fix: Don't double escape delete branch text

- Don't double escape the 'Delete branch "$BRANCH"' text. `Locale.Tr` escapes the argument already and Vue does too by default. - Let Vue escape the text and add a unit test ensuring that it escapes. - Resolves #5582
2024-10-23 17:32:12 +00:00 · 2024-10-19 22:01:35 +02:00 · 2024-10-19 22:01:35 +02:00 · 8c8b31f304
parent b76d7a2b2d
commit 8c8b31f304
2 changed files with 35 additions and 1 deletions
--- a/templates/repo/issue/view_content/pull.tmpl
+++ b/templates/repo/issue/view_content/pull.tmpl
@ -214,7 +214,7 @@
 							const mergeForm = {
 								'baseLink': {{.Link}},
 								'textCancel': {{ctx.Locale.Tr "cancel"}},
-								'textDeleteBranch': {{ctx.Locale.Tr "repo.branch.delete" .HeadTarget}},
+								'textDeleteBranch': {{ctx.Locale.TrString "repo.branch.delete" .HeadTarget}},
 								'textAutoMergeButtonWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_button_when_succeed"}},
 								'textAutoMergeWhenSucceed': {{ctx.Locale.Tr "repo.pulls.auto_merge_when_succeed"}},
 								'textAutoMergeCancelSchedule': {{ctx.Locale.Tr "repo.pulls.auto_merge_cancel_schedule"}},
--- a/web_src/js/components/PullRequestMergeForm.test.js
+++ b/web_src/js/components/PullRequestMergeForm.test.js
@ -0,0 +1,34 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+import {flushPromises, mount} from '@vue/test-utils';
+import PullRequestMergeForm from './PullRequestMergeForm.vue';
+
+async function renderMergeForm(branchName) {
+  window.config.pageData.pullRequestMergeForm = {
+    textDeleteBranch: `Delete branch "${branchName}"`,
+    textDoMerge: 'Merge',
+    defaultMergeStyle: 'merge',
+    isPullBranchDeletable: true,
+    canMergeNow: true,
+    mergeStyles: [{
+      'name': 'merge',
+      'allowed': true,
+      'textDoMerge': 'Merge',
+      'mergeTitleFieldText': 'Merge PR',
+      'mergeMessageFieldText': 'Description',
+      'hideAutoMerge': 'Hide this message',
+    }],
+  };
+  const mergeform = mount(PullRequestMergeForm);
+  mergeform.get('.merge-button').trigger('click');
+  await flushPromises();
+  return mergeform;
+}
+
+test('renders escaped branch name', async () => {
+  let mergeform = await renderMergeForm('<b>evil</b>');
+  expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<b>evil</b>"');
+
+  mergeform = await renderMergeForm('<script class="evil">alert("evil message");</script>');
+  expect(mergeform.get('label[for="delete-branch-after-merge"]').text()).toBe('Delete branch "<script class="evil">alert("evil message");</script>"');
+});