Better custom forms submissions display

Also does some security enhancement for custom forms by sanitizing content.

Better custom forms submissions display
Also does some security enhancement for custom forms by sanitizing content.
Aurélio A. Heckert · Larissa Reis
1 parent 5f1ce128
Showing 6 changed files with 95 additions and 7 deletions Show diff stats
plugins/custom_forms/lib/custom_forms_plugin/answer.rb
plugins/custom_forms/lib/custom_forms_plugin/helper.rb
plugins/custom_forms/lib/custom_forms_plugin/submission.rb
plugins/custom_forms/public/style.css
plugins/custom_forms/views/custom_forms_plugin_myprofile/show_submission.html.erb
plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
@@ -14,10 +14,14 @@ class CustomFormsPlugin::Answer &lt; ActiveRecord::Base
     end
   end
  
-  def to_s
-    return value if value.blank? || field.alternatives.blank?
+  def to_text_list
+    return [value] if value.blank? || field.alternatives.blank?
     selected = value.split(',')
-    field.alternatives.select {|alt| selected.include? alt.id.to_s }.map(&:label).join(';')
+    field.alternatives.select {|alt| selected.include? alt.id.to_s }.map(&:label)
+  end
+
+  def to_s
+    to_text_list.join(';')
   end
 end
  
@@ -69,12 +69,13 @@ module CustomFormsPlugin::Helper
   end
  
   def display_custom_field(field, submission, form)
+    sanitized_name = ActionView::Base.white_list_sanitizer.sanitize field.name
     answer = submission.answers.select{|answer| answer.field == field}.first
     field_tag = send("display_#{type_for_options(field.class)}",field, answer, form)
     if field.mandatory? && submission.id.nil?
-      required(labelled_form_field(field.name, field_tag))
+      required(labelled_form_field(sanitized_name, field_tag))
     else
-      labelled_form_field(field.name, field_tag)
+      labelled_form_field(sanitized_name, field_tag)
     end
   end
  
@@ -49,6 +49,14 @@ class CustomFormsPlugin::Submission &lt; Noosfero::Plugin::ActiveRecord
     self.answers
   end
  
+  def q_and_a
+    qa = {}
+    form.fields.each do |f|
+      self.answers.select{|a| a.field == f}.map{|answer| qa[f] = answer }
+    end
+    qa
+  end
+
   protected
  
   def check_answers
@@ -89,3 +89,32 @@ tr.addition-buttons {
   border: 1px solid #BBB;
   border-radius: 4px;
 }
+
+#custom-forms-plugin_submission .notify {
+  padding: 8px;
+  color: rgba(0,0,0,0.5);
+}
+
+#custom-forms-plugin_submission-view th {
+  border: none;
+  text-align: right;
+}
+#custom-forms-plugin_submission-view td {
+  padding: 5px 0;
+}
+
+#custom-forms-plugin_submission-view td img {
+  vertical-align: middle;
+}
+
+#custom-forms-plugin_submission-view td ul {
+  padding: 0;
+  margin: 0;
+}
+#custom-forms-plugin_submission-view td li {
+  list-style: none;
+  background: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><rect x="3.5" y="3.5" width="10" height="10" fill="black" stroke="black" fill-opacity="0.2" opacity="0.4" ry="1"/><path d="M 4,5 8.5,13 16,0 8.5,8.5 z"/></svg>') no-repeat 0 50%;
+  padding: 0 0 0 20px;
+  margin: 0;
+}
+
+<div id="custom-forms-plugin_submission-view">
+
 <h1><%= @form.name %></h1>
 <p><%= @form.description %></p>
  
-<%= fields_for :submission, @submission do |f| %>
-  <%= render :partial => 'shared/form_submission', :locals => {:f => f} %>
+<% sanitizer = ActionView::Base.white_list_sanitizer %>
+
+<table>
+  <tr>
+    <th><%= _('Submission date') %></th>
+    <td><%= @submission.updated_at.strftime('%Y/%m/%d %T %Z') %><td>
+  </tr>
+  <tr>
+    <th><%= _('Author') %></th>
+    <% if author = @submission.profile %>
+      <td>
+        <%= link_to(image_tag(profile_icon(author, :portrait)), author.url) %>
+        <%= link_to(author.name, author.url) %>
+      </td>
+    <% else %>
+      <td>
+        <%=
+          img = image_tag gravatar_profile_image_url @submission.author_email, :size=>64, :d => gravatar_default
+          sanitizer.sanitize link_to(img +' '+ @submission.author_name, "mailto:#{@submission.author_email}")
+        %>
+        <span>(<%= _('Unauthenticated') %>)<span>
+      </td>
+    <% end %>
+  </tr>
+<% @submission.q_and_a.each do |field, answer| %>
+  <tr>
+    <th><%= sanitizer.sanitize field.name %></th>
+    <td><%=
+      answer = if answer.field.alternatives.blank?
+        answer.to_s.gsub("\n", '<br>')
+      else
+        content_tag :ul do
+          answer.to_text_list.map {|a| content_tag :li, a }.join("\n")
+        end
+      end
+      sanitizer.sanitize answer
+    %></td>
+  </tr>
 <% end %>
+</table>
  
 <% button_bar do %>
   <%= button :back, _('Back to submissions'), :action => 'submissions', :id => @form.id %>
 <% end %>
+
+</div><!-- end id="custom-forms-plugin_submission-view" -->
+<div id="custom-forms-plugin_submission">
+
 <h1><%= @form.name %></h1>
 <p><%= @form.description %></p>
  
@@ -26,6 +28,7 @@
       <% else %>
         <%= submit_button :save, c_('Save'), :cancel => {:controller => :profile, :profile => profile.identifier} %>
       <% end %>
+      <div class="notify"><%= _("Your e-mail will be visible to this form's owners.") %></div>
     <% end %>
  
   <% end %>
@@ -34,3 +37,5 @@
     <%= render :partial => 'shared/form_submission', :locals => {:f => f} %>
   <% end %>
 <% end %>
+
+</div><!-- end id="custom-forms-plugin_submission" -->
...	...	@@ -14,10 +14,14 @@ class CustomFormsPlugin::Answer < ActiveRecord::Base
14	14	end
15	15	end
16	16
17		- def to_s
18		- return value if value.blank? \|\| field.alternatives.blank?
	17	+ def to_text_list
	18	+ return [value] if value.blank? \|\| field.alternatives.blank?
19	19	selected = value.split(',')
20		- field.alternatives.select {\|alt\| selected.include? alt.id.to_s }.map(&:label).join(';')
	20	+ field.alternatives.select {\|alt\| selected.include? alt.id.to_s }.map(&:label)
	21	+ end
	22	+
	23	+ def to_s
	24	+ to_text_list.join(';')
21	25	end
22	26	end
23	27
...	...
...	...	@@ -69,12 +69,13 @@ module CustomFormsPlugin::Helper
69	69	end
70	70
71	71	def display_custom_field(field, submission, form)
	72	+ sanitized_name = ActionView::Base.white_list_sanitizer.sanitize field.name
72	73	answer = submission.answers.select{\|answer\| answer.field == field}.first
73	74	field_tag = send("display_#{type_for_options(field.class)}",field, answer, form)
74	75	if field.mandatory? && submission.id.nil?
75		- required(labelled_form_field(field.name, field_tag))
	76	+ required(labelled_form_field(sanitized_name, field_tag))
76	77	else
77		- labelled_form_field(field.name, field_tag)
	78	+ labelled_form_field(sanitized_name, field_tag)
78	79	end
79	80	end
80	81
...	...
...	...	@@ -49,6 +49,14 @@ class CustomFormsPlugin::Submission < Noosfero::Plugin::ActiveRecord
49	49	self.answers
50	50	end
51	51
	52	+ def q_and_a
	53	+ qa = {}
	54	+ form.fields.each do \|f\|
	55	+ self.answers.select{\|a\| a.field == f}.map{\|answer\| qa[f] = answer }
	56	+ end
	57	+ qa
	58	+ end
	59	+
52	60	protected
53	61
54	62	def check_answers
...	...
...	...	@@ -89,3 +89,32 @@ tr.addition-buttons {
89	89	border: 1px solid #BBB;
90	90	border-radius: 4px;
91	91	}
	92	+
	93	+#custom-forms-plugin_submission .notify {
	94	+ padding: 8px;
	95	+ color: rgba(0,0,0,0.5);
	96	+}
	97	+
	98	+#custom-forms-plugin_submission-view th {
	99	+ border: none;
	100	+ text-align: right;
	101	+}
	102	+#custom-forms-plugin_submission-view td {
	103	+ padding: 5px 0;
	104	+}
	105	+
	106	+#custom-forms-plugin_submission-view td img {
	107	+ vertical-align: middle;
	108	+}
	109	+
	110	+#custom-forms-plugin_submission-view td ul {
	111	+ padding: 0;
	112	+ margin: 0;
	113	+}
	114	+#custom-forms-plugin_submission-view td li {
	115	+ list-style: none;
	116	+ background: url('data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><rect x="3.5" y="3.5" width="10" height="10" fill="black" stroke="black" fill-opacity="0.2" opacity="0.4" ry="1"/><path d="M 4,5 8.5,13 16,0 8.5,8.5 z"/></svg>') no-repeat 0 50%;
	117	+ padding: 0 0 0 20px;
	118	+ margin: 0;
	119	+}
	120	+
...	...
	1	+<div id="custom-forms-plugin_submission-view">
	2	+
1	3	<h1><%= @form.name %></h1>
2	4	<p><%= @form.description %></p>
3	5
4		-<%= fields_for :submission, @submission do \|f\| %>
5		- <%= render :partial => 'shared/form_submission', :locals => {:f => f} %>
	6	+<% sanitizer = ActionView::Base.white_list_sanitizer %>
	7	+
	8	+<table>
	9	+ <tr>
	10	+ <th><%= _('Submission date') %></th>
	11	+ <td><%= @submission.updated_at.strftime('%Y/%m/%d %T %Z') %><td>
	12	+ </tr>
	13	+ <tr>
	14	+ <th><%= _('Author') %></th>
	15	+ <% if author = @submission.profile %>
	16	+ <td>
	17	+ <%= link_to(image_tag(profile_icon(author, :portrait)), author.url) %>
	18	+ <%= link_to(author.name, author.url) %>
	19	+ </td>
	20	+ <% else %>
	21	+ <td>
	22	+ <%=
	23	+ img = image_tag gravatar_profile_image_url @submission.author_email, :size=>64, :d => gravatar_default
	24	+ sanitizer.sanitize link_to(img +' '+ @submission.author_name, "mailto:#{@submission.author_email}")
	25	+ %>
	26	+ <span>(<%= _('Unauthenticated') %>)<span>
	27	+ </td>
	28	+ <% end %>
	29	+ </tr>
	30	+<% @submission.q_and_a.each do \|field, answer\| %>
	31	+ <tr>
	32	+ <th><%= sanitizer.sanitize field.name %></th>
	33	+ <td><%=
	34	+ answer = if answer.field.alternatives.blank?
	35	+ answer.to_s.gsub("\n", '<br>')
	36	+ else
	37	+ content_tag :ul do
	38	+ answer.to_text_list.map {\|a\| content_tag :li, a }.join("\n")
	39	+ end
	40	+ end
	41	+ sanitizer.sanitize answer
	42	+ %></td>
	43	+ </tr>
6	44	<% end %>
	45	+</table>
7	46
8	47	<% button_bar do %>
9	48	<%= button :back, _('Back to submissions'), :action => 'submissions', :id => @form.id %>
10	49	<% end %>
	50	+
	51	+</div><!-- end id="custom-forms-plugin_submission-view" -->
...	...