Commit c8eaed18d85ace70e370e069fec3202c9a151cff
1 parent
1bd0b110
Exists in
staging
and in
31 other branches
html_safe: avoiding escape some strings
this fixes some issues introduced by !859 closes #193
Showing
11 changed files
with
105 additions
and
20 deletions
Show diff stats
app/helpers/application_helper.rb
| ... | ... | @@ -1055,13 +1055,11 @@ module ApplicationHelper |
| 1055 | 1055 | end |
| 1056 | 1056 | |
| 1057 | 1057 | def delete_article_message(article) |
| 1058 | - CGI.escapeHTML( | |
| 1059 | - if article.folder? | |
| 1060 | - _("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name | |
| 1061 | - else | |
| 1062 | - _("Are you sure that you want to remove the item \"%s\"?") % article.name | |
| 1063 | - end | |
| 1064 | - ) | |
| 1058 | + if article.folder? | |
| 1059 | + _("Are you sure that you want to remove the folder \"%s\"? Note that all the items inside it will also be removed!") % article.name | |
| 1060 | + else | |
| 1061 | + _("Are you sure that you want to remove the item \"%s\"?") % article.name | |
| 1062 | + end | |
| 1065 | 1063 | end |
| 1066 | 1064 | |
| 1067 | 1065 | def expirable_link_to(expired, content, url, options = {}) | ... | ... |
app/helpers/article_helper.rb
| ... | ... | @@ -69,14 +69,14 @@ module ArticleHelper |
| 69 | 69 | content_tag('div', |
| 70 | 70 | content_tag('div', |
| 71 | 71 | radio_button(:article, :published, true) + |
| 72 | - content_tag('span', ' ', :class => 'access-public-icon') + | |
| 72 | + content_tag('span', ' '.html_safe, :class => 'access-public-icon') + | |
| 73 | 73 | content_tag('label', _('Public'), :for => 'article_published_true') + |
| 74 | 74 | content_tag('span', _('Visible to other people'), :class => 'access-note'), |
| 75 | 75 | :class => 'access-item' |
| 76 | 76 | ) + |
| 77 | 77 | content_tag('div', |
| 78 | 78 | radio_button(:article, :published, false) + |
| 79 | - content_tag('span', ' ', :class => 'access-private-icon') + | |
| 79 | + content_tag('span', ' '.html_safe, :class => 'access-private-icon') + | |
| 80 | 80 | content_tag('label', _('Private'), :for => 'article_published_false', :id => "label_private") + |
| 81 | 81 | content_tag('span', _('Limit visibility of this article'), :class => 'access-note'), |
| 82 | 82 | :class => 'access-item' | ... | ... |
app/helpers/boxes_helper.rb
| ... | ... | @@ -34,7 +34,7 @@ module BoxesHelper |
| 34 | 34 | |
| 35 | 35 | def display_boxes_editor(holder) |
| 36 | 36 | with_box_decorator self do |
| 37 | - content_tag('div', display_boxes(holder, '<' + _('Main content') + '>'), :id => 'box-organizer') | |
| 37 | + content_tag('div', display_boxes(holder, '<' + _('Main content') + '>'), :id => 'box-organizer') | |
| 38 | 38 | end |
| 39 | 39 | end |
| 40 | 40 | |
| ... | ... | @@ -52,7 +52,7 @@ module BoxesHelper |
| 52 | 52 | |
| 53 | 53 | def maybe_display_custom_element(holder, element, options = {}) |
| 54 | 54 | if holder.respond_to?(element) |
| 55 | - content_tag('div', holder.send(element), options) | |
| 55 | + content_tag('div', holder.send(element).to_s.html_safe, options) | |
| 56 | 56 | else |
| 57 | 57 | ''.html_safe |
| 58 | 58 | end |
| ... | ... | @@ -64,7 +64,7 @@ module BoxesHelper |
| 64 | 64 | |
| 65 | 65 | def display_updated_box(box) |
| 66 | 66 | with_box_decorator self do |
| 67 | - display_box_content(box, '<' + _('Main content') + '>') | |
| 67 | + display_box_content(box, '<' + _('Main content') + '>') | |
| 68 | 68 | end |
| 69 | 69 | end |
| 70 | 70 | ... | ... |
app/helpers/categories_helper.rb
| ... | ... | @@ -20,7 +20,7 @@ module CategoriesHelper |
| 20 | 20 | def selected_category_link(cat) |
| 21 | 21 | js_remove = "jQuery('#selected-category-#{cat.id}').remove();" |
| 22 | 22 | content_tag('div', button_to_function_without_text(:remove, _('Remove'), js_remove) + |
| 23 | - link_to_function(cat.full_name(' → '), js_remove, :id => "remove-selected-category-#{cat.id}-button", :class => 'select-subcategory-link'), | |
| 23 | + link_to_function(cat.full_name(' → ').html_safe, js_remove, :id => "remove-selected-category-#{cat.id}-button", :class => 'select-subcategory-link'), | |
| 24 | 24 | :class => 'selected-category' |
| 25 | 25 | ) |
| 26 | 26 | end | ... | ... |
app/helpers/profile_helper.rb
| ... | ... | @@ -84,7 +84,7 @@ module ProfileHelper |
| 84 | 84 | entries.map do |entry| |
| 85 | 85 | content = self.send("treat_#{field}", entry) |
| 86 | 86 | unless content.blank? |
| 87 | - content_tag('tr', content_tag('td', title(field, entry), :class => 'field-name') + content_tag('td', content)) | |
| 87 | + content_tag('tr', content_tag('td', title(field, entry), :class => 'field-name') + content_tag('td', content.to_s.html_safe)) | |
| 88 | 88 | end |
| 89 | 89 | end.join("\n") |
| 90 | 90 | end | ... | ... |
app/views/blocks/raw_html.html.erb
app/views/friends/_profile_list.html.erb
| 1 | 1 | <ul class="profile-list"> |
| 2 | 2 | <% profiles.each do |profile| %> |
| 3 | 3 | <li> |
| 4 | - <%= link_to_profile profile_image(profile) + '<br/>' + profile.short_name, | |
| 4 | + <%= link_to_profile profile_image(profile) + tag('br') + profile.short_name, | |
| 5 | 5 | profile.identifier, :class => 'profile-link' %> |
| 6 | 6 | <div class="controll"> |
| 7 | 7 | <%= button_without_text :remove, content_tag('span',_('remove')), | ... | ... |
app/views/shared/_select_categories.html.erb
| ... | ... | @@ -9,7 +9,7 @@ |
| 9 | 9 | categories = [@current_category] |
| 10 | 10 | categories.push(@current_category) while @current_category = @current_category.parent |
| 11 | 11 | %> |
| 12 | - <%= categories.compact.reverse.map{|i| update_categories_link(nil,i.name, i.id)}.join %> | |
| 12 | + <%= categories.compact.reverse.map{|i| update_categories_link(nil,i.name, i.id)}.join.html_safe %> | |
| 13 | 13 | |
| 14 | 14 | <script> |
| 15 | 15 | function add_category() { | ... | ... |
plugins/people_block/lib/people_block_helper.rb
| ... | ... | @@ -0,0 +1,87 @@ |
| 1 | +require_relative "../test_helper" | |
| 2 | + | |
| 3 | +class SafeStringsTest < ActionDispatch::IntegrationTest | |
| 4 | + | |
| 5 | + should 'not escape link to admins on profile page' do | |
| 6 | + person = fast_create Person | |
| 7 | + community = fast_create Community | |
| 8 | + community.add_admin(person) | |
| 9 | + get "/profile/#{community.identifier}" | |
| 10 | + assert_tag :tag => 'td', :content => 'Admins', :sibling => { | |
| 11 | + :tag => 'td', :child => { :tag => 'a', :content => person.name } | |
| 12 | + } | |
| 13 | + end | |
| 14 | + | |
| 15 | + should 'not escape people names on members block' do | |
| 16 | + person = fast_create Person | |
| 17 | + community = fast_create Community | |
| 18 | + community.add_member(person) | |
| 19 | + community.boxes << Box.new | |
| 20 | + community.boxes.first.blocks << MembersBlock.new | |
| 21 | + get "/profile/#{community.identifier}" | |
| 22 | + assert_tag :tag => 'div', :attributes => { :id => "block-#{community.blocks.first.id}" }, :descendant => { | |
| 23 | + :tag => 'li', :attributes => { :class => 'vcard' }, :content => person.name | |
| 24 | + } | |
| 25 | + end | |
| 26 | + | |
| 27 | + should 'not escape RawHTMLBlock content' do | |
| 28 | + community = fast_create Community | |
| 29 | + community.boxes << Box.new | |
| 30 | + community.boxes.first.blocks << RawHTMLBlock.new(:html => '<b>bold</b>') | |
| 31 | + get "/profile/#{community.identifier}" | |
| 32 | + assert_tag :tag => 'div', :attributes => { :id => "block-#{community.blocks.first.id}" }, :descendant => { | |
| 33 | + :tag => 'b', :content => 'bold' | |
| 34 | + } | |
| 35 | + end | |
| 36 | + | |
| 37 | + should 'not escape profile header or footer' do | |
| 38 | + community = fast_create Community | |
| 39 | + community.update_header_and_footer('<b>header</b>', '<b>footer</b>') | |
| 40 | + get "/profile/#{community.identifier}" | |
| 41 | + assert_tag :tag => 'div', :attributes => { :id => 'profile-header' }, :child => { :tag => 'b', :content => 'header' } | |
| 42 | + assert_tag :tag => 'div', :attributes => { :id => 'profile-footer' }, :child => { :tag => 'b', :content => 'footer' } | |
| 43 | + end | |
| 44 | + | |
| 45 | + should 'not escape → symbol from categories' do | |
| 46 | + create_user('marley', :password => 'test', :password_confirmation => 'test').activate | |
| 47 | + category = fast_create Category | |
| 48 | + subcategory = fast_create(Category, :parent_id => category.id) | |
| 49 | + Person['marley'].categories << subcategory | |
| 50 | + login 'marley', 'test' | |
| 51 | + get "/myprofile/marley/profile_editor/edit" | |
| 52 | + assert_tag :tag => 'a', :attributes => { :id => "remove-selected-category-#{subcategory.id}-button" }, | |
| 53 | + :content => "#{category.name} → #{subcategory.name}" | |
| 54 | + end | |
| 55 | + | |
| 56 | + should 'not escape MainBlock on profile design' do | |
| 57 | + create_user('jimi', :password => 'test', :password_confirmation => 'test').activate | |
| 58 | + jimi = Person['jimi'] | |
| 59 | + jimi.boxes << Box.new | |
| 60 | + jimi.boxes.first.blocks << MainBlock.new | |
| 61 | + login 'jimi', 'test' | |
| 62 | + get "/myprofile/jimi/profile_design" | |
| 63 | + assert_tag :tag => 'div', :attributes => { :class => 'main-content' }, :content => '<Main content>' | |
| 64 | + end | |
| 65 | + | |
| 66 | + should 'not escape confirmation message on deleting folders' do | |
| 67 | + create_user('jimi', :password => 'test', :password_confirmation => 'test').activate | |
| 68 | + fast_create(Folder, :name => 'Hey Joe', :profile_id => Person['jimi'].id, :updated_at => DateTime.now) | |
| 69 | + login 'jimi', 'test' | |
| 70 | + get "/myprofile/jimi/cms" | |
| 71 | + assert_tag :tag => 'a', :attributes => { | |
| 72 | + 'data-confirm' => /Are you sure that you want to remove the folder "Hey Joe"\?/ | |
| 73 | + } | |
| 74 | + end | |
| 75 | + | |
| 76 | + should 'not escape people names on manage friends' do | |
| 77 | + create_user('jimi', :password => 'test', :password_confirmation => 'test').activate | |
| 78 | + friend = fast_create Person | |
| 79 | + Person['jimi'].add_friend(friend) | |
| 80 | + login 'jimi', 'test' | |
| 81 | + get '/myprofile/jimi/friends' | |
| 82 | + assert_tag :tag => 'div', :attributes => { :id => 'manage_friends' }, :descendant => { | |
| 83 | + :tag => 'a', :attributes => { :class => 'profile-link' }, :content => friend.name | |
| 84 | + } | |
| 85 | + end | |
| 86 | + | |
| 87 | +end | ... | ... |
test/unit/cms_helper_test.rb
| ... | ... | @@ -62,7 +62,7 @@ class CmsHelperTest < ActionView::TestCase |
| 62 | 62 | profile = fast_create(Profile) |
| 63 | 63 | name = 'My folder' |
| 64 | 64 | folder = fast_create(Folder, :name => name, :profile_id => profile.id) |
| 65 | - confirm_message = CGI.escapeHTML("Are you sure that you want to remove the folder \"#{name}\"? Note that all the items inside it will also be removed!") | |
| 65 | + confirm_message = "Are you sure that you want to remove the folder \"#{name}\"? Note that all the items inside it will also be removed!" | |
| 66 | 66 | expects(:link_to).with('Delete', {action: 'destroy', id: folder.id}, method: :post, 'data-confirm' => confirm_message, class: 'button with-text icon-delete', title: nil) |
| 67 | 67 | |
| 68 | 68 | result = display_delete_button(folder) |
| ... | ... | @@ -73,7 +73,7 @@ class CmsHelperTest < ActionView::TestCase |
| 73 | 73 | profile = fast_create(Profile) |
| 74 | 74 | name = 'My article' |
| 75 | 75 | article = fast_create(TinyMceArticle, :name => name, :profile_id => profile.id) |
| 76 | - confirm_message = CGI.escapeHTML("Are you sure that you want to remove the item \"#{name}\"?") | |
| 76 | + confirm_message = "Are you sure that you want to remove the item \"#{name}\"?" | |
| 77 | 77 | expects(:link_to).with('Delete', {action: 'destroy', id: article.id}, method: :post, 'data-confirm' => confirm_message, class: 'button with-text icon-delete', title: nil) |
| 78 | 78 | |
| 79 | 79 | result = display_delete_button(article) | ... | ... |