fix: Don't double escape delete branch text
- Don't double escape the 'Delete branch "$BRANCH"' text. `Locale.Tr`
escapes the argument already and Vue does too by default.
- Let Vue escape the text and add a unit test ensuring that it escapes.
- Resolves #5582
(cherry picked from commit 8c8b31f304
)
This commit is contained in:
parent
b692da7f6f
commit
5d85dc2d91
2 changed files with 35 additions and 1 deletions
|
@ -214,7 +214,7 @@
|
|||
const mergeForm = {
|
||||
'baseLink': {{.Link}},
|
||||
'textCancel': {{ctx.Locale.Tr "cancel"}},
|
||||
'textDeleteBranch': {{ctx.Locale.Tr "repo.branch.delete" .HeadTarget}},
|
||||
'textDeleteBranch': {{ctx.Locale.TrString "repo.branch.delete" .HeadTarget}},
|
||||
'textAutoMergeButtonWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_button_when_succeed"}},
|
||||
'textAutoMergeWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_when_succeed"}},
|
||||
'textAutoMergeCancelSchedule': {{ctx.Locale.Tr "repo.pulls.auto_merge_cancel_schedule"}},
|
||||
|
|
34
web_src/js/components/PullRequestMergeForm.test.js
Normal file
34
web_src/js/components/PullRequestMergeForm.test.js
Normal file
|
@ -0,0 +1,34 @@
|
|||
// Copyright 2024 The Forgejo Authors. All rights reserved.
|
||||
// SPDX-License-Identifier: MIT
|
||||
import {flushPromises, mount} from '@vue/test-utils';
|
||||
import PullRequestMergeForm from './PullRequestMergeForm.vue';
|
||||
|
||||
async function renderMergeForm(branchName) {
|
||||
window.config.pageData.pullRequestMergeForm = {
|
||||
textDeleteBranch: `Delete branch "${branchName}"`,
|
||||
textDoMerge: 'Merge',
|
||||
defaultMergeStyle: 'merge',
|
||||
isPullBranchDeletable: true,
|
||||
canMergeNow: true,
|
||||
mergeStyles: [{
|
||||
'name': 'merge',
|
||||
'allowed': true,
|
||||
'textDoMerge': 'Merge',
|
||||
'mergeTitleFieldText': 'Merge PR',
|
||||
'mergeMessageFieldText': 'Description',
|
||||
'hideAutoMerge': 'Hide this message',
|
||||
}],
|
||||
};
|
||||
const mergeform = mount(PullRequestMergeForm);
|
||||
mergeform.get('.merge-button').trigger('click');
|
||||
await flushPromises();
|
||||
return mergeform;
|
||||
}
|
||||
|
||||
test('renders escaped branch name', async () => {
|
||||
let mergeform = await renderMergeForm('<b>evil</b>');
|
||||
expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<b>evil</b>"');
|
||||
|
||||
mergeform = await renderMergeForm('<script class="evil">alert("evil message");</script>');
|
||||
expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<script class="evil">alert("evil message");</script>"');
|
||||
});
|
Loading…
Reference in a new issue