Commit 41f4497bfd44d87c6c0e3cbf562360aaa1aae2c6

Authored by Leandro Santos
1 parent fbdee132

CustomFormsPlugin: should not escape javascripts elements

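--- a/plugins/custom_forms/lib/custom_forms_plugin/helper.rb
+++ b/plugins/custom_forms/lib/custom_forms_plugin/helper.rb
@@ -71,7 +71,7 @@ module CustomFormsPlugin::Helper
 def display_custom_field(field, submission, form)
 sanitized_name = ActionView::Base.white_list_sanitizer.sanitize field.name
 answer = submission.answers.select{|answer| answer.field == field}.first
-field_tag = send("display_#{type_for_options(field.class)}",field, answer, form)
+field_tag = send("display_#{type_for_options(field.class)}",field, answer, form).html_safe
 if field.mandatory? && submission.id.nil?
 required(labelled_form_field(sanitized_name, field_tag))
 else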
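Review bot: The `.html_safe` added to `field_tag` marks the raw return of the `display_*` helper as safe without any visible escaping of what those helpers interpolate, and the only call site in this commit (`shared/_form_submission.html.erb`) adds a second `.html_safe` on the same value, so one of the two is redundant. If any `display_*` helper assembles markup by string interpolation of `answer` content rather than through Rails tag helpers, the stored answer would now be rendered unescaped; that cannot be confirmed from this hunk, so it is worth checking each `display_*` before relying on this. The safer place to assert safety is where the string is built from already-escaped parts, with a note on the method such as `# Returns an html_safe fragment; callers must not re-escape or re-mark it.` The method body continues past the hunk (the else branch is not shown).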
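--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
@@ -12,7 +12,7 @@
 <%= f.hidden_field(:position) %>
 
 <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-<%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{CGI::escapeHTML(_('Are you sure you want to remove this field?').to_json)})" %>
+<%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{_('Are you sure you want to remove this field?').to_json})" %>
 <%= yield %>
 </div>
 </fieldset>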
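Review bot: Dropping `CGI::escapeHTML` around the `to_json` literal is only correct if `button_to_function` escapes the generated `onclick` attribute value itself, as Rails' tag helpers do for strings that are not `html_safe`; the JSON literal contains double quotes, so an attribute that is not escaped would end at the first `"`. The double escaping this commit removes suggests the helper does escape, but its definition is not in the diff, so the assumption should be confirmed and recorded, e.g. `<%# onclick is attribute-escaped by the tag helper; do not pre-escape the JSON %>` at this line. The same reasoning applies to the `button` calls in `_form.html.erb` and `_select_field.html.erb` and to `button_to_function_without_text` in `_alternative.html.erb`, where `html_for_field(...).to_json` additionally embeds rendered markup and depends on `to_json` escaping `<`, `>` and `&` as it does by default in ActiveSupport.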
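--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
@@ -51,8 +51,8 @@
 </ul>
 
 <div class="addition-buttons">
-<%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json)}); return false")%>
-<%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json)}); return false")%>
+<%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json}); return false")%>
+<%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json}); return false")%>
 </div>
 
 <%= button_bar do %>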
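--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
@@ -7,6 +7,6 @@
 
 <td>
 <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-<%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{CGI::escapeHTML(_('Are you sure you want to remove this alternative?').to_json)})", :class => 'remove-field', :title => _('Remove alternative') %>
+<%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{_('Are you sure you want to remove this alternative?').to_json})", :class => 'remove-field', :title => _('Remove alternative') %>
 </td>
 </tr>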
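--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
@@ -22,7 +22,7 @@
 <tfoot>
 <tr class="addition-buttons">
 <td colspan="3">
-<%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{CGI::escapeHTML(html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json)}); return false") %>
+<%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json}); return false") %>
 </td>
 </tr>
 </tfoot>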
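--- a/plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
@@ -1,7 +1,7 @@
 <div id="custom-forms-plugin_submission">
 
 <h1><%= @form.name %></h1>
-<p><%= @form.description %></p>
+<p><%= @form.description.html_safe %></p>
 
 <% if @submission.id.nil? %>
 <% if @form.expired? %>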
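Review bot: `@form.description.html_safe` renders whatever HTML is stored in the description, a value entered by the form's author, and nothing in this diff shows it being sanitized on save, so this line removes the only escaping step between a stored value and the page. `html_safe` asserts safety without enforcing it; passing the value through the same whitelist sanitizer the helper already uses for field names keeps intended markup while dropping scripts and event attributes: `<p><%= sanitize(@form.description) %></p>`. If description is in fact sanitized at write time, that guarantee should be stated next to this line so the `html_safe` is not silently relied on, e.g. `<%# description is whitelist-sanitized before save %>`.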
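--- a/plugins/custom_forms/views/shared/_form_submission.html.erb
+++ b/plugins/custom_forms/views/shared/_form_submission.html.erb
@@ -1,5 +1,5 @@
 <% self.extend(CustomFormsPlugin::Helper) %>
 
 <% @form.fields.each do |field| %>
-<%= display_custom_field(field, @submission, f.object_name) %>
+<%= display_custom_field(field, @submission, f.object_name).html_safe %>
 <% end %>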