
Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#12940 closed defect (fixed)

Suggestion is rendered without html escaping

Reported by: Jun Omae
Owned by: Peter Suter
Priority: normal
Component: WikiAutoCompletePlugin
Severity: normal
Keywords:
Cc:
Trac Release: 1.0

Description

We should use a function that escapes for the template option rather than the default template function.

$ git grep '\<template\>' -- src
src/dropdown.js:        html +=   datum.strategy.template(datum.value, datum.term);
src/strategy.js:    template:   function (obj) { return obj; },
  • wikiautocomplete/htdocs/js/wikiautocomplete.js

    diff --git a/wikiautocomplete/htdocs/js/wikiautocomplete.js b/wikiautocomplete/htdocs/js/wikiautocomplete.js
    index dac2c4c..0931b4a 100644
    a b jQuery(document).ready(function($) { 
    33        return value.replace(/\$/g, '$$$$');
    44    }
    55
     6    function template(text, term) {
     7        return $.htmlEscape(text);
     8    }
     9
    610    $('textarea.wikitext').textcomplete([
    711        { // Attachment
    812            match: /\b((?:raw-)?attachment):(\S*)$/,
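Review bot: the new `template(text, term)` helper at lines 6-8 takes a `term` parameter it never uses; that matches the `(value, term)` call in `dropdown.js`, but a one-line comment saying the parameter exists only for signature compatibility would keep a later cleanup from dropping it. Also worth noting in a comment that `$.htmlEscape` is not defined in this file, so the helper depends on the host page having provided it before this script runs.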
    jQuery(document).ready(function($) { 
    1418                    .fail(function () { callback([]); });
    1519            },
    1620            index: 2,
     21            template: template,
    1722            replace: function (name) {
    1823                if (/\s/.test(name))
    1924                    name = '"' + name + '"';
    jQuery(document).ready(function($) { 
    3035                    .fail(function () { callback([]); });
    3136            },
    3237            index: 2,
     38            template: template,
    3339            replace: function (resolver) {
    3440                return ['$1[' + escape_newvalue(resolver) + ':', ']'];
    3541            },
    jQuery(document).ready(function($) { 
    4551            },
    4652            index: 1,
    4753            template: function (ticket) {
    48                 return '#' + ticket.id + ' ' + ticket.summary;
     54                return $.htmlEscape('#' + ticket.id + ' ' + ticket.summary);
    4955            },
    5056            replace: function (ticket) {
    5157                return '#' + ticket.id;
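Review bot: lines 53-54 escape the whole `'#' + ticket.id + ' ' + ticket.summary` string, which is the right unit to escape since the summary is free text, while `replace` at lines 56-57 stays unescaped. That split is correct (the `replace` result goes into the `textarea`, the `template` result into the dropdown markup), but a short comment explaining why only `template` is escaped would stop someone from "fixing" `replace` and double-escaping inserted text.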
    jQuery(document).ready(function($) { 
    6167                    .fail(function () { callback([]); });
    6268            },
    6369            index: 1,
     70            template: template,
    6471            replace: function (wikipage) {
    6572                return 'wiki:' + escape_newvalue(wikipage);
    6673            },
    jQuery(document).ready(function($) { 
    9299                    .fail(function () { callback([]); });
    93100            },
    94101            index: 2,
     102            template: template,
    95103            replace: function (path) {
    96104                return '$1' + escape_newvalue(path);
    97105            },
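The difference between the default textcomplete template and the escaping template this ticket introduces, as an added example that is not the plugin's or Trac's code; `htmlEscape` reimplements the behaviour of Trac's `$.htmlEscape` (an assumption made so the snippet runs without jQuery), and the wiki names and ticket are constructed sample data.

```javascript
// Stand-in for Trac's $.htmlEscape (assumption: same replacement set),
// so the example runs without jQuery or Trac loaded.
function htmlEscape(value) {
  if (typeof value !== 'string') return value;
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
              .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// The default strategy template from src/strategy.js: identity, no escaping,
// so any suggestion text is inserted into the dropdown as raw markup.
const defaultTemplate = function (obj) { return obj; };

// The shared helper the patch adds; `term` is unused but keeps the
// (value, term) signature dropdown.js calls with.
function template(text, term) { return htmlEscape(text); }

// The patched ticket template: escape the whole rendered label.
function ticketTemplate(ticket) {
  return htmlEscape('#' + ticket.id + ' ' + ticket.summary);
}

// Mirrors how dropdown.js builds the list:
//   html += datum.strategy.template(datum.value, datum.term);
function renderDropdown(strategy, values, term) {
  let html = '';
  for (const value of values) {
    html += '<li>' + strategy.template(value, term) + '</li>';
  }
  return html;
}

// Constructed sample data: suggestion text containing HTML metacharacters
// exactly as a user could type them into a page name or ticket summary.
const WIKI_NAMES = ['WikiStart', 'Notes <draft> & "review"'];
const TICKET = { id: 42, summary: 'Dropdown shows <b>bold</b> & more' };

function unsafeHtml() {
  return renderDropdown({ template: defaultTemplate }, WIKI_NAMES, 'Wiki');
}
function safeHtml() {
  return renderDropdown({ template: template }, WIKI_NAMES, 'Wiki');
}

// Check: after removing the <li> tags we emitted ourselves, no '<' may be
// left, i.e. no suggestion text has leaked into the markup unescaped.
function onlyOwnTags(html) {
  return html.replace(/<\/?li>/g, '').indexOf('<') === -1;
}
```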

Attachments (1)

no-html-escaping.png (10.4 KB) - added by Jun Omae 7 years ago.


Change History (3)

Changed 7 years ago by Jun Omae

Attachment: no-html-escaping.png added

comment:1 Changed 7 years ago by Peter Suter

Sounds good, thanks.

comment:2 Changed 7 years ago by Jun Omae

Resolution: fixed
Status: new → closed

In 15951:

WikiAutoCompletePlugin: escape html meta characters in suggestion (closes #12940)
