Merge branch 'stable' of gitlab.com:participa/noosfero into stable

Evandro Junior
2 parents 7a09f62f 3a9e3895
Showing 37 changed files with 263 additions and 107 deletions Show diff stats
app/controllers/public/search_controller.rb
app/helpers/blog_helper.rb
app/models/article.rb
app/models/blog.rb
app/views/cms/_blog.html.erb
app/views/content_viewer/blog_page.html.erb
app/views/features/manage_fields.html.erb
lib/noosfero/api/entities.rb
lib/noosfero/api/v1/articles.rb
lib/sanitize_params.rb
plugins/google_analytics/lib/ext/profile.rb
plugins/google_analytics/lib/google_analytics_plugin.rb
plugins/google_analytics/test/functional/profile_editor_controller_test.rb
plugins/google_analytics/test/unit/google_analytics_plugin_test.rb
plugins/google_analytics/views/profile-editor-extras.html.erb
plugins/google_analytics/views/profile-editor-extras.rhtml
plugins/google_analytics/views/tracking-code.html.erb
plugins/google_analytics/views/tracking-code.rhtml
plugins/proposals_discussion
plugins/send_email/controllers/send_email_plugin_base_controller.rb
@@ -3,7 +3,10 @@ class SearchController &lt; PublicController
   helper TagsHelper
   include SearchHelper
   include ActionView::Helpers::NumberHelper
+  include SanitizeParams
+
+  before_filter :sanitize_params
   before_filter :redirect_asset_param, :except => [:assets, :suggestions]
   before_filter :load_category, :except => :suggestions
   before_filter :load_search_assets, :except => :suggestions
@@ -17,28 +17,28 @@ module BlogHelper
     _('Configure blog')
   end
-  def list_posts(articles, format = 'full', paginate = true)
+  def list_posts(articles, conf = { format: 'full', paginate: true })
     pagination = will_paginate(articles, {
       :param_name => 'npage',
       :previous_label => _('&laquo; Newer posts'),
       :next_label => _('Older posts &raquo;'),
       :params => {:action=>"view_page", :page=>articles.first.parent.path.split('/'), :controller=>"content_viewer"}
-    }) if articles.present? && paginate
+    }) if articles.present? && conf[:paginate]
     content = []
     artic_len = articles.length
     articles.each_with_index{ |art,i|
-      css_add = [ 'position-'+(i+1).to_s() ]
+      css_add = [ 'blog-post', 'position-'+(i+1).to_s() ]
       position = (i%2 == 0) ? 'odd-post' : 'even-post'
       css_add << 'first' if i == 0
       css_add << 'last'  if i == (artic_len-1)
       css_add << 'not-published' if !art.published?
-      css_add << position + '-inner'
-      content << content_tag('div',
-                             content_tag('div',
-                                         display_post(art, format).html_safe + '<br style="clear:both"/>'.html_safe,
-                                         :class => 'blog-post ' + css_add.join(' '),
-                                         :id => "post-#{art.id}"), :class => position
-                            )
+      css_add << position
+      content << (content_tag 'div', id: "post-#{art.id}", class: css_add do
+        content_tag 'div', class: position + '-inner blog-post-inner' do
+          display_post(art, conf[:format]).html_safe +
+          '<br style="clear:both"/>'.html_safe
+        end
+      end)
     }
     content.join("\n<hr class='sep-posts'/>\n") + (pagination or '')
   end
@@ -46,7 +46,16 @@ module BlogHelper
   def display_post(article, format = 'full')
     no_comments = (format == 'full') ? false : true
     title = article_title(article, :no_comments => no_comments)
-    html = send("display_#{format}_format", FilePresenter.for(article)).html_safe
+    method = "display_#{format.split('+')[0]}_format"
+    html = send(method, FilePresenter.for(article)).html_safe
+    if format.split('+')[1] == 'pic'
+      img = article.first_image
+      if img.blank?
+        '<div class="post-pic empty"></div>'
+      else
+        '<div class="post-pic" style="background-image:url('+img+')"></div>'
+      end
+    end.to_s +
     title + html
   end
@@ -784,7 +784,9 @@ class Article &lt; ActiveRecord::Base
   end
   def first_image
-    img = Nokogiri::HTML.fragment(self.lead.to_s).css('img[src]').first || Nokogiri::HTML.fragment(self.body.to_s).search('img').first
+    img = ( image.present? && { 'src' => image.public_filename } ) ||
+          Nokogiri::HTML.fragment(self.lead.to_s).css('img[src]').first ||
+          Nokogiri::HTML.fragment(self.body.to_s).search('img').first
     img.nil? ? '' : img['src']
   end
@@ -76,7 +76,7 @@ class Blog &lt; Folder
   end
   settings_items :visualization_format, :type => :string, :default => 'full'
-  validates_inclusion_of :visualization_format, :in => [ 'full', 'short' ], :if => :visualization_format
+  validates_inclusion_of :visualization_format, :in => [ 'full', 'short', 'short+pic' ], :if => :visualization_format
   settings_items :display_posts_in_current_language, :type => :boolean, :default => false
@@ -64,7 +64,11 @@
   <%= labelled_check_box(_('Remove cover image'),'remove_image',true,false)%>
 <% end %>
-<%= labelled_form_field(_('How to display posts:'), f.select(:visualization_format, [ [ _('Full post'), 'full'], [ _('First paragraph'), 'short'] ])) %>
+<%= labelled_form_field(_('How to display posts:'), f.select(:visualization_format, [
+  [ _('Full post'), 'full'],
+  [ _('First paragraph'), 'short'],
+  [ _('First paragraph, with post picture'), 'short+pic']
+])) %>
 <%= labelled_form_field(_('Posts per page:'), f.select(:posts_per_page, Blog.posts_per_page_options)) %>
@@ -18,6 +18,9 @@
      format = inside_block.visualization_format
      paginate = false
    end
-   (blog.empty? ? content_tag('em', _('(no posts)')) : list_posts(posts, format, paginate))
+   (blog.empty? ?
+     content_tag('em', _('(no posts)')) :
+     list_posts(posts, format: format, paginate: paginate)
+   )
   %>
 </div>
 <h1><%= _('Manage fields displayed for profiles') %></h1>
+<%= javascript_include_tag "manage-fields.js" %>
+
 <% tabs = [] %>
 <% tabs << {:title => _("Person's fields"), :id => 'person-fields',
   :content => (render :partial => 'manage_person_fields')} %>
@@ -11,5 +13,3 @@
 <% end %>
 <%= render_tabs(tabs) %>
-
-<%= javascript_include_tag "manage-fields.js" %>
@@ -53,9 +53,11 @@ module Noosfero
         expose :image, :using => Image
       end
-      class ArticleChild < Entity
+      class ArticleBase < Entity
         root 'articles', 'article'
-        expose :id, :body, :abstract
+        expose :id
+        expose :body
+        expose :abstract
         expose :created_at, :format_with => :timestamp
         expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
         expose :created_by, :as => :author, :using => Profile
@@ -64,18 +66,10 @@ module Noosfero
         expose :image, :using => Image
       end
-      class Article < Entity
+      class Article < ArticleBase
         root 'articles', 'article'
-        expose :id, :body, :abstract
-        expose :created_at, :format_with => :timestamp
-        expose :title, :documentation => {:type => "String", :desc => "Title of the article"}
-        expose :created_by, :as => :author, :using => Profile
-        expose :profile, :using => Profile
-        expose :categories, :using => Category
-        # FIXME: create a method that overrides expose and include conditions for return attributes
-        expose :parent, :using => Article
-        expose :children, :using => ArticleChild
-        expose :image, :using => Image
+        expose :parent, :using => ArticleBase
+        expose :children, :using => ArticleBase
       end
       class Comment < Entity
@@ -71,7 +71,7 @@ module Noosfero
             if !article.save
               render_api_errors!(article.errors.full_messages)
             end
-            present article, :with => Entities::Article
+            present article, :with => Entities::Article, :fields => params[:fields]
           end
@@ -110,7 +110,7 @@ module Noosfero
                 if !article.save
                   render_api_errors!(article.errors.full_messages)
                 end
-                present article, :with => Entities::Article
+                present article, :with => Entities::Article, :fields => params[:fields]
               end
             end
@@ -149,7 +149,7 @@ module Noosfero
                 if !article.save
                   render_api_errors!(article.errors.full_messages)
                 end
-                present article, :with => Entities::Article
+                present article, :with => Entities::Article, :fields => params[:fields]
               end
             end
@@ -188,7 +188,7 @@ module Noosfero
                 if !article.save
                   render_api_errors!(article.errors.full_messages)
                 end
-                present article, :with => Entities::Article
+                present article, :with => Entities::Article, :fields => params[:fields]
               end
             end
@@ -0,0 +1,34 @@
+module SanitizeParams
+
+  protected
+
+  # Check each request parameter for 
+  # improper HTML or Script tags
+  def sanitize_params
+    request.params.each { |k, v|
+      if v.is_a?(String)        
+        params[k] = sanitize_param v
+      elsif v.is_a?(Array)
+        params[k] = sanitize_array v
+      end
+    }
+  end
+
+  # If the parameter was an array, 
+  # try to sanitize each element in the array
+  def sanitize_array(array)
+    array.map! { |e| 
+      if e.is_a?(String)
+        sanitize_param e
+      end
+    }
+    return array
+  end
+
+  # Santitize a single value
+  def sanitize_param(value)
+    allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
+    ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
+  end
+
+end    
@@ -2,4 +2,9 @@ require_dependency &#39;profile&#39;
 class Profile
   settings_items :google_analytics_profile_id
+  attr_accessible :google_analytics_profile_id
+
+  descendants.each do |descendant|
+    descendant.attr_accessible :google_analytics_profile_id
+  end
 end
@@ -19,12 +19,15 @@ class GoogleAnalyticsPlugin &lt; Noosfero::Plugin
   def head_ending
     unless profile_id.blank?
-      expanded_template('tracking-code.rhtml',{:profile_id => profile_id})
+      expanded_template('tracking-code.html.erb',{:profile_id => profile_id})
     end
   end
   def profile_editor_extras
-    expanded_template('profile-editor-extras.rhtml',{:profile_id => profile_id})
+    analytics_id = profile_id
+    lambda {
+      render :file => 'profile-editor-extras', :locals => { :profile_id => analytics_id }
+    }
   end
 end
@@ -0,0 +1,31 @@
+require 'test_helper'
+require 'profile_editor_controller'
+
+# Re-raise errors caught by the controller.
+class ProfileEditorController; def rescue_action(e) raise e end; end
+
+class ProfileEditorControllerTest < ActionController::TestCase
+
+  def setup
+    @controller = ProfileEditorController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    @profile = create_user('default_user').person
+    login_as(@profile.identifier)
+    Environment.default.enable_plugin(GoogleAnalyticsPlugin.name)
+  end
+
+  attr_accessor :profile
+
+  should 'add extra fields to profile editor info and settings' do
+    get :edit, :profile => profile.identifier
+    assert_tag_in_string @response.body, :tag => 'label', :content => /Google Analytics/,  :attributes => { :for => 'profile_data_google_analytics_profile_id' }
+    assert_tag_in_string @response.body, :tag => 'input', :attributes => { :id => 'profile_data_google_analytics_profile_id' }
+  end
+
+  should 'save code filled in on field' do
+    post :edit, :profile => profile.identifier, :profile_data => {:google_analytics_profile_id => 12345678}
+    assert_equal '12345678', Person.find(profile.id).google_analytics_profile_id
+  end
+
+end
@@ -27,11 +27,6 @@ class GoogleAnalyticsPluginTest &lt; ActiveSupport::TestCase
     assert_equal 'content', @plugin.head_ending
   end
-  should 'add extra fields to profile editor info and settings' do
-    assert_tag_in_string @plugin.profile_editor_extras,
-      :tag => 'input', :attributes => {:id => 'profile_data_google_analytics_profile_id', :value => 10}
-  end
-
   should 'extends Profile with attr google_analytics_profile_id' do
     assert_respond_to Profile.new, :google_analytics_profile_id
   end
@@ -0,0 +1,3 @@
+<h2><%= c_('Statistics') %></h2>
+<%= labelled_form_field(_('Google Analytics Profile ID'), text_field(:profile_data, :google_analytics_profile_id, :value => profile_id)) %>
+<%= link_to(_('See how to configure statistics for your profile'), '/doc/plugins/google_analytics', :target => '_blank') %>
@@ -1,5 +0,0 @@
-<% extend ApplicationHelper %>
-
-<h2><%= c_('Statistics') %></h2>
-<%= labelled_form_field(_('Google Analytics Profile ID'), text_field(:profile_data, :google_analytics_profile_id, :value => profile_id)) %>
-<%= link_to(_('See how to configure statistics for your profile'), '/doc/plugins/google_analytics', :target => '_blank') %>
@@ -0,0 +1,9 @@
+<script>
+  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
+  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
+  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
+  })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
+
+  ga('create', '<%= escape_javascript locals[:profile_id] %>', 'auto');
+  ga('send', 'pageview');
+</script>
@@ -1,10 +0,0 @@
-<script type="text/javascript">
-  var _gaq = _gaq || [];
-  _gaq.push(['_setAccount', '<%= escape_javascript locals[:profile_id] %>']);
-  _gaq.push(['_trackPageview']);
-  (function() {
-    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
-    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
-    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
-  })();
-</script>
-Subproject commit 32e6b1fef12caf0eb674f516a39ac88ea418bd82
+Subproject commit 3a32ff13a05df2d443410642172c2a4df1585ca1
@@ -11,7 +11,8 @@ module SendEmailPluginBaseController
       )
       @mail.subject = params[:subject] unless params[:subject].blank?
       if @mail.valid?
-        SendEmailPlugin::Sender.send_message(request.referer, @context_url, @mail).deliver
+        @referer = request.referer
+        SendEmailPlugin::Sender.send_message(@referer, @context_url, @mail).deliver
         if request.xhr?
           render :text => _('Message sent')
         else
@@ -16,9 +16,9 @@ class SendEmailPlugin &lt; Noosfero::Plugin
   def parse_content(html, source)
     if context.profile
-      html.gsub!(/\{sendemail\}/, "/profile/#{context.profile.identifier}/plugin/send_email/deliver")
+      html.gsub!(/({|%7[Bb])sendemail(}|%7[Dd])/, "/profile/#{context.profile.identifier}/plugin/send_email/deliver")
     else
-      html.gsub!(/\{sendemail\}/, '/plugin/send_email/deliver')
+      html.gsub!(/({|%7[Bb])sendemail(}|%7[Dd])/, '/plugin/send_email/deliver')
     end
     [html, source]
   end
@@ -10,12 +10,11 @@ class SendEmailPlugin::Mail
   validate :recipients_format
   def initialize(attributes = {:subject => 'New mail'})
-    @environment = attributes[:environment]
-    @from = attributes[:from]
-    @to = attributes[:to]
-    @subject = attributes[:subject]
-    @message = attributes[:message]
-    @params = attributes[:params]
+    if attributes
+      attributes.each do |attr,value|
+        self.send("#{attr}=", value)
+      end
+    end
   end
   def recipients_format
@@ -36,7 +35,7 @@ class SendEmailPlugin::Mail
   end
   def params=(value = {})
-    [:action, :controller, :to, :message, :subject, :from].each{|k| value.delete(k)}
+    [:profile, :action, :controller, :to, :message, :subject, :from, :commit].each{|k| value.delete(k)}
     @params = value
   end
@@ -7,9 +7,9 @@ class SendEmailPlugin::Sender &lt; Noosfero::Plugin::MailerBase
     @params = mail.params
     mail(
+      content_type: 'text/plain',
       to: mail.to,
       from: mail.from,
-      body: mail.params,
       subject: "[#{mail.environment.name}] #{mail.subject}"
     )
   end
@@ -54,6 +54,13 @@ def run_common_tests
     post :deliver, @extra_args.merge(:to => 'john@example.com', :message => 'Hi john', :subject => 'Hello john')
     assert_equal '[Colivre.net] Hello john', ActionMailer::Base.deliveries.first.subject
   end
+
+  should 'deliver mail with message from view' do
+    Environment.any_instance.stubs(:send_email_plugin_allow_to).returns('john@example.com')
+    post :deliver, @extra_args.merge(:to => 'john@example.com', :message => 'Hi john', :subject => 'Hello john')
+    assert_match /Contact from/, ActionMailer::Base.deliveries.first.body.to_s
+  end
+
 end
 class SendEmailPluginProfileControllerTest < ActionController::TestCase
@@ -15,12 +15,14 @@ class SendEmailPluginSenderTest &lt; ActiveSupport::TestCase
   end
   should 'be able to deliver mail' do
+    @mail.expects(:params).returns({})
     response = SendEmailPlugin::Sender.send_message("http://localhost/contact", 'http//profile', @mail)
     assert_equal 'noreply@localhost', response.from.join
     assert_equal "[Noosfero] #{@mail.subject}", response.subject
   end
   should 'deliver mail to john@example.com' do
+    @mail.expects(:params).returns({})
     response = SendEmailPlugin::Sender.send_message("http://localhost/contact", 'http//profile', @mail)
     assert_equal ['john@example.com'], response.to
   end
@@ -26,4 +26,12 @@ class SendEmailPluginTest &lt; ActiveSupport::TestCase
     assert_match /profile\/#{@plugin.context.profile.identifier}\/plugin\/send_email\/deliver/, @plugin.parse_content("expand this macro {sendemail}", nil).first
   end
+  should 'expand macro used on form on profile context' do
+    profile = fast_create(Community)
+    @plugin.context.stubs(:profile).returns(profile)
+    article = RawHTMLArticle.create!(:name => 'Raw HTML', :body => "<form action='{sendemail}'></form>", :profile => profile)
+
+    assert_match /profile\/#{profile.identifier}\/plugin\/send_email\/deliver/, @plugin.parse_content(article.to_html, nil).first
+  end
+
 end
@@ -1,8 +0,0 @@
-<%= _('Contact from %s') % @referer %>
-
-<%= word_wrap(@message || @mail.message) %>
-<% (@params || @mail.params).each_pair do |key, value| %>
-<%= key %>: <%= word_wrap(value) %>
-<% end %>
----
-<%= url_for @context_url %>
@@ -0,0 +1,9 @@
+<%= _('Contact from %s') % @referer %>
+
+<%= word_wrap(@message || @mail.message) %>
+
+<% (@params || @mail.params).each_pair do |key, value| %>
+<%= key %>: <%= word_wrap(value) %>
+<% end %>
+---
+<%= url_for @context_url %>
@@ -2,7 +2,7 @@
 <table class='sendemail-plugin-message-sent'>
   <tr><td class='label'><strong><%= c_('Subject') %>:</strong></td><td class='value'><em><%=h @mail.subject %></em></td></tr>
-  <tr><td class='label'><strong><%= c_('Message') %>:</strong></td><td class='value'><pre><%=h render :file => 'send_email_plugin/sender/message' %></pre></td></tr>
+  <tr><td class='label'><strong><%= c_('Message') %>:</strong></td><td class='value'><pre><%=h render :file => 'send_email_plugin/sender/send_message' %></pre></td></tr>
 </table>
 <p><%= button :back, c_('Back'), :back %></p>
@@ -57,7 +57,7 @@ jQuery(document).ready(function(){
       }
       var checkbox = jQuery(checkboxes[i+3]).attr("id").split("_")
-      jQuery("#" + checkbox.first() + "_" + checkbox.last()).attr("checked", allchecked)
+      jQuery("#" + checkbox[0] + "_" + checkbox[checkbox.length-1]).attr("checked", allchecked)
     }
   }
@@ -74,10 +74,10 @@ jQuery(document).ready(function(){
   jQuery("input[type='checkbox']").click(function (){
     var checkbox = jQuery(this).attr("id").split("_")
-    verify_checked(checkbox.first())
+    verify_checked(checkbox[0])
     if(this.checked == false) {
-      jQuery("#" + checkbox.first() + "_" + checkbox.last()).attr("checked", false)
+      jQuery("#" + checkbox[0] + "_" + checkbox[checkbox.length-1]).attr("checked", false)
     }
   })
 })
-Subproject commit 3cf28fe31f56dea7d695e6a619fd211b05be5f5d
+Subproject commit 318967386e6f99b0debb2e3a9076bae3502e65fc
@@ -1502,6 +1502,14 @@ a.comment-picture {
 #content .title {
   margin-bottom: 2px;
 }
+.blog-post .post-pic {
+  background-position: 50% 40%;
+  background-size: cover;
+  height: 150px;
+}
+.blog-post .post-pic.empty {
+  display: none;
+}
 .metadata, .blog-post .metadata {
   display: block;
   text-align: center;
@@ -55,7 +55,7 @@ do_restart() {
   environments_loop start
   clear_cache
-  ruby -S bundle exec thin -C config/thin.yml restart --onebyone
+  RUBY_GC_MALLOC_LIMIT=250000000 RUBY_HEAP_MIN_SLOTS=800000 RUBY_FREE_MIN=32768 ruby -S bundle exec thin -C config/thin.yml restart --onebyone
 }
 stop_via_pid_file() {
@@ -85,7 +85,9 @@ environments_loop() {
 }
 do_running() {
-  pgrep -u noosfero -f 'thin server' > /dev/null
+  pids=$(sed "s/.*/& /" tmp/pids/thin.*.pid | tr -d '\n' 2>/dev/null || true)
+  # passes if any of $pids exist, fails otherwise
+  kill -0 $pids > /dev/null 2>&1
 }
 case "$ACTION" in
@@ -780,6 +780,20 @@ class ContentViewerControllerTest &lt; ActionController::TestCase
     assert_no_tag :tag => 'div', :attributes => { :class => 'short-post'}, :content => /Anything/
   end
+  should 'show only first paragraph with picture of posts if visualization_format is short+pic' do
+    login_as(profile.identifier)
+
+    blog = Blog.create!(:name => 'A blog test', :profile => profile, :visualization_format => 'short+pic')
+
+    blog.posts << TinyMceArticle.create!(:name => 'first post', :parent => blog, :profile => profile, :body => '<p>Content to be displayed.</p> <img src="pic.jpg">')
+
+    get :view_page, :profile => profile.identifier, :page => blog.path
+
+    assert_select '.blog-post .post-pic' do |el|
+      assert_match /background-image:url\(pic.jpg\)/, el.to_s
+    end
+  end
+
   should 'display link to edit blog for allowed' do
     blog = fast_create(Blog, :profile_id => profile.id, :path => 'blog')
     login_as(profile.identifier)
@@ -769,6 +769,22 @@ class SearchControllerTest &lt; ActionController::TestCase
     assert_equivalent [t1,t2,c1,c2,c3,c4] , assigns(:searches)[:communities][:results]
   end
+  should 'not allow query injection' do
+    injection = '<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>SearchParam'
+    get :tag, :tag => injection
+    tag = assigns(:tag)
+    assert !tag.upcase.include?('IMG') && tag.include?('SearchParam')
+  end
+
+  should 'not allow query injection array' do
+    injection = ['<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>', '<script>document.innerHTML = \'x\'</script>']
+    get :tag, :tag => injection
+    tag = assigns(:tag)
+    tag.each { |t| 
+      assert !t.upcase.include?('IMG') && !t.upcase.include?('SCRIPT') 
+    }
+  end
+
   protected
   def create_event(profile, options)
@@ -1715,6 +1715,18 @@ class ArticleTest &lt; ActiveSupport::TestCase
     assert_equal 'bar.png', a.first_image
   end
+  should 'get first image from having_image' do
+    a = fast_create(Article,
+      :body => '<p>Foo</p><p><img src="bar.png" /></p>',
+      :abstract => '<p>Lead</p><p><img src="lead.png" /></p>'
+    )
+    img = {}
+    img.expects(:present?).returns true
+    img.expects(:public_filename).returns 'pic.jpg'
+    a.expects(:image).at_least_once.returns img
+    assert_equal 'pic.jpg', a.first_image
+  end
+
   should 'not get first image from anywhere' do
     a = fast_create(Article, :body => '<p>Foo</p><p>Bar</p>')
     assert_equal '', a.first_image
@@ -20,30 +20,36 @@ class BlogHelperTest &lt; ActionView::TestCase
   def _(s); s; end
   def h(s); s; end
-  should 'list published posts with class blog-post' do
-    blog.children << published_post = create(TextileArticle, :name => 'Post', :profile => profile, :parent => blog, :published => true)
-
-    expects(:display_post).with(anything, anything).returns('POST')
-    expects(:content_tag).with('div', "POST<br style=\"clear:both\"/>", :class => 'blog-post position-1 first last odd-post-inner', :id => "post-#{published_post.id}").returns('POST')
-    expects(:content_tag).with('div', 'POST', {:class => 'odd-post'}).returns('RESULT')
-
-    assert_equal 'RESULT', list_posts(blog.posts)
-  end
-
-  should 'list even/odd posts with a different class' do
-    blog.children << older_post = create(TextileArticle, :name => 'First post', :profile => profile, :parent => blog, :published => true)
-
-    blog.children << newer_post = create(TextileArticle, :name => 'Second post', :profile => profile, :parent => blog, :published => true)
-
-    expects(:display_post).with(anything, anything).returns('POST').times(2)
-
-    expects(:content_tag).with('div', "POST<br style=\"clear:both\"/>", :class => 'blog-post position-1 first odd-post-inner', :id => "post-#{newer_post.id}").returns('POST 1')
-    expects(:content_tag).with('div', "POST 1", :class => 'odd-post').returns('ODD-POST')
-
-    expects(:content_tag).with('div', "POST<br style=\"clear:both\"/>", :class => 'blog-post position-2 last even-post-inner', :id => "post-#{older_post.id}").returns('POST 2')
-    expects(:content_tag).with('div', "POST 2", :class => 'even-post').returns('EVEN-POST')
-
-    assert_equal "ODD-POST\n<hr class='sep-posts'/>\nEVEN-POST", list_posts(blog.posts)
+  should 'list blog posts with identifiers and classes' do
+    blog.children << older_post = create(TextileArticle, :name => 'First post',
+                     :profile => profile, :parent => blog, :published => true)
+    blog.children << some_post = create(TextileArticle, :name => 'Some post',
+                     :profile => profile, :parent => blog, :published => true)
+    blog.children << hidden_post = create(TextileArticle, :name => 'Hidden post',
+                     :profile => profile, :parent => blog, :published => false)
+    blog.children << newer_post = create(TextileArticle, :name => 'Last post',
+                     :profile => profile, :parent => blog, :published => true)
+
+    def content_tag(tag, content_or_options_with_block = nil, options = nil, &block)
+      if block_given?
+        options = content_or_options_with_block
+        content = block.call
+      else
+        content = content_or_options_with_block
+      end
+      options ||= {}
+      "<#{tag}#{options.map{|k,v| " #{k}=\"#{[v].flatten.join(' ')}\""}.join}>#{content}</#{tag}>"
+    end
+
+    html = HTML::Document.new(list_posts(blog.posts)).root
+    assert_select html, "div#post-#{newer_post.id}.blog-post.position-1.first.odd-post" +
+                        " > div.odd-post-inner.blog-post-inner > .title", 'Last post'
+    assert_select html, "div#post-#{hidden_post.id}.blog-post.position-2.not-published.even-post" +
+                        " > div.even-post-inner.blog-post-inner > .title", 'Hidden post'
+    assert_select html, "div#post-#{some_post.id}.blog-post.position-3.odd-post" +
+                        " > div.odd-post-inner.blog-post-inner > .title", 'Some post'
+    assert_select html, "div#post-#{older_post.id}.blog-post.position-4.last.even-post" +
+                        " > div.even-post-inner.blog-post-inner > .title", 'First post'
   end
	@@ -76,7 +76,7 @@ class Blog < Folder		@@ -76,7 +76,7 @@ class Blog < Folder
76	end	76	end
77		77
78	settings_items :visualization_format, :type => :string, :default => 'full'	78	settings_items :visualization_format, :type => :string, :default => 'full'
79	- validates_inclusion_of :visualization_format, :in => [ 'full', 'short' ], :if => :visualization_format	79	+ validates_inclusion_of :visualization_format, :in => [ 'full', 'short', 'short+pic' ], :if => :visualization_format
80		80
81	settings_items :display_posts_in_current_language, :type => :boolean, :default => false	81	settings_items :display_posts_in_current_language, :type => :boolean, :default => false
82		82
	@@ -71,7 +71,7 @@ module Noosfero		@@ -71,7 +71,7 @@ module Noosfero
71	if !article.save	71	if !article.save
72	render_api_errors!(article.errors.full_messages)	72	render_api_errors!(article.errors.full_messages)
73	end	73	end
74	- present article, :with => Entities::Article	74	+ present article, :with => Entities::Article, :fields => params[:fields]
75	end	75	end
76		76
77		77
	@@ -110,7 +110,7 @@ module Noosfero		@@ -110,7 +110,7 @@ module Noosfero
110	if !article.save	110	if !article.save
111	render_api_errors!(article.errors.full_messages)	111	render_api_errors!(article.errors.full_messages)
112	end	112	end
113	- present article, :with => Entities::Article	113	+ present article, :with => Entities::Article, :fields => params[:fields]
114	end	114	end
115		115
116	end	116	end
	@@ -149,7 +149,7 @@ module Noosfero		@@ -149,7 +149,7 @@ module Noosfero
149	if !article.save	149	if !article.save
150	render_api_errors!(article.errors.full_messages)	150	render_api_errors!(article.errors.full_messages)
151	end	151	end
152	- present article, :with => Entities::Article	152	+ present article, :with => Entities::Article, :fields => params[:fields]
153	end	153	end
154		154
155	end	155	end
	@@ -188,7 +188,7 @@ module Noosfero		@@ -188,7 +188,7 @@ module Noosfero
188	if !article.save	188	if !article.save
189	render_api_errors!(article.errors.full_messages)	189	render_api_errors!(article.errors.full_messages)
190	end	190	end
191	- present article, :with => Entities::Article	191	+ present article, :with => Entities::Article, :fields => params[:fields]
192	end	192	end
193		193
194	end	194	end
@@ -0,0 +1,34 @@		@@ -0,0 +1,34 @@
	1	+module SanitizeParams
	2	+
	3	+ protected
	4	+
	5	+ # Check each request parameter for
	6	+ # improper HTML or Script tags
	7	+ def sanitize_params
	8	+ request.params.each { \|k, v\|
	9	+ if v.is_a?(String)
	10	+ params[k] = sanitize_param v
	11	+ elsif v.is_a?(Array)
	12	+ params[k] = sanitize_array v
	13	+ end
	14	+ }
	15	+ end
	16	+
	17	+ # If the parameter was an array,
	18	+ # try to sanitize each element in the array
	19	+ def sanitize_array(array)
	20	+ array.map! { \|e\|
	21	+ if e.is_a?(String)
	22	+ sanitize_param e
	23	+ end
	24	+ }
	25	+ return array
	26	+ end
	27	+
	28	+ # Santitize a single value
	29	+ def sanitize_param(value)
	30	+ allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
	31	+ ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
	32	+ end
	33	+
	34	+end
	@@ -2,4 +2,9 @@ require_dependency 'profile'		@@ -2,4 +2,9 @@ require_dependency 'profile'
2		2
3	class Profile	3	class Profile
4	settings_items :google_analytics_profile_id	4	settings_items :google_analytics_profile_id
		5	+ attr_accessible :google_analytics_profile_id
		6	+
		7	+ descendants.each do \|descendant\|
		8	+ descendant.attr_accessible :google_analytics_profile_id
		9	+ end
5	end	10	end
@@ -0,0 +1,31 @@		@@ -0,0 +1,31 @@
	1	+require 'test_helper'
	2	+require 'profile_editor_controller'
	3	+
	4	+# Re-raise errors caught by the controller.
	5	+class ProfileEditorController; def rescue_action(e) raise e end; end
	6	+
	7	+class ProfileEditorControllerTest < ActionController::TestCase
	8	+
	9	+ def setup
	10	+ @controller = ProfileEditorController.new
	11	+ @request = ActionController::TestRequest.new
	12	+ @response = ActionController::TestResponse.new
	13	+ @profile = create_user('default_user').person
	14	+ login_as(@profile.identifier)
	15	+ Environment.default.enable_plugin(GoogleAnalyticsPlugin.name)
	16	+ end
	17	+
	18	+ attr_accessor :profile
	19	+
	20	+ should 'add extra fields to profile editor info and settings' do
	21	+ get :edit, :profile => profile.identifier
	22	+ assert_tag_in_string @response.body, :tag => 'label', :content => /Google Analytics/, :attributes => { :for => 'profile_data_google_analytics_profile_id' }
	23	+ assert_tag_in_string @response.body, :tag => 'input', :attributes => { :id => 'profile_data_google_analytics_profile_id' }
	24	+ end
	25	+
	26	+ should 'save code filled in on field' do
	27	+ post :edit, :profile => profile.identifier, :profile_data => {:google_analytics_profile_id => 12345678}
	28	+ assert_equal '12345678', Person.find(profile.id).google_analytics_profile_id
	29	+ end
	30	+
	31	+end
@@ -0,0 +1,3 @@		@@ -0,0 +1,3 @@
	1	+<h2><%= c_('Statistics') %></h2>
	2	+<%= labelled_form_field(_('Google Analytics Profile ID'), text_field(:profile_data, :google_analytics_profile_id, :value => profile_id)) %>
	3	+<%= link_to(_('See how to configure statistics for your profile'), '/doc/plugins/google_analytics', :target => '_blank') %>
	@@ -1,5 +0,0 @@	@@ -1,5 +0,0 @@
1	-<% extend ApplicationHelper %>
2	-
3	-<h2><%= c_('Statistics') %></h2>
4	-<%= labelled_form_field(_('Google Analytics Profile ID'), text_field(:profile_data, :google_analytics_profile_id, :value => profile_id)) %>
5	-<%= link_to(_('See how to configure statistics for your profile'), '/doc/plugins/google_analytics', :target => '_blank') %>
@@ -0,0 +1,9 @@		@@ -0,0 +1,9 @@
	1	+<script>
	2	+ (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]\|\|function(){
	3	+ (i[r].q=i[r].q\|\|[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
	4	+ m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
	5	+ })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
	6	+
	7	+ ga('create', '<%= escape_javascript locals[:profile_id] %>', 'auto');
	8	+ ga('send', 'pageview');
	9	+</script>
	@@ -1,10 +0,0 @@	@@ -1,10 +0,0 @@
1	-<script type="text/javascript">
2	- var _gaq = _gaq \|\| [];
3	- _gaq.push(['_setAccount', '<%= escape_javascript locals[:profile_id] %>']);
4	- _gaq.push(['_trackPageview']);
5	- (function() {
6	- var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
7	- ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
8	- var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
9	- })();
10	-</script>
	@@ -16,9 +16,9 @@ class SendEmailPlugin < Noosfero::Plugin		@@ -16,9 +16,9 @@ class SendEmailPlugin < Noosfero::Plugin
16		16
17	def parse_content(html, source)	17	def parse_content(html, source)
18	if context.profile	18	if context.profile
19	- html.gsub!(/\{sendemail\}/, "/profile/#{context.profile.identifier}/plugin/send_email/deliver")	19	+ html.gsub!(/({\|%7[Bb])sendemail(}\|%7[Dd])/, "/profile/#{context.profile.identifier}/plugin/send_email/deliver")
20	else	20	else
21	- html.gsub!(/\{sendemail\}/, '/plugin/send_email/deliver')	21	+ html.gsub!(/({\|%7[Bb])sendemail(}\|%7[Dd])/, '/plugin/send_email/deliver')
22	end	22	end
23	[html, source]	23	[html, source]
24	end	24	end