Fix accidental promotion of label content to HTML and text/HTML confusion in unscoped/scoped labels

This is a follow-up to Stop unescaping HTML in BaseLabel#title=, #desc... (!207594 - merged).

This MR fixes accidental promotion of label content to HTML in a few places. We had a load-bearing sanitise which we can now remove, meaning we don't need to corrupt user input. See !207594 (merged) for context.

Before this MR, label_tooltip_title would return text (to be treated as text, escaped if placed into HTML) on non-EE environments, but would return HTML (to be treated as HTML, not escaped) on EE environments! This is calling for trouble. Additionally, the code that would actually cause the returned value to be treated as HTML was located in a completely different part of the codebase! This was super-action-at-a-distance.

We fix the issues by separating LabelsHelper#label_tooltip_title into two methods: label_tooltip_title which returns text, and label_tooltip_title_html which builds on that to return HTML. label_tooltip_title only ever returns text, and not sometimes-text/sometimes-HTML.

The non-EE label reference filter calls label_tooltip_title as it did before, and puts that text into the title attribute, to be displayed as a regular, non-HTML tooltip. The EE label reference filter overrides the call to instead go to label_tooltip_title_html (which is overridden in EE::LabelsHelper to add the "scoped label" tag where needed), and likewise overrides the data attribute provider to instruct the frontend to interpret the title attribute as HTML.

A few more places have been cleaned up so that it's clear where arguments are HTML or text.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Asherah Connor
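
The text/HTML split described in this MR, as an added example that is not GitLab's code: one helper only ever returns text, a second builds HTML from it by escaping exactly once, and the renderer chooses which one to place in the title attribute. The `Label` and `SafeHtml` structs, the `scoped-label-tooltip` class, the `data-html` flag, the `"::"` scoped-label test and `render_label_link` are assumptions made for illustration; only the two helper names come from the description above.

```ruby
require 'erb'

# Constructed stand-ins, not GitLab classes.
Label    = Struct.new(:title, :description)
SafeHtml = Struct.new(:html) # marks a string as already-escaped HTML

def escape(text)
  ERB::Util.html_escape(text)
end

# Assumption: a scoped label is one whose title contains "::".
def scoped?(label)
  label.title.include?('::')
end

# Always returns text. Callers must escape it before placing it in HTML.
def label_tooltip_title(label)
  label.description.to_s
end

# Always returns HTML, built from the text version by escaping it once.
def label_tooltip_title_html(label)
  body = escape(label_tooltip_title(label))
  body = %(<span class="scoped-label-tooltip">Scoped label</span><br>#{body}) if scoped?(label)
  SafeHtml.new(body)
end

# Renders the reference link. The title attribute value is always
# attribute-escaped; only the HTML variant also sets the (hypothetical)
# data-html flag telling the frontend to parse the decoded title as HTML.
def render_label_link(label, html_tooltip: false)
  if html_tooltip
    title = label_tooltip_title_html(label).html
    flag  = ' data-html="true"'
  else
    title = label_tooltip_title(label)
    flag  = ''
  end
  %(<a class="gfm-label" title="#{escape(title)}"#{flag}>#{escape(label.title)}</a>)
end

label = Label.new('priority::high', '<b>x</b>') # constructed input
puts render_label_link(label)
puts render_label_link(label, html_tooltip: true)
```

In the HTML variant the user-supplied description is escaped twice (once as HTML content, once as an attribute value), so it is still inert text after the frontend decodes the attribute and parses the result as HTML.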
