From 82b13a21a6ab71027fb21b4555a207cfd398dafb Mon Sep 17 00:00:00 2001
From: Makoto Scott-Hinkle <makoto@teamtreehouse.com>
Date: Mon, 26 Sep 2016 16:47:34 -0700
Subject: [PATCH] Allowing ">" to be used for the Milestone model's title and
 storing the value in the db unescaped.

Updating test value for milestone title

Adding API test for title with reserved HTML characters.

Updating changelog

Adding the MR number for fixing bug #22452.

removing duplicate line

Updating MR number.
---
 CHANGELOG                            | 1 +
 app/models/milestone.rb              | 6 +++++-
 spec/models/milestone_spec.rb        | 4 ++--
 spec/requests/api/milestones_spec.rb | 8 ++++++++
 4 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index b4368c2cf9e..ffa1096c058 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -20,6 +20,7 @@ v 8.13.0 (unreleased)
   - Optimize GitHub importing for speed and memory
   - API: expose pipeline data in builds API (!6502, Guilherme Salazar)
   - Fix broken repository 500 errors in project list
+  - Fix unnecessary escaping of reserved HTML characters in milestone title. !6533
 
 v 8.12.4 (unreleased)
 
diff --git a/app/models/milestone.rb b/app/models/milestone.rb
index 2bd7f198030..44c3cbb2c73 100644
--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@@ -158,7 +158,7 @@ class Milestone < ActiveRecord::Base
   end
 
   def title=(value)
-    write_attribute(:title, Sanitize.clean(value.to_s)) if value.present?
+    write_attribute(:title, sanitize_title(value)) if value.present?
   end
 
   # Sorts the issues for the given IDs.
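Review bot: `title=` now stores a decoded, tag-stripped string, but nothing at the setter says so; a reader who sees `sanitize_title` where `Sanitize.clean` used to be will assume the stored value is still HTML-escaped. Add a comment above the setter such as `# Stores the title as plain text: tags are stripped and HTML entities decoded, so it must be escaped again when rendered.` The Milestone class and the method that follows the setter both continue outside this hunk.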
@@ -204,4 +204,8 @@ class Milestone < ActiveRecord::Base
       iid
     end
   end
+
+  def sanitize_title(value)
+    CGI.unescape_html(Sanitize.clean(value.to_s))
+  end
 end
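Review bot: Decoding after sanitizing in `sanitize_title` (line 56) gives up the guarantee the old bare `Sanitize.clean` call provided for entity-encoded input: if I read Sanitize's default text handling correctly, a title submitted as `&lt;b&gt;` passes `Sanitize.clean` unchanged and `CGI.unescape_html` then turns it into `<b>`, so the stored value is no longer guaranteed to be markup-free. That is only safe if every place that renders `title` escapes it (default ERB escaping does; any `raw`/`html_safe` use of the title would not), so the method should state that contract, e.g. `# Strips tags, then decodes entities so "&", "<" and ">" round-trip; the result is plain text and must be escaped on output.` The helper is also added as a public instance method; unless something outside this hunk calls it, it belongs under `private`. The enclosing class begins outside the hunk.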
diff --git a/spec/models/milestone_spec.rb b/spec/models/milestone_spec.rb
index d64d6cde2b5..33fe22dd98c 100644
--- a/spec/models/milestone_spec.rb
+++ b/spec/models/milestone_spec.rb
@@ -20,10 +20,10 @@ describe Milestone, models: true do
   let(:user) { create(:user) }
 
   describe "#title" do
-    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+    let(:milestone) { create(:milestone, title: "<b>foo & bar -> 2.2</b>") }
 
     it "sanitizes title" do
-      expect(milestone.title).to eq("test")
+      expect(milestone.title).to eq("foo & bar -> 2.2")
     end
   end
 
diff --git a/spec/requests/api/milestones_spec.rb b/spec/requests/api/milestones_spec.rb
index b89dac01040..dd192bea432 100644
--- a/spec/requests/api/milestones_spec.rb
+++ b/spec/requests/api/milestones_spec.rb
@@ -104,6 +104,14 @@ describe API::API, api: true  do
 
       expect(response).to have_http_status(400)
     end
+
+    it 'creates a new project with reserved html characters' do
+      post api("/projects/#{project.id}/milestones", user), title: 'foo & bar 1.1 -> 2.2'
+
+      expect(response).to have_http_status(201)
+      expect(json_response['title']).to eq('foo & bar 1.1 -> 2.2')
+      expect(json_response['description']).to be_nil
+    end
   end
 
   describe 'PUT /projects/:id/milestones/:milestone_id' do
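Review bot: The new example's description at line 85 says it creates a project, but the request posts to the milestones endpoint and asserts on a milestone title; rename it to `it 'creates a new milestone with reserved html characters' do`. The surrounding POST `describe` block starts outside the hunk.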
-- 
GitLab