-rw-r--r-- | .cypress/cypress/integration/regressions.js | 17 | ||||
-rw-r--r-- | CHANGELOG.md | 1 | ||||
-rw-r--r-- | web/cobrands/fixmystreet/fixmystreet.js | 14 |
3 files changed, 31 insertions, 1 deletions
diff --git a/.cypress/cypress/integration/regressions.js b/.cypress/cypress/integration/regressions.js
index 00e92f5ad..547fc469b 100644
--- a/.cypress/cypress/integration/regressions.js
+++ b/.cypress/cypress/integration/regressions.js
@@ -25,4 +25,21 @@ describe('Regression tests', function() {
         cy.get('#loading-indicator').should('be.hidden');
         cy.get('#map_box image').should('be.visible');
     });
+    it('Does not escape HTML entities in the title', function() {
+        cy.server();
+        cy.route('/around\?ajax*').as('update-results');
+        cy.request({
+            method: 'POST',
+            url: '/auth?r=/',
+            form: true,
+            body: { username: 'cs@example.org', password_sign_in: 'password' }
+        });
+        cy.visit('/report/1/moderate');
+        cy.get('[name=problem_title]').clear().type('M&S "brill" says <glob>').parents('form').submit();
+        cy.title().should('contain', 'M&S "brill" says <glob>');
+        cy.contains('Problems nearby').click();
+        cy.wait('@update-results');
+        cy.get('#map_sidebar').contains('M&S').click();
+        cy.title().should('contain', 'M&S "brill" says <glob>');
+    });
 });
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4fb18ccfb..825a9d353 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@
 - Keep all moderation history, and show in report/update admin. #2329
 - Bugfixes:
     - Restore map zoom out when navigating to /around from /report. #1649
+    - Don’t escape HTML entities in report titles pulled in by ajax. #2346
 - Open311 improvements:
     - Fix bug in contact group handling. #2323
     - Improve validation of fetched reports timestamps. #2327
diff --git a/web/cobrands/fixmystreet/fixmystreet.js b/web/cobrands/fixmystreet/fixmystreet.js
index 98e538933..100eec15d 100644
--- a/web/cobrands/fixmystreet/fixmystreet.js
+++ b/web/cobrands/fixmystreet/fixmystreet.js
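Review bot: The fixture title in the new regression test exercises `&`, `"`, `<` and `>` but never an apostrophe, so the `&#39;` entry of the decode map this test is meant to guard has no coverage; changing the typed and asserted string to something like `'M&S "brill" says <glob> it\'s'` would cover all five entities the fix handles. As a minor style point, `'/around\?ajax*'` is a plain string literal, so the backslash is a no-op and the route pattern is just `'/around?ajax*'` — dropping it avoids suggesting the `?` is escaped. The hard-coded `cs@example.org` / `password` pair is a test fixture and fine here as long as it never refers to a real account.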
@@ -1354,7 +1354,19 @@ fixmystreet.display = {
         }
         var found = html.match(/<title>([\s\S]*?)<\/title>/);
-        var page_title = found[1];
+        // Unencode HTML entities so it's suitable for document.title. We
+        // only care about the ones encoded by the template's html_filter.
+        var map = {
+            '&': '&',
+            '>': '>',
+            '<': '<',
+            '"': '"',
+            ''': "'"
+        };
+        var page_title = found[1].replace(/&(amp|lt|gt|quot|#39);/g, function(m) {
+            return map[m];
+        });
+
         fixmystreet.page = 'report';
         $('.big-hide-pins-link').hide(); |
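Review bot: As rendered on this page the keys of `map` read `'&': '&'`, `'>': '>'`, `'<': '<'`, `'"': '"'`, which can never equal the `&amp;`/`&gt;`/`&lt;`/`&quot;`/`&#39;` tokens the regex hands to the callback, so every entity would be replaced with the string `"undefined"`; this is most likely the page's HTML rendering decoding the entities in the listing, but it is worth confirming the committed keys are the encoded forms (`'&amp;': '&'`, `'&lt;': '<'`, …). The single-pass regex decode is the right approach — it does not double-decode (`&amp;lt;` correctly becomes the literal text `&lt;`) and, unlike a DOM-based trick such as `$('<div>').html(found[1]).text()`, it never parses untrusted report text as HTML. The decoded `page_title` is now raw user text, so it is only safe where it is assigned to `document.title` or another text sink; its consumer is outside this hunk, and the enclosing function both starts and ends outside it, so please check it is not later passed to `.html()`/`innerHTML` or into a history-state string that is rendered as markup. A comment at the `page_title` assignment would make that contract explicit: `// page_title is unescaped user text: safe for document.title, NOT for innerHTML.`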