From d6b70ab47bc5be26a9671dfd3a0a3dd9fa044eb4 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Mon, 20 Oct 2014 16:17:39 -0400
Subject: [PATCH] Prepare 1.6.1 release

---
 src/main/java/com/gitblit/wicket/pages/TicketPage.java |   38 ++++++++++++++++++--------------------
 1 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/src/main/java/com/gitblit/wicket/pages/TicketPage.java b/src/main/java/com/gitblit/wicket/pages/TicketPage.java
index f5f63d2..b690e4c 100644
--- a/src/main/java/com/gitblit/wicket/pages/TicketPage.java
+++ b/src/main/java/com/gitblit/wicket/pages/TicketPage.java
@@ -37,7 +37,6 @@
 import org.apache.wicket.PageParameters;
 import org.apache.wicket.RestartResponseException;
 import org.apache.wicket.ajax.AjaxRequestTarget;
-import org.apache.wicket.behavior.IBehavior;
 import org.apache.wicket.behavior.SimpleAttributeModifier;
 import org.apache.wicket.markup.html.basic.Label;
 import org.apache.wicket.markup.html.image.ContextImage;
@@ -249,9 +248,12 @@
 			add(new Label("milestone"));
 		} else {
 			// link to milestone query
-			TicketMilestone milestone = app().tickets().getMilestone(repository, ticket.milestone);
+			TicketMilestone tm = app().tickets().getMilestone(repository, ticket.milestone);
+			if (tm == null) {
+				tm = new TicketMilestone(ticket.milestone);
+			}
 			PageParameters milestoneParameters;
-			if (milestone.isOpen()) {
+			if (tm.isOpen()) {
 				milestoneParameters = WicketUtils.newOpenTicketsParameter(repositoryName);
 			} else {
 				milestoneParameters = WicketUtils.newRepositoryParameter(repositoryName);
@@ -260,10 +262,10 @@
 			int progress = 0;
 			int open = 0;
 			int closed = 0;
-			if (milestone != null) {
-				progress = milestone.getProgress();
-				open = milestone.getOpenTickets();
-				closed = milestone.getClosedTickets();
+			if (tm != null) {
+				progress = tm.getProgress();
+				open = tm.getOpenTickets();
+				closed = tm.getClosedTickets();
 			}
 
 			Fragment milestoneProgress = new Fragment("milestone", "milestoneProgressFragment", this);
@@ -284,7 +286,9 @@
 			desc = getString("gb.noDescriptionGiven");
 		} else {
 			String bugtraq = bugtraqProcessor().processText(getRepository(), repositoryName, ticket.body);
-			desc = MarkdownUtils.transformGFM(app().settings(), bugtraq, ticket.repository);
+			String html = MarkdownUtils.transformGFM(app().settings(), bugtraq, ticket.repository);
+			String safeHtml = app().xssFilter().relaxed(html);
+			desc = safeHtml;
 		}
 		add(new Label("ticketDescription", desc).setEscapeModelStrings(false));
 
@@ -520,7 +524,8 @@
 		} else {
 			// process the topic using the bugtraq config to link things
 			String topic = bugtraqProcessor().processText(getRepository(), repositoryName, ticket.topic);
-			add(new Label("ticketTopic", topic).setEscapeModelStrings(false));
+			String safeTopic = app().xssFilter().relaxed(topic);
+			add(new Label("ticketTopic", safeTopic).setEscapeModelStrings(false));
 		}
 
 
@@ -681,15 +686,6 @@
 						Label status = new Label("statusChange", entry.getStatus().toString());
 						String css = TicketsUI.getLozengeClass(entry.getStatus(), false);
 						WicketUtils.setCssClass(status, css);
-						for (IBehavior b : status.getBehaviors()) {
-							if (b instanceof SimpleAttributeModifier) {
-								SimpleAttributeModifier sam = (SimpleAttributeModifier) b;
-								if ("class".equals(sam.getAttribute())) {
-									status.add(new SimpleAttributeModifier("class", "status-change " + sam.getValue()));
-									break;
-								}
-							}
-						}
 						frag.add(status);
 						addUserAttributions(frag, entry, avatarWidth);
 						addDateAttributions(frag, entry);
@@ -700,6 +696,7 @@
 						 */
 						String bugtraq = bugtraqProcessor().processText(getRepository(), repositoryName, entry.comment.text);
 						String comment = MarkdownUtils.transformGFM(app().settings(), bugtraq, repositoryName);
+						String safeComment = app().xssFilter().relaxed(comment);
 						Fragment frag = new Fragment("entry", "commentFragment", this);
 						Label commentIcon = new Label("commentIcon");
 						if (entry.comment.src == CommentSource.Email) {
@@ -708,7 +705,7 @@
 							WicketUtils.setCssClass(commentIcon, "iconic-comment-alt2-stroke");
 						}
 						frag.add(commentIcon);
-						frag.add(new Label("comment", comment).setEscapeModelStrings(false));
+						frag.add(new Label("comment", safeComment).setEscapeModelStrings(false));
 						addUserAttributions(frag, entry, avatarWidth);
 						addDateAttributions(frag, entry);
 						item.add(frag);
@@ -969,7 +966,8 @@
 						sb.append("</td></tr>");
 					}
 					sb.append("</tbody></table>");
-					item.add(new Label("fields", sb.toString()).setEscapeModelStrings(false));
+					String safeHtml = app().xssFilter().relaxed(sb.toString());
+					item.add(new Label("fields", safeHtml).setEscapeModelStrings(false));
 				} else {
 					item.add(new Label("fields").setVisible(false));
 				}

--
Gitblit v1.9.1