fix: Don't double escape delete branch text
- Don't double escape the 'Delete branch "$BRANCH"' text. `Locale.Tr`
escapes the argument already and Vue does too by default.
- Let Vue escape the text and add a unit test ensuring that it escapes.
- Resolves #5582
(cherry picked from commit 8c8b31f304
)
This commit is contained in:
parent
b692da7f6f
commit
5d85dc2d91
2 changed files with 35 additions and 1 deletions
|
@ -214,7 +214,7 @@
|
||||||
const mergeForm = {
|
const mergeForm = {
|
||||||
'baseLink': {{.Link}},
|
'baseLink': {{.Link}},
|
||||||
'textCancel': {{ctx.Locale.Tr "cancel"}},
|
'textCancel': {{ctx.Locale.Tr "cancel"}},
|
||||||
'textDeleteBranch': {{ctx.Locale.Tr "repo.branch.delete" .HeadTarget}},
|
'textDeleteBranch': {{ctx.Locale.TrString "repo.branch.delete" .HeadTarget}},
|
||||||
'textAutoMergeButtonWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_button_when_succeed"}},
|
'textAutoMergeButtonWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_button_when_succeed"}},
|
||||||
'textAutoMergeWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_when_succeed"}},
|
'textAutoMergeWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_when_succeed"}},
|
||||||
'textAutoMergeCancelSchedule': {{ctx.Locale.Tr "repo.pulls.auto_merge_cancel_schedule"}},
|
'textAutoMergeCancelSchedule': {{ctx.Locale.Tr "repo.pulls.auto_merge_cancel_schedule"}},
|
||||||
|
|
34
web_src/js/components/PullRequestMergeForm.test.js
Normal file
34
web_src/js/components/PullRequestMergeForm.test.js
Normal file
|
@ -0,0 +1,34 @@
|
||||||
|
// Copyright 2024 The Forgejo Authors. All rights reserved.
|
||||||
|
// SPDX-License-Identifier: MIT
|
||||||
|
import {flushPromises, mount} from '@vue/test-utils';
|
||||||
|
import PullRequestMergeForm from './PullRequestMergeForm.vue';
|
||||||
|
|
||||||
|
async function renderMergeForm(branchName) {
|
||||||
|
window.config.pageData.pullRequestMergeForm = {
|
||||||
|
textDeleteBranch: `Delete branch "${branchName}"`,
|
||||||
|
textDoMerge: 'Merge',
|
||||||
|
defaultMergeStyle: 'merge',
|
||||||
|
isPullBranchDeletable: true,
|
||||||
|
canMergeNow: true,
|
||||||
|
mergeStyles: [{
|
||||||
|
'name': 'merge',
|
||||||
|
'allowed': true,
|
||||||
|
'textDoMerge': 'Merge',
|
||||||
|
'mergeTitleFieldText': 'Merge PR',
|
||||||
|
'mergeMessageFieldText': 'Description',
|
||||||
|
'hideAutoMerge': 'Hide this message',
|
||||||
|
}],
|
||||||
|
};
|
||||||
|
const mergeform = mount(PullRequestMergeForm);
|
||||||
|
mergeform.get('.merge-button').trigger('click');
|
||||||
|
await flushPromises();
|
||||||
|
return mergeform;
|
||||||
|
}
|
||||||
|
|
||||||
|
test('renders escaped branch name', async () => {
|
||||||
|
let mergeform = await renderMergeForm('<b>evil</b>');
|
||||||
|
expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<b>evil</b>"');
|
||||||
|
|
||||||
|
mergeform = await renderMergeForm('<script class="evil">alert("evil message");</script>');
|
||||||
|
expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<script class="evil">alert("evil message");</script>"');
|
||||||
|
});
|
Loading…
Reference in a new issue