Commit 963fc12347c3b5dbb1fc40bfd1cb0d0b6ffdb06e
1 parent
9cc7056d
Exists in
staging
and in
31 other branches
html_safe: avoid escape task information string
Showing
2 changed files
with
9 additions
and
1 deletions
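--- a/app/views/profile_editor/_pending_tasks.html.erb
+++ b/app/views/profile_editor/_pending_tasks.html.erb
@@ -4,7 +4,7 @@
 <div class='pending-tasks'>
 <h2><%= _('You have pending requests') %></h2>
 <ul>
-<%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task))}) %>
+<%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task).html_safe)}) %>
 </ul>
 <%= button(:todo, _('Process requests'), :controller => 'tasks', :action => 'index') %>
 </div>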
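Review bot: Calling `.html_safe` on the whole return value of `task_information(task)` on new line 7 marks every byte of that string as trusted, so any requestor name, target name or task field the helper interpolates without escaping would reach the profile owner's page as raw HTML. The helper's body is not part of this diff, so whether it escapes those values cannot be confirmed from here and should be checked before merging. A more robust shape keeps the view as `content_tag('li', task_information(task))` and has the helper return a SafeBuffer it builds itself, passing each dynamic value through `h(...)` and marking only its own fixed markup as safe. If the call-site `.html_safe` stays, a comment such as `<%# task_information must escape every interpolated value; its output is rendered unescaped %>` would record the contract for the next editor.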
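--- a/test/integration/safe_strings_test.rb
+++ b/test/integration/safe_strings_test.rb
@@ -84,4 +84,12 @@ class SafeStringsTest < ActionDispatch::IntegrationTest
 }
 end
 
+should 'not escape task information on manage profile' do
+create_user('marley', :password => 'test', :password_confirmation => 'test').activate
+person = Person['marley']
+task = create(Task, :requestor => person, :target => person)
+login 'marley', 'test'
+get "/myprofile/marley"
+assert_select ".pending-tasks ul li a"
+end
 end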
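Review bot: The new test on lines 87-94 only asserts that the helper's own link markup survives (`assert_select ".pending-tasks ul li a"`), so it would still pass if user-controlled text in the task line were also rendered unescaped. Since the view now outputs that string without escaping, the test should also pin the other half of the contract: give the requestor a display name containing markup such as `<b>marley</b>` and add `assert_select ".pending-tasks ul li b", 0`. The local `task` on line 90 is assigned but never read, so the assignment can be dropped and the line left as a bare `create(Task, :requestor => person, :target => person)`.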