Commit 06e7258cfeafbd89df6c57798fb0d3f9ba37e416
Exists in
ratings_minor_fixes
and in
4 other branches
Merge branch 'html-safe-blocks' into 'master'
html_safe: fix edition of some blocks See merge request !900
Showing
3 changed files
with
30 additions
and
2 deletions
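--- a/app/helpers/block_helper.rb
+++ b/app/helpers/block_helper.rb
@@ -28,7 +28,7 @@ module BlockHelper
 }</label></td>
 <td>#{button_without_text(:delete, _('Remove'), '#', class: 'delete-highlight', data: {confirm: _('Are you sure you want to remove this highlight')})}</td>
 </tr>
-"
+".html_safe
 end
 
 end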
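Review bot: Appending `.html_safe` to the whole interpolated string at line 31 switches off Rails' escaping for every `#{...}` inside it, not only for the table markup. The hunk shows just the tail of the method (it starts above line 28), so I cannot confirm what the earlier interpolations hold. If any of them carries a value a profile owner can edit, it must be escaped before interpolation, e.g. `#{h(value)}` with `value` standing for whichever field is interpolated, or the row should be built with `content_tag`/`safe_join` so only helper-generated parts are trusted. A comment above the string such as `# html_safe: every interpolated value below must already be escaped` would make that contract visible to the next editor.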
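--- a/app/views/box_organizer/edit.html.erb
+++ b/app/views/box_organizer/edit.html.erb
@@ -1,5 +1,5 @@
 <div class="block-config-options <%= @block.class.name %>-options">
-<h2 class="title"><%= _(@block.class.description) %></h2>
+<h2 class="title"><%= _(@block.class.description).html_safe %></h2>
 
 <%= form_tag(:action => 'save', :id => @block.id) do %>
 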
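Review bot: Calling `.html_safe` on `_(@block.class.description)` at line 2 trusts both the description string of every Block subclass and whatever the translation catalog returns for it, so markup arriving through a translation or a plugin-provided description would be rendered as-is. If descriptions only need simple formatting, `<%= sanitize _(@block.class.description) %>` keeps that while filtering anything outside Rails' allow-list. Otherwise a template comment stating that descriptions must be developer-authored literals would at least document the assumption.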
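--- a/test/integration/safe_strings_test.rb
+++ b/test/integration/safe_strings_test.rb
@@ -2,6 +2,14 @@ require_relative "../test_helper"
 
 class SafeStringsTest < ActionDispatch::IntegrationTest
 
+def setup
+@user = create_user('safestring', :password => 'test', :password_confirmation => 'test')
+@user.activate
+@person = user.person
+end
+
+attr_accessor :user, :person
+
 should 'not escape link to admins on profile page' do
 person = fast_create Person
 community = fast_create Community
@@ -135,4 +143,24 @@ class SafeStringsTest < ActionDispatch::IntegrationTest
 }
 end
 
+should 'not escape block title when edit a block' do
+class OtherBlock < Block
+def self.description
+_("<p class='other-block'>Other Block</p>")
+end
+end
+login user.login, 'test'
+block = OtherBlock.new
+person.boxes.first.blocks << block
+get url_for(action: :edit, controller: :profile_design, profile: person.identifier, id: block.id)
+assert_select '.block-config-options .other-block'
+end
+
+should 'not escape edit settings in highlight block' do
+login user.login, 'test'
+block = HighlightsBlock.new
+person.boxes.first.blocks << block
+get url_for(action: :edit, controller: :profile_design, profile: person.identifier, id: block.id)
+assert_select '.block-config-options .image-data-line'
+end
 end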
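Review bot: The two tests added at lines 146–165 only assert that markup now gets through (`.other-block`, `.image-data-line`); nothing checks that a value stored in a block by its owner is still escaped now that the helper's output is marked `html_safe`. I would add a companion test that saves markup in one of the highlight's editable fields (which fields exist is not visible in this hunk) and ends with `assert_select '.block-config-options script', false`. Separately, `class OtherBlock < Block` is defined inside the `should` block, so the constant stays defined for the rest of the test run; defining it once at the top of the file would keep it from leaking into other tests.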