proposals_discussion: strip tags in custom body label

Victor Costa
1 parent 0b5543b1
Showing 3 changed files with 55 additions and 1 deletions Show diff stats
test/functional/cms_controller_test.rb
test/functional/content_viewer_controller_test.rb
views/cms/proposals_discussion_plugin/_proposal.html.erb
@@ -0,0 +1,33 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class CmsControllerTest < ActionController::TestCase
+
+  def setup
+    @profile = fast_create(Community)
+
+    @discussion = ProposalsDiscussionPlugin::Discussion.create!(:name => 'test', :profile => @profile)
+    @topic = ProposalsDiscussionPlugin::Topic.create!(:name => 'test', :profile => @profile, :parent => @discussion)
+    @proposal = ProposalsDiscussionPlugin::Proposal.create!(:name => 'test', :profile => @profile, :parent => @topic, :abstract => "Abstract", :body => "Proposal Body")
+
+    user = create_user('testinguser')
+    @profile.add_admin(user.person)
+    login_as(user.login)
+  end
+
+  attr_reader :profile, :proposal, :topic, :discussion
+
+  should 'display custom body label when edit a proposal' do
+    discussion.custom_body_label = "My Custom Label"
+    discussion.save!
+    get :edit, :id => proposal.id, :profile => profile.identifier
+    assert_tag :tag => 'label', :attributes => {:class => 'formlabel'}, :content => 'My Custom Label'
+  end
+
+  should 'escape html tags in custom body label' do
+    discussion.custom_body_label = "My Custom <script>Label</script>"
+    discussion.save!
+    get :edit, :id => proposal.id, :profile => profile.identifier
+    assert_tag :tag => 'label', :attributes => {:class => 'formlabel'}, :content => 'My Custom Label'
+  end
+
+end
@@ -0,0 +1,21 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class ContentViewerControllerTest < ActionController::TestCase
+
+  def setup
+    @profile = fast_create(Community)
+
+    @discussion = ProposalsDiscussionPlugin::Discussion.create!(:name => 'test', :profile => @profile)
+    @topic = ProposalsDiscussionPlugin::Topic.create!(:name => 'test', :profile => @profile, :parent => @discussion)
+    @proposal = ProposalsDiscussionPlugin::Proposal.create!(:name => 'test', :profile => @profile, :parent => @topic, :abstract => "Abstract", :body => "Proposal Body")
+  end
+
+  attr_reader :profile, :proposal, :topic, :discussion
+
+  should 'display custom proposal page' do
+    get :view_page, proposal.url
+    assert_tag :tag => 'div', :attributes => {:class => 'content'}, :content => 'Abstract'
+    assert_tag :tag => 'div', :attributes => {:class => 'content'}, :content => 'Proposal Body'
+  end
+
+end
@@ -23,7 +23,7 @@
  
   <div class="body">
     <% editor_type = 'mceEditor' %>
-    <%= labelled_form_field(@article.topic.discussion.custom_body_label, text_area(:article, :body, :class => editor_type)) %>
+    <%= labelled_form_field(strip_tags(@article.topic.discussion.custom_body_label), text_area(:article, :body, :class => editor_type)) %>
   </div>
 </div>
...	...	@@ -0,0 +1,33 @@
	1	+require File.dirname(__FILE__) + '/../test_helper'
	2	+
	3	+class CmsControllerTest < ActionController::TestCase
	4	+
	5	+ def setup
	6	+ @profile = fast_create(Community)
	7	+
	8	+ @discussion = ProposalsDiscussionPlugin::Discussion.create!(:name => 'test', :profile => @profile)
	9	+ @topic = ProposalsDiscussionPlugin::Topic.create!(:name => 'test', :profile => @profile, :parent => @discussion)
	10	+ @proposal = ProposalsDiscussionPlugin::Proposal.create!(:name => 'test', :profile => @profile, :parent => @topic, :abstract => "Abstract", :body => "Proposal Body")
	11	+
	12	+ user = create_user('testinguser')
	13	+ @profile.add_admin(user.person)
	14	+ login_as(user.login)
	15	+ end
	16	+
	17	+ attr_reader :profile, :proposal, :topic, :discussion
	18	+
	19	+ should 'display custom body label when edit a proposal' do
	20	+ discussion.custom_body_label = "My Custom Label"
	21	+ discussion.save!
	22	+ get :edit, :id => proposal.id, :profile => profile.identifier
	23	+ assert_tag :tag => 'label', :attributes => {:class => 'formlabel'}, :content => 'My Custom Label'
	24	+ end
	25	+
	26	+ should 'escape html tags in custom body label' do
	27	+ discussion.custom_body_label = "My Custom <script>Label</script>"
	28	+ discussion.save!
	29	+ get :edit, :id => proposal.id, :profile => profile.identifier
	30	+ assert_tag :tag => 'label', :attributes => {:class => 'formlabel'}, :content => 'My Custom Label'
	31	+ end
	32	+
	33	+end
...	...
...	...	@@ -0,0 +1,21 @@
	1	+require File.dirname(__FILE__) + '/../test_helper'
	2	+
	3	+class ContentViewerControllerTest < ActionController::TestCase
	4	+
	5	+ def setup
	6	+ @profile = fast_create(Community)
	7	+
	8	+ @discussion = ProposalsDiscussionPlugin::Discussion.create!(:name => 'test', :profile => @profile)
	9	+ @topic = ProposalsDiscussionPlugin::Topic.create!(:name => 'test', :profile => @profile, :parent => @discussion)
	10	+ @proposal = ProposalsDiscussionPlugin::Proposal.create!(:name => 'test', :profile => @profile, :parent => @topic, :abstract => "Abstract", :body => "Proposal Body")
	11	+ end
	12	+
	13	+ attr_reader :profile, :proposal, :topic, :discussion
	14	+
	15	+ should 'display custom proposal page' do
	16	+ get :view_page, proposal.url
	17	+ assert_tag :tag => 'div', :attributes => {:class => 'content'}, :content => 'Abstract'
	18	+ assert_tag :tag => 'div', :attributes => {:class => 'content'}, :content => 'Proposal Body'
	19	+ end
	20	+
	21	+end
...	...
...	...	@@ -23,7 +23,7 @@
23	23
24	24	<div class="body">
25	25	<% editor_type = 'mceEditor' %>
26		- <%= labelled_form_field(@article.topic.discussion.custom_body_label, text_area(:article, :body, :class => editor_type)) %>
	26	+ <%= labelled_form_field(strip_tags(@article.topic.discussion.custom_body_label), text_area(:article, :body, :class => editor_type)) %>
27	27	</div>
28	28	</div>
29	29
...	...