Commit 0834f87c5e29abdf0525c080c955effb2952ccc1

Authored by Joenio Costa
1 parent e73ac0c3

not escape HTML from newsletter moderation tasks

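--- a/plugins/newsletter/test/integration/safe_strings_test.rb
+++ b/plugins/newsletter/test/integration/safe_strings_test.rb
@@ -0,0 +1,31 @@
+require 'test_helper'
+
+class NewsletterPluginSafeStringsTest < ActionDispatch::IntegrationTest
+
+ should 'not escape HTML from newsletter pending task' do
+ environment = Environment.default
+ environment.enable_plugin('newsletter')
+ person = create_user('john', :environment_id => environment.id, :password => 'test', :password_confirmation => 'test').person
+ person.user.activate
+ environment.add_admin(person)
+
+ blog = fast_create(Blog, :profile_id => person.id)
+ post = fast_create(TextileArticle, :name => 'First post', :profile_id => person.id, :parent_id => blog.id, :body => 'Test')
+ newsletter = NewsletterPlugin::Newsletter.create!(:environment => environment, :person => person, :enabled => true)
+ newsletter.blog_ids = [blog.id]
+ newsletter.save!
+ task = NewsletterPlugin::ModerateNewsletter.create!(
+ :newsletter_id => newsletter.id,
+ :target => environment,
+ :post_ids => [post.id.to_s]
+ )
+
+ login 'john', 'test'
+ get '/myprofile/john/tasks'
+
+ assert_tag :tag => 'input',
+ :attributes => { :type => 'checkbox', :name => "tasks[#{task.id}][task][post_ids][]" },
+ :sibling => { :tag => 'span' }
+ end
+
+end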
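Review bot: The closing `assert_tag` only proves that the checkbox input and its `span` sibling reached the page; it does not show that the rest of `newsletter_content` (the post markup the regex replacements are spliced into) rendered unescaped, which is the regression the test name describes. A second check on the body would pin that, e.g. `assert_no_match(/&lt;(span|img|input)/, response.body)`. The hidden field produced alongside the checkbox is part of the same replacement, so `assert_tag :tag => 'input', :attributes => { :type => 'hidden', :name => "tasks[#{task.id}][task][post_ids][]" }` would cover both halves of `post_check_box`.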
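--- a/plugins/newsletter/views/tasks/newsletter_plugin/_moderate_newsletter_accept_details.html.erb
+++ b/plugins/newsletter/views/tasks/newsletter_plugin/_moderate_newsletter_accept_details.html.erb
@@ -9,9 +9,9 @@
 <% input_name = "tasks[#{task.id}][task][post_ids][]" %>
 <% post_check_box = hidden_field_tag(input_name, '0') +check_box_tag(input_name, post.id, true) %>
 
-  <% newsletter_content.gsub!(/<span([^>]*?) id="#{post.id}"/, post_check_box + '<span\\1')%>
-  <% newsletter_content.gsub!(/<img([^>]*?) id="#{post.id}"/, post_check_box + '<img\\1') %>
+  <% newsletter_content.gsub!(/<span([^>]*?) id="#{post.id}"/, post_check_box + '<span\\1'.html_safe) %>
+  <% newsletter_content.gsub!(/<img([^>]*?) id="#{post.id}"/, post_check_box + '<img\\1'.html_safe) %>
 <% end %>
 
-  <%= newsletter_content %>
+  <%= newsletter_content.html_safe %>
 </div>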
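Review bot: The `newsletter_content.html_safe` on the last changed line re-asserts trust in the whole accumulated string, and nothing in the hunk records why that is sound, so the next maintainer may read it as an arbitrary escape bypass. The cast is presumably needed because the two `gsub!` calls above clear the html_safe flag when called on an ActiveSupport SafeBuffer, so I would document that next to the output: `<%# gsub! drops the html_safe flag; content is re-marked safe here, relying on it having been sanitized before this partial %>`. Whether `newsletter_content` is actually sanitized before it reaches this partial is not visible here and should be confirmed against the caller. The `<% end %>` closes a loop that begins before the hunk, and the partial continues past it.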