_time(dmsf_file.last_revision.updated_at)}</span>"
html << '</td>' html << '</td>'
# Command icons # Command icons
html << '<td class="fast-icons easy-query-additional-ending-buttons hide-when-print">' html << '<td class="fast-icons easy-query-additional-ending-buttons hide-when-print">'