Fixed improper Markdown escaping for some tooltips

9 files changed, 21 insertions, 9 deletions

diff --git a/app/Helper/TextHelper.php b/app/Helper/TextHelper.php
index 97b12c49..654eb171 100644
--- a/app/Helper/TextHelper.php
+++ b/app/Helper/TextHelper.php
@@ -39,6 +39,18 @@ class TextHelper extends Base
     }
 
     /**
+     * Escape Markdown text that need to be stored in HTML attribute
+     *
+     * @access public
+     * @param  string $text
+     * @return mixed
+     */
+    public function markdownAttribute($text)
+    {
+        return htmlentities($this->markdown($text), ENT_QUOTES, 'UTF-8');
+    }
+
+    /**
      * Format a file size
      *
      * @param  integer  $size        Size in bytes
diff --git a/app/Template/app/projects.php b/app/Template/app/projects.php
index 4ab8b106..733a108d 100644
--- a/app/Template/app/projects.php
+++ b/app/Template/app/projects.php
@@ -31,7 +31,7 @@
 
                 <?= $this->url->link($this->text->e($project['name']), 'board', 'show', array('project_id' => $project['id'])) ?>
                 <?php if (! empty($project['description'])): ?>
-                    <span class="tooltip" title='<?= $this->text->e($this->text->markdown($project['description'])) ?>'>
+                    <span class="tooltip" title="<?= $this->text->markdownAttribute($project['description']) ?>">
                         <i class="fa fa-info-circle"></i>
                     </span>
                 <?php endif ?>
diff --git a/app/Template/board/table_column.php b/app/Template/board/table_column.php
index 48538c88..24abdf99 100644
--- a/app/Template/board/table_column.php
+++ b/app/Template/board/table_column.php
@@ -47,7 +47,7 @@
             </span>
 
             <?php if (! $not_editable && ! empty($column['description'])): ?>
-                <span class="tooltip pull-right" title='<?= $this->text->e($this->text->markdown($column['description'])) ?>'>
+                <span class="tooltip pull-right" title="<?= $this->text->markdownAttribute($column['description']) ?>">
                     &nbsp;<i class="fa fa-info-circle"></i>
                 </span>
             <?php endif ?>
diff --git a/app/Template/board/task_footer.php b/app/Template/board/task_footer.php
index a9d381a3..dd154140 100644
--- a/app/Template/board/task_footer.php
+++ b/app/Template/board/task_footer.php
@@ -11,7 +11,7 @@
                 array('task_id' => $task['id'], 'project_id' => $task['project_id']),
                 false,
                 'popover' . (! empty($task['category_description']) ? ' tooltip' : ''),
-                ! empty($task['category_description']) ? $this->text->markdown($task['category_description']) : t('Change category')
+                ! empty($task['category_description']) ? $this->text->markdownAttribute($task['category_description']) : t('Change category')
             ) ?>
         <?php endif ?>
     </span>
@@ -76,7 +76,7 @@
             <i class="fa fa-flag flag-milestone"></i>
         </span>
     <?php endif ?>
-    
+
     <?= $this->hook->render('template:board:task:icons', array('task' => $task)) ?>
 
     <?= $this->task->formatPriority($project, $task) ?>
diff --git a/app/Template/column/index.php b/app/Template/column/index.php
index eef176f3..6bc67c5a 100644
--- a/app/Template/column/index.php
+++ b/app/Template/column/index.php
@@ -28,7 +28,7 @@
                 <i class="fa fa-arrows-alt draggable-row-handle" title="<?= t('Change column position') ?>"></i>
                 <?= $this->text->e($column['title']) ?>
                 <?php if (! empty($column['description'])): ?>
-                    <span class="tooltip" title='<?= $this->text->e($this->text->markdown($column['description'])) ?>'>
+                    <span class="tooltip" title="<?= $this->text->markdownAttribute($column['description']) ?>">
                         <i class="fa fa-info-circle"></i>
                     </span>
                 <?php endif ?>
diff --git a/app/Template/header.php b/app/Template/header.php
index a8fd47f2..3885e671 100644
--- a/app/Template/header.php
+++ b/app/Template/header.php
@@ -8,7 +8,7 @@
                 <?= $this->text->e($title) ?>
             </span>
             <?php if (! empty($description)): ?>
-                <span class="tooltip" title='<?= $this->text->e($this->text->markdown($description)) ?>'>
+                <span class="tooltip" title="<?= $this->text->markdownAttribute($description) ?>">
                     <i class="fa fa-info-circle"></i>
                 </span>
             <?php endif ?>
diff --git a/app/Template/project/index.php b/app/Template/project/index.php
index 10d4aaa2..0194672a 100644
--- a/app/Template/project/index.php
+++ b/app/Template/project/index.php
@@ -49,7 +49,7 @@
                     <?php endif ?>
 
                     <?php if (! empty($project['description'])): ?>
-                        <span class="tooltip" title='<?= $this->text->e($this->text->markdown($project['description'])) ?>'>
+                        <span class="tooltip" title="<?= $this->text->markdownAttribute($project['description']) ?>">
                             <i class="fa fa-info-circle"></i>
                         </span>
                     <?php endif ?>
diff --git a/app/Template/project/show.php b/app/Template/project/show.php
index 42eeec4d..4aba4919 100644
--- a/app/Template/project/show.php
+++ b/app/Template/project/show.php
@@ -63,7 +63,7 @@
         <td>
             <?= $this->text->e($column['title']) ?>
             <?php if (! empty($column['description'])): ?>
-                <span class="tooltip" title='<?= $this->text->e($this->text->markdown($column['description'])) ?>'>
+                <span class="tooltip" title="<?= $this->text->markdownAttribute($column['description']) ?>">
                     <i class="fa fa-info-circle"></i>
                 </span>
             <?php endif ?>
diff --git a/app/Template/swimlane/table.php b/app/Template/swimlane/table.php
index 17be6924..ec3cb621 100644
--- a/app/Template/swimlane/table.php
+++ b/app/Template/swimlane/table.php
@@ -45,7 +45,7 @@
                 <?= $this->text->e($swimlane['name']) ?>
 
                 <?php if (! empty($swimlane['description'])): ?>
-                    <span class="tooltip" title='<?= $this->text->e($this->text->markdown($swimlane['description'])) ?>'>
+                    <span class="tooltip" title="<?= $this->text->markdownAttribute($swimlane['description']) ?>">
                         <i class="fa fa-info-circle"></i>
                     </span>
                 <?php endif ?>