diff --git a/app/models/dmsf_file_revision.rb b/app/models/dmsf_file_revision.rb
index 065c289c..8b80ec3e 100644
--- a/app/models/dmsf_file_revision.rb
+++ b/app/models/dmsf_file_revision.rb
@@ -363,7 +363,7 @@ class DmsfFileRevision < ApplicationRecord
 text += ' / ' if text.present?
 text += comment
 end
-ActionView::Base.full_sanitizer.sanitize text
+text
 end
 def workflow_tooltip
diff --git a/lib/redmine_dmsf/hooks/views/issue_view_hooks.rb b/lib/redmine_dmsf/hooks/views/issue_view_hooks.rb
index 2518e2fa..b91d8fb8 100644
--- a/lib/redmine_dmsf/hooks/views/issue_view_hooks.rb
+++ b/lib/redmine_dmsf/hooks/views/issue_view_hooks.rb
@@ -71,7 +71,7 @@ module RedmineDmsf
 unless allowed_to_attach_attachments(container)
 html << context[:hook_caller].late_javascript_tag("$('.attachments-container:not(.dmsf-uploader)').hide();")
 end
-sanitize html
+html
 end
 def view_issues_show_description_bottom(context = {})
@@ -183,7 +183,7 @@ module RedmineDmsf
 awf: true } })
 html << ''
 html << (description ? '
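Review bot: `tooltip` now returns the joined title/comment text with no sanitization at all, so the responsibility for neutralising markup in those user-entered fields has moved entirely to the callers. The callers touched in this diff do escape it (`title: h(file.last_revision.try(:tooltip))` in macros.rb), but any other consumer that rendered the previously stripped value directly is now exposed and should be checked. I would record the new contract at the return: `# Plain, unsanitized text: callers must HTML-escape it before rendering`. The method starts above the hunk.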
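Review bot: With `sanitize` gone, the string returned at the end of this hook (and likewise in the @@ -183 and @@ -208 hunks of the same file) is emitted exactly as built, so every fragment appended to `html` must already be escaped; as far as I recall Redmine's view-side `call_hook` joins the listener results and marks them html_safe, which means there is no longer any backstop. The fragments visible here are constant markup and a `late_javascript_tag` with a fixed selector, which is fine, but `attachment_row(dmsf_file, link, issue, controller)` in the @@ -208 hunk is where file names and titles enter the output and its body is outside the diff, so it is worth confirming it builds every text node and attribute through the tag helpers or `h`. A one-line comment above each return, `# Returned unsanitized: every fragment appended to html must already be HTML-escaped`, would make the contract visible. The enclosing methods start outside the hunks.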

' : '')
-sanitize html
+html
 end
 def show_attached_documents(container, controller, _attachments = nil)
@@ -208,7 +208,7 @@ module RedmineDmsf
 html << attachment_row(dmsf_file, link, issue, controller)
 end
 html << ''
-sanitize html
+html
 end
 def attachment_row(dmsf_file, link, issue, controller)
diff --git a/lib/redmine_dmsf/macros.rb b/lib/redmine_dmsf/macros.rb
index 3e153cc4..7866c813 100644
--- a/lib/redmine_dmsf/macros.rb
+++ b/lib/redmine_dmsf/macros.rb
@@ -150,7 +150,7 @@ module RedmineDmsf
 file = DmsfFile.visible.find args[0]
 raise l(:notice_not_authorized) unless User.current&.allowed_to?(:view_dmsf_files, file.project)
-sanitize file.text_preview(args[1]).gsub("\n", '
')
+content_tag :pre, file.text_preview(args[1])
 end
 # dmsf_image - link to an image
@@ -170,7 +170,7 @@ module RedmineDmsf
 width = options[:width]
 height = options[:height]
 ids = args[0].split
-html = +''
+html = []
 ids.each do |id|
 file = DmsfFile.visible.find(id)
 raise l(:notice_not_authorized) unless User.current&.allowed_to?(:view_dmsf_files, file.project)
@@ -189,7 +189,7 @@ module RedmineDmsf
 image_tag url, alt: filename, title: file.title, size: size
 end
 end
-sanitize html
+safe_join html
 end
 # dmsf_video - link to a video
@@ -240,7 +240,7 @@ module RedmineDmsf
 width = options[:width]
 height = options[:height]
 ids = args[0].split
-html = +''
+html = []
 ids.each do |id|
 file = DmsfFile.visible.find(id)
 raise l(:notice_not_authorized) unless User.current&.allowed_to?(:view_dmsf_files, file.project)
@@ -264,7 +264,7 @@ module RedmineDmsf
 title: h(file.last_revision.try(:tooltip)),
 'data-downloadurl' => "#{file.last_revision.detect_content_type}:#{h(file.name)}:#{url}")
 end
-sanitize html
+safe_join html
 end
 # dmsfw - link to a document's approval workflow status
diff --git a/lib/redmine_dmsf/patches/issue_patch.rb b/lib/redmine_dmsf/patches/issue_patch.rb
index 65adfb8c..5beb5e51 100644
--- a/lib/redmine_dmsf/patches/issue_patch.rb
+++ b/lib/redmine_dmsf/patches/issue_patch.rb
@@ -126,11 +126,11 @@ module RedmineDmsf
 end
 def dmsf_files
-system_folder&.dmsf_files&.visible
+system_folder&.dmsf_files&.visible || []
 end
 def dmsf_links
-system_folder&.dmsf_links&.visible
+system_folder&.dmsf_links&.visible || []
 end
 def delete_system_folder
diff --git a/test/unit/lib/redmine_dmsf/dmsf_macros_test.rb b/test/unit/lib/redmine_dmsf/dmsf_macros_test.rb
index 9177d17c..1522889f 100644
--- a/test/unit/lib/redmine_dmsf/dmsf_macros_test.rb
+++ b/test/unit/lib/redmine_dmsf/dmsf_macros_test.rb
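Review bot: `content_tag :pre, file.text_preview(args[1])` relies on `content_tag` escaping its body, which only happens when the value is not already html_safe; `text_preview` is defined outside this diff, so confirm it returns a plain String rather than an html_safe buffer, otherwise the preview text would be injected verbatim. A short comment would keep that dependency visible: `# content_tag escapes the preview; text_preview must return a plain (non html_safe) String`. The enclosing macro block starts and ends outside the hunk.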
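Review bot: In the `'data-downloadurl'` value of the @@ -264 hunk, `h(file.name)` is interpolated into an ordinary string literal, which yields a plain String that `link_to`'s attribute escaping then escapes a second time, so a file name containing `&`, `<` or `"` ends up double-escaped in the attribute; unless I am misreading `tag_option`, this predates the commit, but with `safe_join` the helper's own escaping is now the only layer and the mistake is more visible. Because the attribute is escaped by the tag builder anyway, `'data-downloadurl' => "#{file.last_revision.detect_content_type}:#{file.name}:#{url}"` gives a single, correct escaping; the `h` on `title:` is harmless since html_safe values pass through untouched. The loop body starts outside the hunk.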
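Review bot: In the issue_patch.rb hunk, `dmsf_files` and `dmsf_links` now return an Array when there is no system folder but an `ActiveRecord::Relation` otherwise, so a caller that chains a scope or `where` on the result works in one case and raises `NoMethodError` in the other. Returning an empty relation keeps the type uniform: `system_folder&.dmsf_files&.visible || DmsfFile.none`, and the equivalent `.none` on the link model for `dmsf_links`. Both methods are fully inside the hunk.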
@@ -208,7 +208,7 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 # {{dmsft(document_id)}}
 def test_macro_dmsft
 text = textilizable("{{dmsft(#{@file1.id}, 1)}}")
-assert_equal content_tag(:p, @file1.text_preview(1)), text
+assert_equal content_tag(:p, content_tag(:pre, @file1.text_preview(1))), text
 end
 def test_macro_dmsft_no_permissions
@@ -228,7 +228,7 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 url = static_dmsf_file_url(@file7, @file7.last_revision.name)
 text = textilizable("{{dmsf_image(#{@file7.id})}}")
 link = image_tag(url, alt: @file7.name, title: @file7.title, size: nil)
-assert_equal sanitize(content_tag(:p, link)), text
+assert_equal content_tag(:p, link), text
 end
 # {{dmsf_image(file_id file_id)}}
@@ -236,7 +236,7 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 url = static_dmsf_file_url(@file7, @file7.last_revision.name)
 text = textilizable("{{dmsf_image(#{@file7.id} #{@file7.id})}}")
 link = image_tag(url, alt: @file7.name, title: @file7.title, size: nil)
-assert_equal sanitize(content_tag(:p, safe_join([link, link]))), text
+assert_equal content_tag(:p, safe_join([link, link])), text
 end
 def test_macro_dmsf_image_size
@@ -244,7 +244,7 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 url = static_dmsf_file_url(@file7, @file7.last_revision.name)
 text = textilizable("{{dmsf_image(#{@file7.id}, size=#{size})}}")
 link = image_tag(url, alt: @file7.name, title: @file7.title, width: size, height: size)
-assert_equal sanitize(content_tag(:p, link)), text
+assert_equal content_tag(:p, link), text
 # TODO: arguments src and with and height are swapped
 # size = '300'
 # text = textilizable("{{dmsf_image(#{@file7.id}, size=#{size})}}")
@@ -258,11 +258,11 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 height = '480'
 text = textilizable("{{dmsf_image(#{@file7.id}, height=#{height})}}")
 link = image_tag(url, alt: @file7.name, title: @file7.title, width: 'auto', height: height)
-assert_equal sanitize(content_tag(:p, link)), text
+assert_equal content_tag(:p, link), text
 width = '480'
 text = textilizable("{{dmsf_image(#{@file7.id}, width=#{height})}}")
 link = image_tag(url, alt: @file7.name, title: @file7.title, width: width, height: 'auto')
-assert_equal sanitize(content_tag(:p, link)), text
+assert_equal content_tag(:p, link), text
 end
 def test_macro_dmsf_image_no_permissions
@@ -344,8 +344,13 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 text = textilizable("{{dmsftn(#{@file7.id})}}")
 url = static_dmsf_file_url(@file7, @file7.last_revision.name)
 img = image_tag(url, alt: @file7.name, title: @file7.title, width: 'auto', height: 200)
-link = link_to(img, url, title: h(@file7.last_revision.try(:tooltip)))
-assert_equal sanitize(content_tag(:p, link)), text
+link = link_to(img,
+url,
+target: '_blank',
+rel: 'noopener',
+title: h(@file7.last_revision.try(:tooltip)),
+'data-downloadurl' => "#{@file7.last_revision.detect_content_type}:#{h(@file7.name)}:#{url}")
+assert_equal content_tag(:p, link), text
 end
 # {{dmsftn(file_id file_id)}}
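Review bot: In the width case of the @@ -258 hunk the macro text is built with `width=#{height}` while `width` is assigned the same '480', so the assertion only passes because the two values coincide and the width parameter is never really exercised. `text = textilizable("{{dmsf_image(#{@file7.id}, width=#{width})}}")` would test what the case name says, and a distinct value for `width` would make the check meaningful. This is a context line rather than something the commit changed; the test method starts outside the hunk.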
@@ -353,8 +358,11 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 text = textilizable("{{dmsftn(#{@file7.id} #{@file7.id})}}")
 url = static_dmsf_file_url(@file7, @file7.last_revision.name)
 img = image_tag(url, alt: @file7.name, title: @file7.title, width: 'auto', height: 200)
-link = link_to(img, url, title: h(@file7.last_revision.try(:tooltip)))
-assert_equal sanitize(content_tag(:p, safe_join([link, link]))), text
+link = link_to(img, url, target: '_blank',
+rel: 'noopener',
+title: h(@file7.last_revision.try(:tooltip)),
+'data-downloadurl': 'image/gif:test.gif:http://example.com/dmsf/files/7/test.gif')
+assert_equal content_tag(:p, link + link), text
 end
 # {{dmsftn(file_id size=300)}}
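Review bot: `'data-downloadurl': 'image/gif:test.gif:http://example.com/dmsf/files/7/test.gif'` hard-codes the fixture's content type, file name, record id and host, whereas the sibling assertions (the @@ -344 hunk above and the size and width cases of the @@ -363 hunk below) derive the value from `@file7.last_revision.detect_content_type`, `h(@file7.name)` and `url`; the height case of the @@ -363 hunk carries the same literal. Using the computed form in both places keeps these tests independent of fixture ids and of the test host, i.e. `'data-downloadurl' => "#{@file7.last_revision.detect_content_type}:#{h(@file7.name)}:#{url}"`. The symbol key `'data-downloadurl':` versus the string key `'data-downloadurl' =>` elsewhere, and `link + link` here versus `safe_join([link, link])` in the dmsf_image tests, are further small inconsistencies even though each pair renders the same buffer.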
@@ -363,31 +371,42 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 size = '300'
 text = textilizable("{{dmsftn(#{@file7.id}, size=#{size})}}")
 img = image_tag(url, alt: @file7.name, title: @file7.title, size: size)
-link = link_to(
-img,
-url,
-target: '_blank',
-rel: 'noopener',
-title: h(@file7.last_revision.try(:tooltip)),
-'data-downloadurl' => "#{@file7.last_revision.detect_content_type}:#{h(@file7.name)}:#{url}"
-)
-assert_equal sanitize(content_tag(:p, link)), text
+link = link_to(img,
+url,
+target: '_blank',
+rel: 'noopener',
+title: h(@file7.last_revision.try(:tooltip)),
+'data-downloadurl' => "#{@file7.last_revision.detect_content_type}:#{h(@file7.name)}:#{url}")
+assert_equal content_tag(:p, link), text
 # TODO: arguments src and with and height are swapped
 # size = '640x480'
 # text = textilizable("{{dmsftn(#{@file7.id}, size=#{size})}}")
 # img = image_tag(url, alt: @file7.name, title: @file7.title, width: 640, height: 480)
-# link = link_to(img, url, title: h(@file7.last_revision.try(:tooltip)))
-# assert_equal sanitize(content_tag(:p, link)), text
+# link = link_to(img,
+# url,
+# target: '_blank',
+# rel: 'noopener',
+# title: h(@file7.last_revision.try(:tooltip)),
+# 'data-downloadurl' => "#{@file7.last_revision.detect_content_type}:#{h(@file7.name)}:#{url}")
+assert_equal content_tag(:p, link), text
 height = '480'
 text = textilizable("{{dmsftn(#{@file7.id}, height=#{height})}}")
 img = image_tag(url, alt: @file7.name, title: @file7.title, width: 'auto', height: 480)
-link = link_to(img, url, title: h(@file7.last_revision.try(:tooltip)))
-assert_equal sanitize(content_tag(:p, link)), text
+link = link_to(img, url, target: '_blank',
+rel: 'noopener',
+title: h(@file7.last_revision.try(:tooltip)),
+'data-downloadurl': 'image/gif:test.gif:http://example.com/dmsf/files/7/test.gif')
+assert_equal content_tag(:p, link), text
 width = '640'
 text = textilizable("{{dmsftn(#{@file7.id}, width=#{width})}}")
 img = 
image_tag(url, alt: @file7.name, title: @file7.title, width: 640, height: 'auto')
-link = link_to(img, url, title: h(@file7.last_revision.try(:tooltip)))
-assert_equal sanitize(content_tag(:p, link)), text
+link = link_to(img,
+url,
+target: '_blank',
+rel: 'noopener',
+title: h(@file7.last_revision.try(:tooltip)),
+'data-downloadurl' => "#{@file7.last_revision.detect_content_type}:#{h(@file7.name)}:#{url}")
+assert_equal content_tag(:p, link), text
 end
 def test_macro_dmsftn_no_permissions
@@ -396,7 +415,7 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 url = view_dmsf_file_url(@file7)
 img = image_tag(url, alt: @file7.name, title: @file7.title, width: 'auto', height: 200)
 link = link_to(img, url, title: h(@file7.last_revision.try(:tooltip)))
-assert_not_equal sanitize(content_tag(:p, link)), text
+assert_not_equal content_tag(:p, link), text
 end
 def test_macro_dmsftn_dmsf_off
@@ -405,7 +424,7 @@ class DmsfMacrosTest < RedmineDmsf::Test::HelperTest
 url = view_dmsf_file_url(@file7)
 img = image_tag(url, alt: @file7.name, title: @file7.title, width: 'auto', height: 200)
 link = link_to(img, url, title: h(@file7.last_revision.try(:tooltip)))
-assert_not_equal sanitize(content_tag(:p, link)), text
+assert_not_equal content_tag(:p, link), text
 end
 def test_macro_dmsftn_not_image
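Review bot: The `assert_equal content_tag(:p, link), text` that follows the commented-out `# link = link_to(...)` block in the @@ -363 hunk is live code, but `link` and `text` still hold the values of the size case above it, so it merely repeats the assertion already made there instead of testing the 640x480 case; before this commit that line was commented out together with the rest of the TODO block and it should stay that way until the TODO is resolved: `# assert_equal content_tag(:p, link), text`. If a placeholder is wanted, the `text = textilizable(...)`, `img = ...` and `link = ...` lines of that block would have to be live as well. The test method starts outside the hunk.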
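Review bot: `assert_not_equal content_tag(:p, link), text` in the @@ -396 hunk, and the same line in the @@ -405 hunk, only proves that the output differs from one specific rendering, so a regression that still emitted the thumbnail link with a changed attribute would pass unnoticed; the `link` these tests construct does not even carry the `target`/`rel`/`data-downloadurl` attributes the macro now adds, so the inequality holds trivially. Asserting what the no-permission and DMSF-off paths must produce, or at least `assert_no_match(/<img/, text)`, would pin the intended behaviour. Both test bodies start outside their hunks.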