Commit 5f98fb25d41fc1e1b72798e9d2250a02ab4aba7e
1 parent
bf667380
Fix custom_forms' buttons escaping HTML properly
Showing
4 changed files
with
5 additions
and
5 deletions
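--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
@@ -12,7 +12,7 @@
 <%= f.hidden_field(:position) %>
 
 <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-<%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{j _('Are you sure you want to remove this field?').to_json})" %>
+<%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{CGI::escapeHTML(_('Are you sure you want to remove this field?').to_json)})" %>
 <%= yield %>
 </div>
 </fieldset>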
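Review bot: The new `CGI::escapeHTML(... .to_json)` on line 15 is only correct if `button_to_function` (defined outside this hunk) writes the handler string into the `onclick` attribute verbatim; if that helper already HTML-escapes attribute values the way Rails' own tag helpers do, the `&quot;` produced here becomes `&amp;quot;` and the handler no longer parses, so this is worth confirming on a rendered page. The escaping order itself is right for the context: the value lands inside a double-quoted HTML attribute, entity decoding happens before the JavaScript parser sees the JSON literal, and the previous `j` left the `"` delimiters of the JSON string able to terminate the attribute. The same expression is repeated in _form.html.erb, _alternative.html.erb and _select_field.html.erb; a single plugin helper such as `def json_for_attribute(value); CGI.escapeHTML(value.to_json); end` (name is a proposal) would keep the escaping rule in one place, and `CGI.escapeHTML` rather than `CGI::escapeHTML` is the conventional call form.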
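--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
@@ -31,8 +31,8 @@
 </ul>
 
 <div class="addition-buttons">
-<%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{j html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json}); return false")%>
-<%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{j html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json}); return false")%>
+<%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json)}); return false")%>
+<%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json)}); return false")%>
 </div>
 
 <% button_bar do %>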
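--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
@@ -7,6 +7,6 @@
 
 <td>
 <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-<%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{j _('Are you sure you want to remove this alternative?').to_json})", :class => 'remove-field', :title => _('Remove alternative') %>
+<%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{CGI::escapeHTML(_('Are you sure you want to remove this alternative?').to_json)})", :class => 'remove-field', :title => _('Remove alternative') %>
 </td>
 </tr>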
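--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
@@ -22,7 +22,7 @@
 <tfoot>
 <tr class="addition-buttons">
 <td colspan="3">
-<%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{j html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json}); return false") %>
+<%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{CGI::escapeHTML(html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json)}); return false") %>
 </td>
 </tr>
 </tfoot>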