Fix username escaping when clicking 'assign to me'

Add spec for assigning user with apostrophe in name

Fix username escaping when clicking 'assign to me'
6c199005 · E'zeki&el Kigbo · Fatih Acet · b64e261b · 6c199005 · 6c199005
Commit 6c199005 authored 6 years ago by E'zeki&el Kigbo Committed by Fatih Acet 6 years ago
--- a/app/assets/javascripts/users_select.js
+++ b/app/assets/javascripts/users_select.js
@@ -93,23 +93,22 @@ function UsersSelect(currentUser, els, options = {}) {
          }
  
          // Save current selected user to the DOM
-          const input = document.createElement('input');
-          input.type = 'hidden';
-          input.name = $dropdown.data('fieldName');
-
-          const currentUserInfo = $dropdown.data('currentUserInfo');
-
-          if (currentUserInfo) {
-            input.value = currentUserInfo.id;
-            input.dataset.meta = _.escape(currentUserInfo.name);
-          } else if (_this.currentUser) {
-            input.value = _this.currentUser.id;
-          }
+          const currentUserInfo = $dropdown.data('currentUserInfo') || {};
+          const currentUser = _this.currentUser || {};
+          const fieldName = $dropdown.data('fieldName');
+          const userName = currentUserInfo.name;
+          const userId = currentUserInfo.id || currentUser.id;
+
+          const inputHtmlString = _.template(`
+            <input type="hidden" name="<%- fieldName %>"
+              data-meta="<%- userName %>"
+              value="<%- userId %>" />
+            `)({ fieldName, userName, userId });
  
          if ($selectbox) {
-            $dropdown.parent().before(input);
+            $dropdown.parent().before(inputHtmlString);
          } else {
-            $dropdown.after(input);
+            $dropdown.after(inputHtmlString);
          }
        };
  

--- a/changelogs/unreleased/37673-minor-issue-with-apostrophe-single-quote-when-clicking-assign-to-me.yml
+++ b/changelogs/unreleased/37673-minor-issue-with-apostrophe-single-quote-when-clicking-assign-to-me.yml
+---
+title: Fix username escaping when using assign to me for issues
+merge_request: 24673
+author:
+type: fixed
--- a/spec/features/issues/user_creates_issue_spec.rb
+++ b/spec/features/issues/user_creates_issue_spec.rb
@@ -93,4 +93,22 @@ describe "User creates issue" do
      end
    end
  end
+
+  context "when signed in as user with special characters in their name" do
+    let(:user_special) { create(:user, name: "Jon O'Shea") }
+
+    before do
+      project.add_developer(user_special)
+      sign_in(user_special)
+
+      visit(new_project_issue_path(project))
+    end
+
+    it "will correctly escape user names with an apostrophe when clicking 'Assign to me'", :js do
+      first('.assign-to-me-link').click
+
+      expect(page).to have_content(user_special.name)
+      expect(page.find('input[name="issue[assignee_ids][]"]', visible: false)['data-meta']).to eq(user_special.name)
+    end
+  end
 end