Download as
Browse Code »

Commit 086f3729999169897df37778fa2e747f390e7800

Authored by Rodrigo Souto
1 parent 1bec32a8
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Fixing escapes due to debian security release 2.3.5-1.2+squeeze8 

(ActionItem2630)
Showing 12 changed files with 54 additions and 56 deletions   Show diff stats
app/helpers/application_helper.rb
  Diff comments   View file @086f372
@@ -493,23 +493,24 @@ module ApplicationHelper @@ -493,23 +493,24 @@ module ApplicationHelper
493 493
494 def profile_cat_icons( profile ) 494 def profile_cat_icons( profile )
495 if profile.class == Enterprise 495 if profile.class == Enterprise
496 - icons =  
497 - profile.product_categories.map{ |c| c.size > 1 ? c[1] : nil }.  
498 - compact.uniq.map{ |c|  
499 - cat_name = c.gsub( /[-_\s,.;'"]+/, '_' )  
500 - cat_icon = "/images/icons-cat/#{cat_name}.png"  
501 - if ! File.exists? RAILS_ROOT.to_s() + '/public/' + cat_icon  
502 - cat_icon = '/images/icons-cat/undefined.png'  
503 - end  
504 - content_tag 'span',  
505 - content_tag( 'span', c ),  
506 - :title => c,  
507 - :class => 'product-cat-icon cat_icon_' + cat_name,  
508 - :style => "background-image:url(#{cat_icon})"  
509 - }.join "\n"  
510 - content_tag 'div',  
511 - content_tag( 'span', _('Principal Product Categories'), :class => 'header' ) +"\n"+ icons,  
512 - :class => 'product-category-icons' 496 + icons = profile.product_categories.map{ |c| c.size > 1 ? c[1] : nil }.
  497 + compact.uniq.map do |c|
  498 + cat_name = c.gsub( /[-_\s,.;'"]+/, '_' )
  499 + cat_icon = "/images/icons-cat/#{cat_name}.png"
  500 + if ! File.exists? RAILS_ROOT.to_s() + '/public/' + cat_icon
  501 + cat_icon = '/images/icons-cat/undefined.png'
  502 + end
  503 + content_tag('span',
  504 + content_tag( 'span', c ),
  505 + :title => c,
  506 + :class => 'product-cat-icon cat_icon_' + cat_name,
  507 + :style => "background-image:url(#{cat_icon})"
  508 + )
  509 + end.join("\n").html_safe
  510 + content_tag('div',
  511 + content_tag( 'span', _('Principal Product Categories'), :class => 'header' ) +"\n"+ icons,
  512 + :class => 'product-category-icons'
  513 + )
513 else 514 else
514 '' 515 ''
515 end 516 end
@@ -633,10 +634,10 @@ module ApplicationHelper @@ -633,10 +634,10 @@ module ApplicationHelper
633 # FIXME 634 # FIXME
634 ([toplevel] + toplevel.children_for_menu).each do |cat| 635 ([toplevel] + toplevel.children_for_menu).each do |cat|
635 if cat.top_level? 636 if cat.top_level?
636 - result << '<div class="categorie_box">' 637 + result << '<div class="categorie_box">'.html_safe
637 result << icon_button( :down, _('open'), '#', :onclick => 'open_close_cat(this); return false' ) 638 result << icon_button( :down, _('open'), '#', :onclick => 'open_close_cat(this); return false' )
638 result << content_tag('h5', toplevel.name) 639 result << content_tag('h5', toplevel.name)
639 - result << '<div style="display:none"><ul class="categories">' 640 + result << '<div style="display:none"><ul class="categories">'.html_safe
640 else 641 else
641 checkbox_id = "#{object_name}_#{cat.full_name.downcase.gsub(/\s+|\//, '_')}" 642 checkbox_id = "#{object_name}_#{cat.full_name.downcase.gsub(/\s+|\//, '_')}"
642 result << content_tag('li', labelled_check_box( 643 result << content_tag('li', labelled_check_box(
@@ -647,7 +648,7 @@ module ApplicationHelper @@ -647,7 +648,7 @@ module ApplicationHelper
647 :class => ( object.category_ids.include?(cat.id) ? 'cat_checked' : '' ) ) + "\n" 648 :class => ( object.category_ids.include?(cat.id) ? 'cat_checked' : '' ) ) + "\n"
648 end 649 end
649 end 650 end
650 - result << '</ul></div></div>' 651 + result << '</ul></div></div>'.html_safe
651 end 652 end
652 653
653 content_tag('div', result) 654 content_tag('div', result)
@@ -787,10 +788,10 @@ module ApplicationHelper @@ -787,10 +788,10 @@ module ApplicationHelper
787 :class => 'lineitem' + (line_item+=1).to_s() ) +"\n" 788 :class => 'lineitem' + (line_item+=1).to_s() ) +"\n"
788 if line_item == line_size 789 if line_item == line_size
789 line_item = 0 790 line_item = 0
790 - html += "<br />\n" 791 + html += "<br />\n".html_safe
791 end 792 end
792 } 793 }
793 - html += "<br />\n" if line_size == 0 || ( values.size % line_size ) > 0 794 + html += "<br />\n".html_safe if line_size == 0 || ( values.size % line_size ) > 0
794 column = object.class.columns_hash[method.to_s] 795 column = object.class.columns_hash[method.to_s]
795 text = 796 text =
796 ( column ? 797 ( column ?
@@ -977,7 +978,7 @@ module ApplicationHelper @@ -977,7 +978,7 @@ module ApplicationHelper
977 end 978 end
978 979
979 def link_to_email(email) 980 def link_to_email(email)
980 - javascript_tag('var array = ' + email.split('@').to_json + '; document.write("<a href=\'mailto:" + array.join("@") + "\'>" + array.join("@") + "</a>")') 981 + javascript_tag('var array = ' + email.split('@').to_json + '; document.write("<a href=\'mailto:" + array.join("@") + "\'>" + array.join("@") + "</a>")'.html_safe)
981 end 982 end
982 983
983 def stylesheet(*args) 984 def stylesheet(*args)
@@ -987,7 +988,7 @@ module ApplicationHelper @@ -987,7 +988,7 @@ module ApplicationHelper
987 def article_to_html(article, options = {}) 988 def article_to_html(article, options = {})
988 options.merge!(:page => params[:npage]) 989 options.merge!(:page => params[:npage])
989 content = article.to_html(options) 990 content = article.to_html(options)
990 - content = content.kind_of?(Proc) ? self.instance_eval(&content) : content 991 + content = content.kind_of?(Proc) ? self.instance_eval(&content).html_safe : content.html_safe
991 @plugins && @plugins.each do |plugin| 992 @plugins && @plugins.each do |plugin|
992 content = plugin.parse_content(content) 993 content = plugin.parse_content(content)
993 end 994 end
@@ -1003,7 +1004,7 @@ module ApplicationHelper @@ -1003,7 +1004,7 @@ module ApplicationHelper
1003 end 1004 end
1004 1005
1005 def ui_icon(icon_class, extra_class = '') 1006 def ui_icon(icon_class, extra_class = '')
1006 - "<span class='ui-icon #{icon_class} #{extra_class}' style='float:left; margin-right:7px;'></span>" 1007 + "<span class='ui-icon #{icon_class} #{extra_class}' style='float:left; margin-right:7px;'></span>".html_safe
1007 end 1008 end
1008 1009
1009 def ui_button(label, url, html_options = {}) 1010 def ui_button(label, url, html_options = {})
@@ -1035,13 +1036,13 @@ module ApplicationHelper @@ -1035,13 +1036,13 @@ module ApplicationHelper
1035 end 1036 end
1036 1037
1037 def collapsed_item_icon 1038 def collapsed_item_icon
1038 - "<span class='ui-icon ui-icon-circlesmall-plus' style='float:left;'></span>" 1039 + "<span class='ui-icon ui-icon-circlesmall-plus' style='float:left;'></span>".html_safe
1039 end 1040 end
1040 def expanded_item_icon 1041 def expanded_item_icon
1041 - "<span class='ui-icon ui-icon-circlesmall-minus' style='float:left;'></span>" 1042 + "<span class='ui-icon ui-icon-circlesmall-minus' style='float:left;'></span>".html_safe
1042 end 1043 end
1043 def leaf_item_icon 1044 def leaf_item_icon
1044 - "<span class='ui-icon ui-icon-arrow-1-e' style='float:left;'></span>" 1045 + "<span class='ui-icon ui-icon-arrow-1-e' style='float:left;'></span>".html_safe
1045 end 1046 end
1046 1047
1047 def display_category_menu(block, categories, root = true) 1048 def display_category_menu(block, categories, root = true)
@@ -1300,9 +1301,7 @@ module ApplicationHelper @@ -1300,9 +1301,7 @@ module ApplicationHelper
1300 titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') } 1301 titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') }
1301 contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) } 1302 contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) }
1302 1303
1303 - content_tag :div, :class => 'ui-tabs' do  
1304 - content_tag(:ul, titles) + contents  
1305 - end 1304 + content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs')
1306 end 1305 end
1307 1306
1308 def jquery_token_input_messages_json(hintText = _('Type in an keyword'), noResultsText = _('No results'), searchingText = _('Searching...')) 1307 def jquery_token_input_messages_json(hintText = _('Type in an keyword'), noResultsText = _('No results'), searchingText = _('Searching...'))
app/helpers/profile_editor_helper.rb
  Diff comments   View file @086f372
@@ -136,7 +136,7 @@ module ProfileEditorHelper @@ -136,7 +136,7 @@ module ProfileEditorHelper
136 concat( 136 concat(
137 content_tag( 137 content_tag(
138 'div', 138 'div',
139 - capture(&block) + '<br style="clear:left;"/>&nbsp;', 139 + capture(&block) + content_tag('br', '', :style => 'clear: left'),
140 :class => 'control-panel') 140 :class => 'control-panel')
141 ) 141 )
142 end 142 end
app/helpers/tags_helper.rb
  Diff comments   View file @086f372
@@ -68,7 +68,7 @@ module TagsHelper @@ -68,7 +68,7 @@ module TagsHelper
68 :title => n_( 'one item', '%d items', count ) % count 68 :title => n_( 'one item', '%d items', count ) % count
69 end 69 end
70 70
71 - end.join("\n") 71 + end.join("\n").html_safe
72 end 72 end
73 73
74 end 74 end
app/models/article_block.rb
  Diff comments   View file @086f372
@@ -12,7 +12,7 @@ class ArticleBlock &lt; Block @@ -12,7 +12,7 @@ class ArticleBlock &lt; Block
12 block = self 12 block = self
13 lambda do 13 lambda do
14 block_title(block.title) + 14 block_title(block.title) +
15 - (block.article ? article_to_html(block.article, :gallery_view => false) : _('Article not selected yet.')) 15 + (block.article ? article_to_html(block.article, :gallery_view => false).html_safe : _('Article not selected yet.'))
16 end 16 end
17 end 17 end
18 18
app/models/feed_reader_block.rb
  Diff comments   View file @086f372
@@ -47,11 +47,11 @@ class FeedReaderBlock &lt; Block @@ -47,11 +47,11 @@ class FeedReaderBlock &lt; Block
47 47
48 def formatted_feed_content 48 def formatted_feed_content
49 if error_message.blank? 49 if error_message.blank?
50 - "<ul>\n" +  
51 - self.feed_items[0..(limit-1)].map{ |item| "<li><a href='#{item[:link]}'>#{item[:title]}</a></li>" }.join("\n") +  
52 - "</ul>" 50 + "<ul>\n".html_safe +
  51 + self.feed_items[0..(limit-1)].map{ |item| "<li><a href='#{item[:link]}'>#{item[:title]}</a></li>" }.join("\n").html_safe +
  52 + "</ul>".html_safe
53 else 53 else
54 - '<p>' + error_message + '</p>' 54 + "<p>#{error_message}</p>".html_safe
55 end 55 end
56 end 56 end
57 57
app/models/link_list_block.rb
  Diff comments   View file @086f372
@@ -80,7 +80,7 @@ class LinkListBlock &lt; Block @@ -80,7 +80,7 @@ class LinkListBlock &lt; Block
80 80
81 def icons_options 81 def icons_options
82 ICONS.map do |i| 82 ICONS.map do |i|
83 - "<span title=\"#{i[1]}\" class=\"icon-#{i[0]}\" onclick=\"changeIcon(this, '#{i[0]}')\"></span>" 83 + "<span title=\"#{i[1]}\" class=\"icon-#{i[0]}\" onclick=\"changeIcon(this, '#{i[0]}')\"></span>".html_safe
84 end 84 end
85 end 85 end
86 86
app/models/profile_list_block.rb
  Diff comments   View file @086f372
@@ -49,13 +49,12 @@ class ProfileListBlock &lt; Block @@ -49,13 +49,12 @@ class ProfileListBlock &lt; Block
49 send(:profile_image_link, item, :minor ) 49 send(:profile_image_link, item, :minor )
50 }.join("\n ") 50 }.join("\n ")
51 if list.empty? 51 if list.empty?
52 - list = '<div class="common-profile-list-block-none">'+ _('None') +'</div>' 52 + list = content_tag 'div', _('None'), :class => 'common-profile-list-block-none'
53 else 53 else
54 list = content_tag 'ul', nl +' '+ list + nl 54 list = content_tag 'ul', nl +' '+ list + nl
55 end 55 end
56 block_title(title) + nl + 56 block_title(title) + nl +
57 - '<div class="common-profile-list-block">' +  
58 - nl + list + nl + '<br style="clear:both" /></div>' 57 + content_tag('div', nl + list + nl + content_tag('br', '', :style => 'clear:both'))
59 end 58 end
60 end 59 end
61 60
app/models/tags_block.rb
  Diff comments   View file @086f372
@@ -30,11 +30,11 @@ class TagsBlock &lt; Block @@ -30,11 +30,11 @@ class TagsBlock &lt; Block
30 end 30 end
31 31
32 block_title(title) + 32 block_title(title) +
33 - "\n<div class='tag_cloud'>\n"+ 33 + "\n<div class='tag_cloud'>\n".html_safe+
34 tag_cloud( tags, :id, 34 tag_cloud( tags, :id,
35 owner.public_profile_url.merge(:controller => 'profile', :action => 'tags'), 35 owner.public_profile_url.merge(:controller => 'profile', :action => 'tags'),
36 :max_size => 16, :min_size => 9 ) + 36 :max_size => 16, :min_size => 9 ) +
37 - "\n</div><!-- end class='tag_cloud' -->\n"; 37 + "\n</div><!-- end class='tag_cloud' -->\n".html_safe
38 end 38 end
39 39
40 def footer 40 def footer
app/models/uploaded_file.rb
  Diff comments   View file @086f372
@@ -113,7 +113,7 @@ class UploadedFile &lt; Article @@ -113,7 +113,7 @@ class UploadedFile &lt; Article
113 113
114 content_tag( 114 content_tag(
115 'div', 115 'div',
116 - link_to_previous + content_tag('span', _('image %d of %d'), :class => 'total-of-images') % [current_index + 1, total_of_images] + link_to_next, 116 + link_to_previous + (content_tag('span', _('image %d of %d'), :class => 'total-of-images') % [current_index + 1, total_of_images]).html_safe + link_to_next,
117 :class => 'gallery-navigation' 117 :class => 'gallery-navigation'
118 ) 118 )
119 end.to_s + 119 end.to_s +
app/views/box_organizer/_highlights_block.rhtml
  Diff comments   View file @086f372
@@ -5,7 +5,7 @@ @@ -5,7 +5,7 @@
5 <% for image in @block.images do %> 5 <% for image in @block.images do %>
6 <tr> 6 <tr>
7 <td> 7 <td>
8 - <%= select_tag 'block[images][][image_id]', content_tag(:option) + option_groups_from_collection_for_select(@block.folder_choices, :images, :name, :id, :name, image[:image_id].to_i), :style => "width: 100px" %></p> 8 + <%= select_tag 'block[images][][image_id]', content_tag(:option) + option_groups_from_collection_for_select(@block.folder_choices, :images, :name, :id, :name, image[:image_id].to_i).html_safe, :style => "width: 100px" %></p>
9 </td> 9 </td>
10 <td><%= text_field_tag 'block[images][][address]', image[:address], :class => 'highlight-address', :size => 10 %></td> 10 <td><%= text_field_tag 'block[images][][address]', image[:address], :class => 'highlight-address', :size => 10 %></td>
11 <td><%= text_field_tag 'block[images][][position]', image[:position], :class => 'highlight-position', :size => 3 %></td> 11 <td><%= text_field_tag 'block[images][][position]', image[:position], :class => 'highlight-position', :size => 3 %></td>
@@ -17,7 +17,7 @@ @@ -17,7 +17,7 @@
17 17
18 <%= link_to_function(_('New highlight'), nil, :class => 'button icon-add with-text') do |page| 18 <%= link_to_function(_('New highlight'), nil, :class => 'button icon-add with-text') do |page|
19 page.insert_html :bottom, 'highlights', content_tag('tr', 19 page.insert_html :bottom, 'highlights', content_tag('tr',
20 - content_tag('td', select_tag('block[images][][image_id]', content_tag(:option) + option_groups_from_collection_for_select(@block.folder_choices, :images, :name, :id, :name), :style => "width: 100px")) + 20 + content_tag('td', select_tag('block[images][][image_id]', content_tag(:option) + option_groups_from_collection_for_select(@block.folder_choices, :images, :name, :id, :name).html_safe, :style => "width: 100px")) +
21 content_tag('td', text_field_tag('block[images][][address]', nil, :class => 'highlight-address', :size => 10)) + 21 content_tag('td', text_field_tag('block[images][][address]', nil, :class => 'highlight-address', :size => 10)) +
22 content_tag('td', text_field_tag('block[images][][position]', nil, :class => 'highlight-position', :size => 3)) + 22 content_tag('td', text_field_tag('block[images][][position]', nil, :class => 'highlight-position', :size => 3)) +
23 content_tag('td', text_field_tag('block[images][][title]', nil, :class => 'highlight-position', :size => 10)) 23 content_tag('td', text_field_tag('block[images][][title]', nil, :class => 'highlight-position', :size => 10))
app/views/favorite_enterprises/index.rhtml
  Diff comments   View file @086f372
@@ -5,7 +5,7 @@ @@ -5,7 +5,7 @@
5 <ul class="profile-list"> 5 <ul class="profile-list">
6 <% @favorite_enterprises.each do |enterprise| %> 6 <% @favorite_enterprises.each do |enterprise| %>
7 <li> 7 <li>
8 - <%= link_to_profile profile_image(enterprise) + '<br/>' + enterprise.name, 8 + <%= link_to_profile profile_image(enterprise) + '<br/>'.html_safe + enterprise.name,
9 enterprise.identifier, :class => 'profile-link' %> 9 enterprise.identifier, :class => 'profile-link' %>
10 <%# profile_image_link enterprise, :portrait, 'div' %> 10 <%# profile_image_link enterprise, :portrait, 'div' %>
11 <div class="controll"> 11 <div class="controll">
app/views/themes/index.rhtml
  Diff comments   View file @086f372
@@ -11,17 +11,17 @@ @@ -11,17 +11,17 @@
11 base_content = image_tag( 11 base_content = image_tag(
12 "/designs/templates/#{template.id}/thumbnail.png", 12 "/designs/templates/#{template.id}/thumbnail.png",
13 :alt => _('The "%s" template')) + 13 :alt => _('The "%s" template')) +
14 - '<div class="opt-info">' + 14 + '<div class="opt-info">'.html_safe +
15 content_tag('strong', template.id, :class => 'name') + 15 content_tag('strong', template.id, :class => 'name') +
16 - ' <br/> ' 16 + ' <br/> '.html_safe
17 17
18 if @current_template == template.id # selected 18 if @current_template == template.id # selected
19 content_tag( 'div', 19 content_tag( 'div',
20 - base_content + content_tag('big', _('(current)') ) +'</div>', 20 + base_content + content_tag('big', _('(current)') ) +'</div>'.html_safe,
21 :class => 'template-opt list-opt selected') 21 :class => 'template-opt list-opt selected')
22 else # Not selected 22 else # Not selected
23 link_to( 23 link_to(
24 - base_content +'</div>', 24 + base_content +'</div>'.html_safe,
25 { :action => 'set_layout_template', :id => template.id }, 25 { :action => 'set_layout_template', :id => template.id },
26 :class => 'template-opt list-opt') 26 :class => 'template-opt list-opt')
27 end 27 end
@@ -48,17 +48,17 @@ @@ -48,17 +48,17 @@
48 base_content = image_tag( 48 base_content = image_tag(
49 "/designs/themes/#{theme.id}/preview.png", 49 "/designs/themes/#{theme.id}/preview.png",
50 :alt => (_('The "%s" theme.') % theme.name)) + 50 :alt => (_('The "%s" theme.') % theme.name)) +
51 - '<div class="opt-info">' + 51 + '<div class="opt-info">'.html_safe +
52 content_tag('strong', theme.name, :class => 'name') + 52 content_tag('strong', theme.name, :class => 'name') +
53 - ' <br/> ' 53 + ' <br/> '.html_safe
54 54
55 if theme.id == @current_theme # selected 55 if theme.id == @current_theme # selected
56 content_tag( 'div', 56 content_tag( 'div',
57 - base_content + content_tag('big', _('(current)') ) +'</div>', 57 + base_content + content_tag('big', _('(current)') ) +'</div>'.html_safe,
58 :class => 'theme-opt list-opt selected') 58 :class => 'theme-opt list-opt selected')
59 else # Not selected 59 else # Not selected
60 link_to( 60 link_to(
61 - base_content + '</div>', 61 + base_content + '</div>'.html_safe,
62 { :action => 'set', :id => theme.id }, 62 { :action => 'set', :id => theme.id },
63 :class => 'theme-opt list-opt') 63 :class => 'theme-opt list-opt')
64 end 64 end