    Fix escaping issues with the new Markdown support.

    Review Request #6568 — Created Nov. 7, 2014 and submitted

    Information

    Review Board
    release-2.0.x
    5cd7610...

    Reviewers

    Text normalized for edit worked fine when being injected straight into
    JavaScript code using the normalize_text_for_edit template tag, but it
    didn't work so well for data-raw-value= attributes, nor did it work for
    comment arrays for review UIs/diff viewer.

    We now default to HTML-escaping text, and only turn this off in the case
    where we're outputting to JavaScript code using the template tag.

    This prevents things like &amp; from turning into &, and double quotes
    from breaking data attributes.

    Unit tests were added to cover the various cases.

    Manually tested rich and plain text comments with HTML-unsafe characters,
    injected through data attributes and in JavaScript. Checked raw HTML source,
    and didn't see any issues.

    Added new unit tests, which pass.
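
The context-dependent escaping described above, as an added example that is not Review Board's code or part of this change: text bound for a data-raw-value attribute is HTML-escaped by default, and escaping is turned off only when the text is emitted as a JavaScript string. The function names and the sample string are assumptions, and Python's HTMLParser and json.loads stand in for the browser's HTML parser and JavaScript engine.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample: the user literally typed "&amp;" and double quotes.
RAW = 'R&amp;D says "ship it"'


class _AttrReader(HTMLParser):
    """Reads data-raw-value back the way an HTML parser decodes it."""

    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "data-raw-value":
                self.value = value


def attr_round_trip(text, escape_html=True):
    """Place text in a data attribute, then return what the page reads back."""
    rendered = html.escape(text, quote=True) if escape_html else text
    reader = _AttrReader()
    reader.feed('<pre data-raw-value="%s"></pre>' % rendered)
    reader.close()
    return reader.value


def js_literal(text):
    """JS string literal that is safe inside <script> without HTML entities."""
    out = json.dumps(text)  # quotes and escapes ", \ and control characters
    for ch, esc in (("<", "\\u003C"), (">", "\\u003E"), ("&", "\\u0026")):
        out = out.replace(ch, esc)
    return out


def js_round_trip(text, escape_html=False):
    """Emit text as a JS literal and evaluate it (json.loads stands in for JS)."""
    rendered = html.escape(text, quote=True) if escape_html else text
    return json.loads(js_literal(rendered))


if __name__ == "__main__":
    print("attr, escaped:  ", attr_round_trip(RAW))
    print("attr, unescaped:", attr_round_trip(RAW, escape_html=False))
    print("js, unescaped:  ", js_round_trip(RAW))
    print("js, escaped:    ", js_round_trip(RAW, escape_html=True))
```

Only the escaped attribute and the unescaped JavaScript literal return the original text; the other two combinations either truncate and decode it or leave HTML entities visible to the editor.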

    reviewbot
    1. Tool: Pyflakes
      Processed Files:
          reviewboard/reviews/markdown_utils.py
          reviewboard/reviews/tests.py
          reviewboard/reviews/templatetags/reviewtags.py
      
      
      
      Tool: PEP8 Style Checker
      Processed Files:
          reviewboard/reviews/markdown_utils.py
          reviewboard/reviews/tests.py
          reviewboard/reviews/templatetags/reviewtags.py
      
      
    david
    1. Ship It!

    chipx86
    Review request changed
    Status:
    Completed
    Change Summary:
    Pushed to release-2.0.x (5fcfda1)