From 5e64f81550744c24b022e3e69a01ba1896735a34 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon <pingou@pingoured.fr>
Date: Aug 26 2015 09:48:41 +0000
Subject: Input that are cleaned via the noJS filter are safe to be displayed


This avoid double encoding to HTML.
noJS has a finite list of HTML tags allowed and everything else will be
escape. If we do not say the content is safe, the output of the noJS will
itself be escaped as well by jinja2.
Thus the sign '<' will be escaped as '&lt;' by noJS and then by jinja2
making it appear as '&lt;' instead of making is appear like '<'.

Fixes https://pagure.io/pagure/issue/336

---

diff --git a/pagure/templates/issue.html b/pagure/templates/issue.html
index 31e7810..cf13032 100644
--- a/pagure/templates/issue.html
+++ b/pagure/templates/issue.html
@@ -37,7 +37,7 @@
 
 <h2>
     <span class="issueid">#{{ issueid }}</span> <span id="issuetitle">{{
-        issue.title | noJS }}</span>
+        issue.title | noJS | safe }}</span>
     {% if authenticated and (repo_admin or g.fas_user.username == issue.user.username) %}
     -  <a href="{{ url_for('edit_issue', username=username,
                   repo=repo.name, issueid=issueid) }}">
diff --git a/pagure/templates/issues.html b/pagure/templates/issues.html
index 3606036..ee0a33b 100644
--- a/pagure/templates/issues.html
+++ b/pagure/templates/issues.html
@@ -84,7 +84,7 @@
             <td>
                 <a href="{{ url_for('view_issue', username=username,
                     repo=repo.name, issueid=issue.id) }}">
-                    {{ issue.title | noJS }}
+                    {{ issue.title | noJS | safe }}
                 </a>
             </td>
             <td>
diff --git a/pagure/templates/pull_request.html b/pagure/templates/pull_request.html
index d79b5f0..099e185 100644
--- a/pagure/templates/pull_request.html
+++ b/pagure/templates/pull_request.html
@@ -26,7 +26,7 @@
 
 {% if pull_request %}
 <div class="header">
-    <h3>Title: {{ pull_request.title | noJS }}</h3>
+    <h3>Title: {{ pull_request.title | noJS | safe }}</h3>
     <ul class="buttons">
   {% if pull_request.status == 'Open' and repo_admin %}
       <li>
diff --git a/pagure/templates/requests.html b/pagure/templates/requests.html
index 03c2671..470d5f4 100644
--- a/pagure/templates/requests.html
+++ b/pagure/templates/requests.html
@@ -56,7 +56,7 @@
             <td>
               <a href="{{ url_for('request_pull', username=username,
                   repo=repo.name, requestid=request.id) }}">
-                {{ request.title | noJS }}
+                {{ request.title | noJS | safe }}
               </a>
             </td>
             <td>