Posted to commits@allura.apache.org by br...@apache.org on 2013/07/11 23:58:27 UTC
[07/50] [abbrv] git commit: [#5693] ticket:397 Escape forum topic in
notifications
[#5693] ticket:397 Escape forum topic in notifications
Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/ff44014a
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/ff44014a
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/ff44014a
Branch: refs/heads/db/6277
Commit: ff44014a528b069e10cbfe51d2bc1981d924d455
Parents: a20153c
Author: Igor Bondarenko <je...@gmail.com>
Authored: Wed Jul 3 09:39:26 2013 +0000
Committer: Cory Johns <cj...@slashdotmedia.com>
Committed: Wed Jul 3 16:46:33 2013 +0000
----------------------------------------------------------------------
Allura/allura/templates/mail/Discussion.txt | 2 +-
.../forgediscussion/tests/functional/test_forum.py | 17 ++++++++++++++++-
2 files changed, 17 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/ff44014a/Allura/allura/templates/mail/Discussion.txt
----------------------------------------------------------------------
diff --git a/Allura/allura/templates/mail/Discussion.txt b/Allura/allura/templates/mail/Discussion.txt
index 4702f21..21bfb51 100644
--- a/Allura/allura/templates/mail/Discussion.txt
+++ b/Allura/allura/templates/mail/Discussion.txt
@@ -20,4 +20,4 @@
---
-[{{post.thread.subject}}]({{h.absurl(post.url_paginated())}})
+[{{post.thread.subject|e}}]({{h.absurl(post.url_paginated())}})
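Review bot: The `|e` filter on the new line HTML-escapes the subject, but the value sits inside a Markdown link label, where `[`, `]` and backslashes keep their meaning. If this text is later rendered as Markdown (inferred from the `[...](...)` syntax, not visible here), a subject containing brackets can still change the link structure. Either escape Markdown metacharacters in the subject as well, or record the limit in the template with `{# subject is HTML-escaped only; Markdown metacharacters are not neutralised #}`. Readers of the plain-text part will now see entities such as `&lt;` literally, which is worth confirming as intended. The template begins outside this hunk, so any other user-controlled fields it interpolates should be checked for the same treatment.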
http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/ff44014a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
----------------------------------------------------------------------
diff --git a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
index ffa0ca1..a9288c8 100644
--- a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
+++ b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
@@ -26,7 +26,7 @@ from email.mime.multipart import MIMEMultipart
import pkg_resources
from pylons import tmpl_context as c, app_globals as g
-from nose.tools import assert_equal
+from nose.tools import assert_equal, assert_in
from allura import model as M
from allura.tasks import mail_tasks
@@ -408,6 +408,21 @@ class TestForum(TestController):
assert 'noreply' not in n.reply_to_address, n
assert 'testforum@discussion.test.p' in n.reply_to_address, n
+ def test_notifications_escaping(self):
+ r = self.app.get('/discussion/create_topic/')
+ f = r.html.find('form', {'action':'/p/test/discussion/save_new_topic'})
+ params = dict()
+ inputs = f.findAll('input')
+ for field in inputs:
+ if field.has_key('name'):
+ params[field['name']] = field.has_key('value') and field['value'] or ''
+ params[f.find('textarea')['name']] = 'Post text'
+ params[f.find('select')['name']] = 'testforum'
+ params[f.find('input', {'style':'width: 90%'})['name']] = "this is <h2> o'clock"
+ r = self.app.post('/discussion/save_new_topic', params=params)
+ n = M.Notification.query.find(dict(subject="[test:discussion] this is <h2> o'clock")).first()
+ assert_in('---\n\n[this is <h2> o'clock]', n.text)
+
@mock.patch('allura.model.discuss.g.spam_checker')
def test_anonymous_post(self, spam_checker):
spam_checker.check.return_value = True
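Review bot: The title posted in `test_notifications_escaping` contains only `<`, `>` and `'`, so the test would still pass if `&` or `"` stopped being escaped in the notification body; extending the title with both characters, and the expected text with their escaped forms, closes that gap. `n` is also dereferenced without a check, so a changed subject format surfaces as an AttributeError on `n.text`; adding `assert n is not None, 'notification not found'` before the `assert_in` makes that failure readable. The expected string on the `assert_in` line is shown here with a bare apostrophe inside a single-quoted literal, which would not parse, so the archive has presumably decoded the entities the commit actually asserts on.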