Fix escaping issues with the new Markdown support.

Review Request #6568 — Created Nov. 7, 2014 and submitted

Information

Review Board
release-2.0.x
5cd7610...

Text normalized for edit worked fine when being injected straight into
JavaScript code using the normalize_text_for_edit template tag, but it
didn't work so well for data-raw-value= attributes, nor did it work for
comment arrays for review UIs/diff viewer.

We now default to HTML-escaping text, and only turn this off in the case
where we're outputting to JavaScript code using the template tag.

This prevents things like &amp;amp; from turning into &amp;, and double quotes
from breaking data attributes.

Unit tests were added to cover the various cases.

Manually tested rich and plain text comments with HTML-unsafe characters,
injected through data attributes and in JavaScript. Checked raw HTML source,
and didn't see any issues.

Added new unit tests, which pass.
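
The behavior described in this change, shown as an added example that is not Review Board's code: text written unescaped into a data-raw-value attribute comes back altered, while HTML-escaped text round-trips. The names text_for_context and read_back are hypothetical, the sample string is constructed, and the use of json.dumps for the JavaScript case is an assumption.

```python
import html
import json
from html.parser import HTMLParser


def text_for_context(raw, context="html"):
    """Hypothetical helper: encode raw comment text for where it is written.

    HTML-escaping is the default. It is skipped only for the JavaScript
    context, which gets string-literal escaping instead (an assumption here).
    """
    if context == "js":
        # json.dumps produces a quoted string literal; the \u escapes stop
        # "</script>" or "&" in the text from being read as markup.
        literal = json.dumps(raw)
        for char in "<>&":
            literal = literal.replace(char, "\\u%04x" % ord(char))
        return literal
    return html.escape(raw, quote=True)


class _AttrReader(HTMLParser):
    """Records data-raw-value the way an HTML parser decodes it."""

    value = None

    def handle_starttag(self, tag, attrs):
        self.value = dict(attrs).get("data-raw-value", self.value)


def read_back(attr_text):
    """Write attr_text into a data-raw-value attribute and parse it again."""
    reader = _AttrReader()
    reader.feed('<pre data-raw-value="%s"></pre>' % attr_text)
    reader.close()
    return reader.value


# Constructed sample comment with HTML-unsafe characters.
SAMPLE = 'Use &amp; here, and "quote" <b>this</b>'

if __name__ == "__main__":
    print(repr(read_back(SAMPLE)))                    # altered and cut short
    print(repr(read_back(text_for_context(SAMPLE))))  # identical to SAMPLE
    print(text_for_context(SAMPLE, "js"))
```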

reviewbot
  1. Tool: Pyflakes
    Processed Files:
        reviewboard/reviews/markdown_utils.py
        reviewboard/reviews/tests.py
        reviewboard/reviews/templatetags/reviewtags.py
    
    
    
    Tool: PEP8 Style Checker
    Processed Files:
        reviewboard/reviews/markdown_utils.py
        reviewboard/reviews/tests.py
        reviewboard/reviews/templatetags/reviewtags.py
    
    
david
  1. Ship It!

chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-2.0.x (5fcfda1)