hdgarrood / redmine_release_notes

A plugin to add release notes to Redmine
GNU General Public License v3.0

single quote in the name of a custom field causes sql error #114

Open ogg1e opened 10 years ago

ogg1e commented 10 years ago

If I put a single quote in the custom field name such as:

Doesn't Need Release Notes

We then get errors when going to the version page:

Started GET "/versions/40" for 10.31.31.151 at 2014-06-06 09:14:20 -0300
Processing by VersionsController#show as HTML
  Parameters: {"id"=>"40"}
  Current user: gary.ogden (id=3)
  Rendered versions/_overview.html.erb (18.7ms)
  Rendered versions/_issue_counts.html.erb (4.8ms)
  Rendered plugins/redmine_release_notes/app/views/release_notes/_dashboard.html.erb (10.2ms)
  Rendered plugins/redmine_release_notes/app/views/hooks/release_notes/_version_show_bottom.html.erb (10.7ms)
  Rendered versions/show.html.erb within layouts/base (62.4ms)
Completed 500 Internal Server Error in 98ms

ActionView::Template::Error (Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't Need Release Notes.' ) OR NOT EXISTS (SELECT 1 FROM custom_values WHERE custom' at line 1: SELECT COUNT(DISTINCT `issues`.`id`) FROM `issues` LEFT OUTER JOIN `custom_values` ON `custom_values`.`customized_id` = `issues`.`id` AND `custom_values`.`customized_type` = 'Issue' WHERE `issues`.`fixed_version_id` = 40 AND (( custom_values.custom_field_id = 1 AND custom_values.value = 'Doesn't Need Release Notes.' ) OR NOT EXISTS (SELECT 1 FROM custom_values WHERE custom_values.customized_type = 'Issue' AND custom_values.custom_field_id = 1 AND custom_values.customized_id = issues.id) )):
    1: <% stats = version.release_notes_stats %>
    2: <% cf_none_value =  Setting.plugin_redmine_release_notes[:field_value_not_required] %>
    3: <% cf_name = CustomField.find_by_id(Setting.plugin_redmine_release_notes[:issue_custom_field_id]).name %>
    4:
  lib/redmine/hook.rb:61:in `block (2 levels) in call_hook'
  lib/redmine/hook.rb:61:in `each'
  lib/redmine/hook.rb:61:in `block in call_hook'
  lib/redmine/hook.rb:58:in `tap'
  lib/redmine/hook.rb:58:in `call_hook'
  lib/redmine/hook.rb:158:in `call_hook'
  app/views/versions/show.html.erb:52:in `_app_views_versions_show_html_erb__27142267__627597628'
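Added example, not the plugin's own code: the failing statement in the trace above shows the configured "not required" value spliced into the SQL as a raw string literal, which is why the apostrophe in the value terminates the literal early and MySQL reports a syntax error near `t Need Release Notes.`. The same construction would change the query's logic if the value contained SQL rather than just an apostrophe. The Ruby below rebuilds that condition three ways: the interpolated form that reproduces the broken literal, a quoted form, and the bind-parameter form that ActiveRecord's `where(["... = ?", value])` uses. `FIELD_ID`, `NONE_VALUE`, the function names and `quote_literal` are assumptions; `quote_literal` is a stand-in for the database adapter's own quoting, which real code should call instead.

```ruby
# Added example; not code from redmine_release_notes.
# Constructed inputs mirroring the values visible in the failing query.
FIELD_ID   = 1
NONE_VALUE = "Doesn't Need Release Notes."   # the setting value seen in the log

# Unsafe: the value is interpolated straight into the literal. With an
# apostrophe in the value this yields the unterminated literal MySQL rejected.
def unsafe_condition(field_id, none_value)
  "( custom_values.custom_field_id = #{field_id.to_i} " \
  "AND custom_values.value = '#{none_value}' )"
end

# Stand-in for an adapter's literal quoting (assumption, not the plugin's code):
# double embedded single quotes and escape backslashes, MySQL-style.
def quote_literal(str)
  escaped = str.gsub("\\") { "\\\\" }.gsub("'") { "''" }
  "'#{escaped}'"
end

# Safer: the value goes through quoting before it reaches the statement.
def safe_condition_quoted(field_id, none_value)
  "( custom_values.custom_field_id = #{field_id.to_i} " \
  "AND custom_values.value = #{quote_literal(none_value)} )"
end

# Preferred: bind parameters. Returns the array ActiveRecord accepts in
# `where([sql, *binds])`; the adapter quotes each bind itself.
def safe_condition_bound(field_id, none_value)
  ["( custom_values.custom_field_id = ? AND custom_values.value = ? )",
   field_id.to_i, none_value]
end

# Rough detector for the failure mode in the log: an odd number of single
# quotes means a literal was left open. Doubled quotes ('') still count as a
# pair, so properly quoted SQL passes. Heuristic only; ignores backslash escapes.
def quotes_balanced?(sql)
  sql.count("'").even?
end

if __FILE__ == $0
  puts "unsafe : #{unsafe_condition(FIELD_ID, NONE_VALUE)}"
  puts "quoted : #{safe_condition_quoted(FIELD_ID, NONE_VALUE)}"
  puts "bound  : #{safe_condition_bound(FIELD_ID, NONE_VALUE).inspect}"
  puts "unsafe balanced? #{quotes_balanced?(unsafe_condition(FIELD_ID, NONE_VALUE))}"
end
```

Running the file prints the three forms; the unsafe one contains `'Doesn't Need Release Notes.'`, which is the exact fragment MySQL choked on, while the quoted form carries `'Doesn''t Need Release Notes.'`. The bound form is the one to use in the plugin's `where` clause, since it removes the need to quote anything by hand.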