-
-
I think this doesn't do the right thing. urlizeList will add in <a> tags to make links to the given items, but then formatText will escape the whole thing.
Probably a better solution is to leave the outer stuff as-is, but have the inner method return
_.escape(bugTrackerURL.replace('%s', item)).Can you create a repository with an associated bug tracker and test if linked bugs work appropriately?
-
This will potentially run the linkify methods, which doesn't seem appropriate here. I think probably we can just change this to use
$el.text(...);
Add input escaping to the bugs section of review
Review Request #5774 — Created May 5, 2014 and submitted
If you create a new review and type a string that should be escaped into the bugs secion (e.g. <A>), it disappears. Can be fixed by using view.formatText that escapes input.
Note that even though the text that you entered isn't displayed, if you refresh the review, it's there, and is displayed, as the template has "|safe" in it. The problem is only visible after immediate value update.There are a couple of other fields that might have the same issue, but none of them (depends on, target groups) are likely to have input that should be escaped in them.
Before:
1) Created a new review.
2) Click edit on bug description.
3) Enter "<A>" into the field and press enter.
4) Text disappears.After:
1) Created a new review.
2) Click edit on bug description.
3) Enter "<A>" into the field and press enter.
4) Text is there, just as expected.Also tested behaviour with multiple inputs like "<123> <456>".
