Commit 1b6f9e37f5111d4029d9c106946a43e12926fff4
Exists in
master
and in
20 other branches
Merge branch 'noosfero' into rails4
Showing
40 changed files
with
100 additions
and
279 deletions
Show diff stats
app/models/article.rb
| ... | ... | @@ -811,7 +811,7 @@ class Article < ActiveRecord::Base |
| 811 | 811 | end |
| 812 | 812 | |
| 813 | 813 | def first_image |
| 814 | - img = ( image.present? && { 'src' => image.public_filename } ) || | |
| 814 | + img = ( image.present? && { 'src' => File.join([Noosfero.root, image.public_filename].join) } ) || | |
| 815 | 815 | Nokogiri::HTML.fragment(self.lead.to_s).css('img[src]').first || |
| 816 | 816 | Nokogiri::HTML.fragment(self.body.to_s).search('img').first |
| 817 | 817 | img.nil? ? '' : img['src'] | ... | ... |
app/models/favorite_enterprises_block.rb
| ... | ... | @@ -16,7 +16,7 @@ class FavoriteEnterprisesBlock < ProfileListBlock |
| 16 | 16 | owner = self.owner |
| 17 | 17 | return '' unless owner.kind_of?(Person) |
| 18 | 18 | proc do |
| 19 | - link_to _('View all'), :profile => owner.identifier, :controller => 'profile', :action => 'favorite_enterprises' | |
| 19 | + link_to _('enterprises|View all'), {:profile => owner.identifier, :controller => 'profile', :action => 'favorite_enterprises'}, :class => 'view-all' | |
| 20 | 20 | end |
| 21 | 21 | end |
| 22 | 22 | ... | ... |
app/views/blocks/highlights.html.erb
| ... | ... | @@ -4,7 +4,7 @@ |
| 4 | 4 | <div class='highlights-container'> |
| 5 | 5 | <% block.featured_images.each do |img| %> |
| 6 | 6 | <a href="<%= img[:address] %>" title="<%= img[:title] %>" class="highlights-image-link"> |
| 7 | - <%= content_tag :img, nil, :src => img[:image_src], :alt => img[:title] %> | |
| 7 | + <%= image_tag [Noosfero.root, img[:image_src]].join, alt: img[:title] %> | |
| 8 | 8 | <p class="highlights-label"><%= img[:title] %></p> |
| 9 | 9 | </a> |
| 10 | 10 | <% end %> | ... | ... |
app/views/cms/media_panel/_image.html.erb
| 1 | 1 | <div class="item image" data-item="span" title="<%= @file.name %>"> |
| 2 | 2 | <span> |
| 3 | - <img src="<%= @file.public_filename(:uploaded) %>"/> | |
| 3 | + <%= image_tag(@file.public_filename(:uploaded)) %> | |
| 4 | 4 | </span> |
| 5 | 5 | <div class="controls image-controls"> |
| 6 | 6 | <a class="button icon-add add-to-text" href="#"><span><%= _('Add to the text') %></span></a> | ... | ... |
app/views/profile_editor/index.html.erb
| ... | ... | @@ -28,7 +28,7 @@ |
| 28 | 28 | |
| 29 | 29 | <%= control_panel_button(_('Manage Content'), 'cms', :controller => 'cms') %> |
| 30 | 30 | |
| 31 | - <%= control_panel_button(_('Manage Roles'), 'roles', :controller => 'profile_roles') %> | |
| 31 | + <%= control_panel_button(_('Manage Roles'), 'roles', :controller => 'profile_roles') if profile.organization? %> | |
| 32 | 32 | |
| 33 | 33 | <% unless profile.enterprise? %> |
| 34 | 34 | <%= case profile.blogs.count | ... | ... |
lib/tasks/backup.rake
| ... | ... | @@ -18,14 +18,15 @@ backup_dirs = [ |
| 18 | 18 | desc "Creates a backup of the database and uploaded files" |
| 19 | 19 | task :backup => :check_backup_support do |
| 20 | 20 | dirs = backup_dirs.select { |d| File.exists?(d) } |
| 21 | + rails_env = ENV["RAILS_ENV"] || 'production' | |
| 21 | 22 | |
| 22 | 23 | backup_name = Time.now.strftime('%Y-%m-%d-%R') |
| 23 | 24 | backup_file = File.join('tmp/backup', backup_name) + '.tar.gz' |
| 24 | 25 | mkdir_p 'tmp/backup' |
| 25 | 26 | dump = File.join('tmp/backup', backup_name) + '.sql' |
| 26 | 27 | |
| 27 | - database = $config['production']['database'] | |
| 28 | - host = $config['production']['host'] | |
| 28 | + database = $config[rails_env]['database'] | |
| 29 | + host = $config[rails_env]['host'] | |
| 29 | 30 | host = host && "-h #{host}" || "" |
| 30 | 31 | sh "pg_dump #{host} #{database} > #{dump}" |
| 31 | 32 | |
| ... | ... | @@ -52,6 +53,7 @@ end |
| 52 | 53 | desc "Restores a backup created previousy with \`rake backup\`" |
| 53 | 54 | task :restore => :check_backup_support do |
| 54 | 55 | backup = ENV["BACKUP"] |
| 56 | + rails_env = ENV["RAILS_ENV"] || 'production' | |
| 55 | 57 | unless backup |
| 56 | 58 | puts "usage: rake restore BACKUP=/path/to/backup" |
| 57 | 59 | exit 1 |
| ... | ... | @@ -81,9 +83,9 @@ task :restore => :check_backup_support do |
| 81 | 83 | end |
| 82 | 84 | dump = dumps.first |
| 83 | 85 | |
| 84 | - database = $config['production']['database'] | |
| 85 | - username = $config['production']['username'] | |
| 86 | - host = $config['production']['host'] | |
| 86 | + database = $config[rails_env]['database'] | |
| 87 | + username = $config[rails_env]['username'] | |
| 88 | + host = $config[rails_env]['host'] | |
| 87 | 89 | host = host && "-h #{host}" || "" |
| 88 | 90 | |
| 89 | 91 | puts "WARNING: backups should be restored to an empty database, otherwise" |
| ... | ... | @@ -102,10 +104,39 @@ task :restore => :check_backup_support do |
| 102 | 104 | end |
| 103 | 105 | |
| 104 | 106 | sh 'tar', 'xaf', backup |
| 105 | - sh "rails dbconsole production < #{dump}" | |
| 107 | + sh "rails dbconsole #{rails_env} < #{dump}" | |
| 106 | 108 | rm_f dump |
| 107 | 109 | |
| 108 | 110 | puts "****************************************************" |
| 109 | 111 | puts "Backup restored!" |
| 110 | 112 | puts "****************************************************" |
| 111 | 113 | end |
| 114 | + | |
| 115 | +desc 'Removes emails from database' | |
| 116 | +task 'restore:remove_emails' => :environment do | |
| 117 | + connection = ActiveRecord::Base.connection | |
| 118 | + [ | |
| 119 | + "UPDATE users SET email = concat('user', id, '@localhost.localdomain')", | |
| 120 | + "UPDATE environments SET contact_email = concat('environment', id, '@localhost.localdomain')", | |
| 121 | + ].each do |update| | |
| 122 | + puts update | |
| 123 | + connection.execute(update) | |
| 124 | + end | |
| 125 | + | |
| 126 | + profiles = connection.execute("select id, data from profiles") | |
| 127 | + profiles.each do |profile| | |
| 128 | + if profile['data'] | |
| 129 | + data = YAML.load(profile['data']) | |
| 130 | + if data[:contact_email] && data[:contact_email] !~ /@localhost.localdomain$/ | |
| 131 | + data[:contact_email] = ['profile', profile['id'], '@localhost.localdomain'].join | |
| 132 | + sql = Environment.send(:sanitize_sql, [ | |
| 133 | + "UPDATE profiles SET data = ? WHERE id = ?", | |
| 134 | + YAML.dump(data), | |
| 135 | + profile['id'], | |
| 136 | + ]) | |
| 137 | + puts sql | |
| 138 | + connection.execute(sql) | |
| 139 | + end | |
| 140 | + end | |
| 141 | + end | |
| 142 | +end | ... | ... |
plugins/environment_notification/controllers/public/environment_notification_plugin_public_controller.rb
plugins/lattes_curriculum/lib/html_parser.rb
plugins/ldap/Gemfile
plugins/ldap/dependencies.rb
plugins/ldap/lib/ldap_authentication.rb
plugins/newsletter/lib/newsletter_plugin/newsletter.rb
| ... | ... | @@ -111,15 +111,15 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord |
| 111 | 111 | include DatesHelper |
| 112 | 112 | |
| 113 | 113 | def message_to_public_link |
| 114 | - content_tag(:p, N_("If you can't view this email, %s.") % link_to(N_('click here'), '{mailing_url}'), :id => 'newsletter-public-link') | |
| 114 | + content_tag(:p, _("If you can't view this email, %s.") % link_to(_('click here'), '{mailing_url}'), :id => 'newsletter-public-link') | |
| 115 | 115 | end |
| 116 | 116 | |
| 117 | 117 | def message_to_unsubscribe |
| 118 | - content_tag(:div, N_("This is an automatically generated email, please do not reply. If you do not wish to receive future newsletter emails, %s.") % link_to(N_("cancel your subscription here"), self.unsubscribe_url, :style => CSS['public-link']), :style => CSS['newsletter-unsubscribe'], :id => 'newsletter-unsubscribe') | |
| 118 | + content_tag(:div, _("This is an automatically generated email, please do not reply. If you do not wish to receive future newsletter emails, %s.") % link_to(_("cancel your subscription here"), self.unsubscribe_url, :style => CSS['public-link']), :style => CSS['newsletter-unsubscribe'], :id => 'newsletter-unsubscribe') | |
| 119 | 119 | end |
| 120 | 120 | |
| 121 | 121 | def read_more(link_address) |
| 122 | - content_tag(:p, link_to(N_('Read more'), link_address, :style => CSS['read-more-link']), :style => CSS['read-more-line']) | |
| 122 | + content_tag(:p, link_to(_('Read more'), link_address, :style => CSS['read-more-link']), :style => CSS['read-more-line']) | |
| 123 | 123 | end |
| 124 | 124 | |
| 125 | 125 | def post_with_image(post) |
| ... | ... | @@ -141,7 +141,7 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord |
| 141 | 141 | end |
| 142 | 142 | |
| 143 | 143 | def default_subject |
| 144 | - N_('Breaking news') | |
| 144 | + _('Breaking news') | |
| 145 | 145 | end |
| 146 | 146 | |
| 147 | 147 | def subject | ... | ... |
plugins/solr/dependencies.rb
plugins/solr/install.rb
plugins/solr/vendor/plugins/acts_as_solr_reloaded/Rakefile
plugins/solr/vendor/plugins/acts_as_solr_reloaded/lib/acts_as_solr/tasks.rb
plugins/solr/vendor/plugins/acts_as_solr_reloaded/lib/solr/xml.rb
| ... | ... | @@ -16,7 +16,6 @@ end |
| 16 | 16 | begin |
| 17 | 17 | |
| 18 | 18 | # If we can load rubygems and libxml-ruby... |
| 19 | - require 'rubygems' | |
| 20 | 19 | require 'xml/libxml' |
| 21 | 20 | raise "acts_as_solr requires libxml-ruby 0.7 or greater" unless XML::Node.public_instance_methods.collect{|x| x.to_sym}.include?(:attributes) |
| 22 | 21 | ... | ... |
plugins/solr/vendor/plugins/acts_as_solr_reloaded/solr_test_rakefile.rb
plugins/solr/vendor/plugins/acts_as_solr_reloaded/test/test_helper.rb
plugins/solr/vendor/plugins/acts_as_solr_reloaded/test/unit/test_helper.rb
plugins/spaminator/dependencies.rb
public/designs/themes/base/style.scss
| ... | ... | @@ -484,6 +484,7 @@ div#notice { |
| 484 | 484 | #content .profile-list-block ul, |
| 485 | 485 | #content .enterprises-block ul, |
| 486 | 486 | #content .communities-block ul, |
| 487 | +#content .favorite-enterprises-block ul, | |
| 487 | 488 | #content .fans-block ul { |
| 488 | 489 | min-width: 196px; |
| 489 | 490 | width: 192px; |
| ... | ... | @@ -499,15 +500,14 @@ div#notice { |
| 499 | 500 | display: block; |
| 500 | 501 | } |
| 501 | 502 | |
| 503 | +.block-footer-content { | |
| 504 | + text-align: center; | |
| 505 | + padding-top: 3px; | |
| 506 | +} | |
| 507 | + | |
| 502 | 508 | .block-footer-content a.view-all { |
| 503 | - position: absolute; | |
| 504 | - top: 2px; | |
| 505 | - right: 0px; | |
| 506 | 509 | font-size: 11px; |
| 507 | 510 | color: #000; |
| 508 | - text-decoration: none; | |
| 509 | - padding-right: 15px; | |
| 510 | - background: url(imgs/arrow-right-p.png) 100% 50% no-repeat; | |
| 511 | 511 | } |
| 512 | 512 | |
| 513 | 513 | #content .profile-list-block .block-title { | ... | ... |
public/stylesheets/cms/media-panel.scss
| ... | ... | @@ -5,7 +5,7 @@ |
| 5 | 5 | } |
| 6 | 6 | |
| 7 | 7 | .controller-cms .show-media-panel .with_media_panel { |
| 8 | - width: 600px; | |
| 8 | + width: 540px; | |
| 9 | 9 | transition: 1s; |
| 10 | 10 | } |
| 11 | 11 | |
| ... | ... | @@ -77,7 +77,7 @@ |
| 77 | 77 | |
| 78 | 78 | .text-editor-sidebar { |
| 79 | 79 | position: absolute; |
| 80 | - width: 280px; | |
| 80 | + width: 340px; | |
| 81 | 81 | right: 20px; |
| 82 | 82 | top: 70px; |
| 83 | 83 | max-height: 45px; |
| ... | ... | @@ -141,7 +141,7 @@ |
| 141 | 141 | } |
| 142 | 142 | |
| 143 | 143 | .text-editor-sidebar .image { |
| 144 | - width: 80px; | |
| 144 | + width: 100px; | |
| 145 | 145 | margin: 2px; |
| 146 | 146 | height: 80px; |
| 147 | 147 | line-height: 80px; | ... | ... |
script/move-translations-to-plugins.rb
| ... | ... | @@ -1,34 +0,0 @@ |
| 1 | -languages = Dir.glob('po/*').reject { |f| f =~ /pot$/ }.map { |f| File.basename(f) } | |
| 2 | - | |
| 3 | -core_files = `grep '#:' po/noosfero.pot | cut -d ':' -f 2 | sed 's/^\s*//' | grep -v '^plugins' | sort -u`.split.map { |f| [ '-N', f] }.flatten | |
| 4 | - | |
| 5 | -languages.each do |lang| | |
| 6 | - | |
| 7 | - lang_plugins_po = "tmp/#{lang}_plugins.po" | |
| 8 | - system('msggrep', '-v', *core_files, '--output-file', lang_plugins_po, "po/#{lang}/noosfero.po") | |
| 9 | - | |
| 10 | - Dir.glob('plugins/*').each do |plugindir| | |
| 11 | - plugin = File.basename(plugindir) | |
| 12 | - po = File.join(plugindir, 'po', lang, plugin + '.po') | |
| 13 | - | |
| 14 | - files = [] | |
| 15 | - Dir.glob("#{plugindir}/**/*.{rb,html.erb}").each do |f| | |
| 16 | - files << '-N' << f | |
| 17 | - end | |
| 18 | - | |
| 19 | - system('mkdir', '-p', File.dirname(po)) | |
| 20 | - system('msggrep', *files, '--output-file', po, lang_plugins_po) | |
| 21 | - | |
| 22 | - if system("msgfmt --statistics -o /dev/null #{po} 2>&1 | grep -q '^0 translated message'") | |
| 23 | - # empty .po | |
| 24 | - system('rm', '-f', po) | |
| 25 | - puts "[#{lang}] #{plugin}: PO file empty, deleted" | |
| 26 | - else | |
| 27 | - puts "[#{lang}] #{plugin}" | |
| 28 | - end | |
| 29 | - | |
| 30 | - end | |
| 31 | - | |
| 32 | - system('rm', '-f', lang_plugins_po) | |
| 33 | - system('find plugins/*/po -type d -empty -delete') | |
| 34 | -end |
script/vagrant
| ... | ... | @@ -12,5 +12,13 @@ for ip in 10.0.2.2 192.168.122.1; do |
| 12 | 12 | fi |
| 13 | 13 | done |
| 14 | 14 | |
| 15 | +sudo apt-get install -qy postfix | |
| 16 | +sudo postconf virtual_alias_maps=hash:/etc/postfix/virtual | |
| 17 | +sudo tee /etc/postfix/virtual <<EOF | |
| 18 | +@localhost.localdomain vagrant | |
| 19 | +EOF | |
| 20 | +sudo postmap /etc/postfix/virtual | |
| 21 | +sudo service postfix reload | |
| 22 | + | |
| 15 | 23 | cd /vagrant |
| 16 | 24 | ./script/quick-start | ... | ... |
test/functional/profile_editor_controller_test.rb
| ... | ... | @@ -1207,4 +1207,10 @@ class ProfileEditorControllerTest < ActionController::TestCase |
| 1207 | 1207 | get :header_footer, :profile => user.identifier |
| 1208 | 1208 | assert_response :success |
| 1209 | 1209 | end |
| 1210 | + | |
| 1211 | + should 'not display button to manage roles on control panel of person' do | |
| 1212 | + get :index, :profile => profile.identifier | |
| 1213 | + assert_no_tag :tag => 'a', :attributes => { :href => "/myprofile/default_user/profile_roles" } | |
| 1214 | + end | |
| 1215 | + | |
| 1210 | 1216 | end | ... | ... |
test/unit/article_test.rb
| ... | ... | @@ -931,14 +931,6 @@ class ArticleTest < ActiveSupport::TestCase |
| 931 | 931 | assert_no_match(/<script>/, a.name) |
| 932 | 932 | end |
| 933 | 933 | |
| 934 | - should 'escape malformed html tags' do | |
| 935 | - article = Article.new | |
| 936 | - article.name = "<h1 Malformed >> html >< tag" | |
| 937 | - article.valid? | |
| 938 | - | |
| 939 | - assert_equal '<h1>> html ></h1>', article.name | |
| 940 | - end | |
| 941 | - | |
| 942 | 934 | should 'return truncated title in short_title' do |
| 943 | 935 | article = Article.new |
| 944 | 936 | article.name = 'a123456789abcdefghij' | ... | ... |
test/unit/comment_test.rb
| ... | ... | @@ -202,17 +202,6 @@ class CommentTest < ActiveSupport::TestCase |
| 202 | 202 | assert comment.errors[:body.to_s].present? |
| 203 | 203 | end |
| 204 | 204 | |
| 205 | - should 'escape malformed html tags' do | |
| 206 | - owner = create_user('testuser').person | |
| 207 | - article = owner.articles.create(:name => 'test', :body => '...') | |
| 208 | - comment = build(Comment, :article => article, :title => '<h1 title </h1>>> sd f <<', :body => '<h1>> sdf><asd>< body </h1>', :name => '<h1 name </h1>>><<dfsf<sd', :email => 'cracker@test.org') | |
| 209 | - comment.valid? | |
| 210 | - | |
| 211 | - assert_no_match /[<>]/, comment.title | |
| 212 | - assert_no_match /[<>]/, comment.body | |
| 213 | - assert_no_match /[<>]/, comment.name | |
| 214 | - end | |
| 215 | - | |
| 216 | 205 | should 'use an existing image for deleted comments' do |
| 217 | 206 | image = Comment.new.removed_user_image[1..-1] |
| 218 | 207 | assert File.exists?(Rails.root.join('public', image)), "#{image} does not exist." |
| ... | ... | @@ -755,6 +744,18 @@ class CommentTest < ActiveSupport::TestCase |
| 755 | 744 | comment.destroy |
| 756 | 745 | end |
| 757 | 746 | |
| 747 | + should 'not double escape html content after validation' do | |
| 748 | + comment = create_comment | |
| 749 | + body = 'Comment with "quotes"' | |
| 750 | + comment.body = body | |
| 751 | + | |
| 752 | + comment.valid? | |
| 753 | + assert_equal body, comment.body | |
| 754 | + | |
| 755 | + comment.valid? | |
| 756 | + assert_equal body, comment.body | |
| 757 | + end | |
| 758 | + | |
| 758 | 759 | private |
| 759 | 760 | |
| 760 | 761 | def create_comment(args = {}) | ... | ... |
test/unit/community_test.rb
| ... | ... | @@ -242,20 +242,6 @@ class CommunityTest < ActiveSupport::TestCase |
| 242 | 242 | end |
| 243 | 243 | end |
| 244 | 244 | |
| 245 | - should 'escape malformed html tags' do | |
| 246 | - community = Community.new | |
| 247 | - community.name = "<h1 Malformed >> html >< tag" | |
| 248 | - community.address = "<h1 Malformed >,<<<asfdf> html >< tag" | |
| 249 | - community.contact_phone = "<h1 Malformed<<> >> html >><>< tag" | |
| 250 | - community.description = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 251 | - community.valid? | |
| 252 | - | |
| 253 | - assert_no_match /[<>]/, community.name | |
| 254 | - assert_no_match /[<>]/, community.address | |
| 255 | - assert_no_match /[<>]/, community.contact_phone | |
| 256 | - assert_no_match /[<>]/, community.description | |
| 257 | - end | |
| 258 | - | |
| 259 | 245 | should "the followed_by method be protected and true to the community members by default" do |
| 260 | 246 | c = fast_create(Community) |
| 261 | 247 | p1 = fast_create(Person) | ... | ... |
test/unit/environment_test.rb
| ... | ... | @@ -1140,14 +1140,6 @@ class EnvironmentTest < ActiveSupport::TestCase |
| 1140 | 1140 | assert_equal "<h1> Disabled Enterprise </h1>", environment.message_for_disabled_enterprise |
| 1141 | 1141 | end |
| 1142 | 1142 | |
| 1143 | - should 'escape malformed html tags' do | |
| 1144 | - environment = Environment.new | |
| 1145 | - environment.message_for_disabled_enterprise = "<h1> Disabled Enterprise /h1>" | |
| 1146 | - environment.valid? | |
| 1147 | - | |
| 1148 | - assert_match /<h1> Disabled Enterprise \/h1><\/h1>/, environment.message_for_disabled_enterprise | |
| 1149 | - end | |
| 1150 | - | |
| 1151 | 1143 | should 'not sanitize html comments' do |
| 1152 | 1144 | environment = Environment.new |
| 1153 | 1145 | environment.message_for_disabled_enterprise = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | ... | ... |
test/unit/event_test.rb
| ... | ... | @@ -263,24 +263,6 @@ class EventTest < ActiveSupport::TestCase |
| 263 | 263 | assert_not_includes profile.events.by_day(today), event_out_of_range |
| 264 | 264 | end |
| 265 | 265 | |
| 266 | - should 'filter fields with full filter' do | |
| 267 | - event = Event.new | |
| 268 | - event.link = "<h1 Malformed >> html >< tag" | |
| 269 | - event.valid? | |
| 270 | - | |
| 271 | - assert_no_match /[<>]/, event.link | |
| 272 | - end | |
| 273 | - | |
| 274 | - should 'filter fields with white_list filter' do | |
| 275 | - event = Event.new | |
| 276 | - event.body = "<h1> Description </h1>" | |
| 277 | - event.address = "<strong> Address </strong>" | |
| 278 | - event.valid? | |
| 279 | - | |
| 280 | - assert_equal "<h1> Description </h1>", event.body | |
| 281 | - assert_equal "<strong> Address </strong>", event.address | |
| 282 | - end | |
| 283 | - | |
| 284 | 266 | should 'not filter & on link field' do |
| 285 | 267 | event = Event.new |
| 286 | 268 | event.link = 'myevent.com/?param1=value¶m2=value2' |
| ... | ... | @@ -289,16 +271,6 @@ class EventTest < ActiveSupport::TestCase |
| 289 | 271 | assert_equal "http://myevent.com/?param1=value¶m2=value2", event.link |
| 290 | 272 | end |
| 291 | 273 | |
| 292 | - should 'escape malformed html tags' do | |
| 293 | - event = Event.new | |
| 294 | - event.body = "<h1<< Description >>/h1>" | |
| 295 | - event.address = "<strong>><< Address <strong>" | |
| 296 | - event.valid? | |
| 297 | - | |
| 298 | - assert_match /<h1>>\/h1><\/h1>/, event.body | |
| 299 | - assert_match /<strong>><\/strong>/, event.address | |
| 300 | - end | |
| 301 | - | |
| 302 | 274 | should 'not sanitize html comments' do |
| 303 | 275 | event = Event.new |
| 304 | 276 | event.body = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | ... | ... |
test/unit/folder_test.rb
| ... | ... | @@ -133,14 +133,6 @@ class FolderTest < ActiveSupport::TestCase |
| 133 | 133 | assert_match /<p><!-- .* --> <\/p><h1> Wellformed html code <\/h1>/, folder.body |
| 134 | 134 | end |
| 135 | 135 | |
| 136 | - should 'escape malformed html tags' do | |
| 137 | - folder = Folder.new | |
| 138 | - folder.body = "<h1<< Description >>/h1>" | |
| 139 | - folder.valid? | |
| 140 | - | |
| 141 | - assert_match /<h1>>\/h1><\/h1>/, folder.body | |
| 142 | - end | |
| 143 | - | |
| 144 | 136 | should 'not have a blog as parent' do |
| 145 | 137 | folder = Folder.new |
| 146 | 138 | folder.parent = Blog.new | ... | ... |
test/unit/gallery_test.rb
| ... | ... | @@ -134,14 +134,6 @@ class GalleryTest < ActiveSupport::TestCase |
| 134 | 134 | assert_match /<p><!-- .* --> <\/p><h1> Wellformed html code <\/h1>/, gallery.body |
| 135 | 135 | end |
| 136 | 136 | |
| 137 | - should 'escape malformed html tags' do | |
| 138 | - gallery = Gallery.new | |
| 139 | - gallery.body = "<h1<< Description >>/h1>" | |
| 140 | - gallery.valid? | |
| 141 | - | |
| 142 | - assert_match /<h1>>\/h1><\/h1>/, gallery.body | |
| 143 | - end | |
| 144 | - | |
| 145 | 137 | should 'accept uploads' do |
| 146 | 138 | folder = fast_create(Gallery) |
| 147 | 139 | assert folder.accept_uploads? | ... | ... |
test/unit/highlights_block_test.rb
| ... | ... | @@ -132,6 +132,19 @@ class HighlightsBlockTest < ActiveSupport::TestCase |
| 132 | 132 | assert_equal block.images.first[:address], "/social/address" |
| 133 | 133 | end |
| 134 | 134 | |
| 135 | + should 'display images with subdir src' do | |
| 136 | + Noosfero.stubs(:root).returns("/social") | |
| 137 | + f1 = mock() | |
| 138 | + f1.expects(:public_filename).returns('/img_address') | |
| 139 | + UploadedFile.expects(:find).with(1).returns(f1) | |
| 140 | + block = HighlightsBlock.new | |
| 141 | + i1 = {:image_id => 1, :address => '/address'} | |
| 142 | + block.images = [i1] | |
| 143 | + block.save! | |
| 144 | + | |
| 145 | + assert_tag_in_string instance_eval(& block.content), :tag => 'img', :attributes => { :src => "/social/img_address" } | |
| 146 | + end | |
| 147 | + | |
| 135 | 148 | [Environment, Profile].each do |klass| |
| 136 | 149 | should "choose between owner galleries when owner is #{klass.name}" do |
| 137 | 150 | owner = fast_create(klass) | ... | ... |
test/unit/organization_test.rb
| ... | ... | @@ -253,25 +253,6 @@ class OrganizationTest < ActiveSupport::TestCase |
| 253 | 253 | assert organization.closed |
| 254 | 254 | end |
| 255 | 255 | |
| 256 | - should 'escape malformed html tags' do | |
| 257 | - organization = Organization.new | |
| 258 | - organization.acronym = "<h1 Malformed >> html >< tag" | |
| 259 | - organization.contact_person = "<h1 Malformed >,<<<asfdf> html >< tag" | |
| 260 | - organization.contact_email = "<h1<malformed@html.com>>" | |
| 261 | - organization.description = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 262 | - organization.legal_form = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 263 | - organization.economic_activity = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 264 | - organization.management_information = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 265 | - organization.valid? | |
| 266 | - | |
| 267 | - assert_no_match /[<>]/, organization.acronym | |
| 268 | - assert_no_match /[<>]/, organization.contact_person | |
| 269 | - assert_no_match /[<>]/, organization.contact_email | |
| 270 | - assert_no_match /[<>]/, organization.legal_form | |
| 271 | - assert_no_match /[<>]/, organization.economic_activity | |
| 272 | - assert_no_match /[<>]/, organization.management_information | |
| 273 | - end | |
| 274 | - | |
| 275 | 256 | should "the followed_by? be true only to members" do |
| 276 | 257 | o = fast_create(Organization) |
| 277 | 258 | p1 = fast_create(Person) | ... | ... |
test/unit/product_test.rb
| ... | ... | @@ -171,16 +171,6 @@ class ProductTest < ActiveSupport::TestCase |
| 171 | 171 | assert_equal @product_category.name, product.name |
| 172 | 172 | end |
| 173 | 173 | |
| 174 | - should 'escape malformed html tags' do | |
| 175 | - product = build(Product, :product_category => @product_category) | |
| 176 | - product.name = "<h1 Malformed >> html >< tag" | |
| 177 | - product.description = "<h1 Malformed</h1>><<<a>> >> html >< tag" | |
| 178 | - product.valid? | |
| 179 | - | |
| 180 | - assert_no_match /[<>]/, product.name | |
| 181 | - assert_match /<h1>>> >> html ><\/h1>/, product.description | |
| 182 | - end | |
| 183 | - | |
| 184 | 174 | should 'use name of category when has no name yet' do |
| 185 | 175 | product = Product.new |
| 186 | 176 | product.product_category = @product_category | ... | ... |
test/unit/profile_test.rb
| ... | ... | @@ -1699,34 +1699,6 @@ class ProfileTest < ActiveSupport::TestCase |
| 1699 | 1699 | assert_equal "<strong> Custom Footer <strong>", profile.custom_footer |
| 1700 | 1700 | end |
| 1701 | 1701 | |
| 1702 | - should 'escape malformed html tags' do | |
| 1703 | - profile = Profile.new | |
| 1704 | - profile.name = "<h1 Malformed >> html >>></a>< tag" | |
| 1705 | - profile.nickname = "<h1 Malformed <<h1>>< html >< tag" | |
| 1706 | - profile.address = "<h1><</h2< Malformed >> html >< tag" | |
| 1707 | - profile.contact_phone = "<h1<< Malformed ><>>> html >< tag" | |
| 1708 | - profile.description = "<h1<a> Malformed >> html ></a>< tag" | |
| 1709 | - profile.valid? | |
| 1710 | - | |
| 1711 | - assert_no_match /[<>]/, profile.name | |
| 1712 | - assert_no_match /[<>]/, profile.nickname | |
| 1713 | - assert_no_match /[<>]/, profile.address | |
| 1714 | - assert_no_match /[<>]/, profile.contact_phone | |
| 1715 | - assert_no_match /[<>]/, profile.description | |
| 1716 | - assert_no_match /[<>]/, profile.custom_header | |
| 1717 | - assert_no_match /[<>]/, profile.custom_footer | |
| 1718 | - end | |
| 1719 | - | |
| 1720 | - should 'escape malformed html tags in header and footer' do | |
| 1721 | - profile = fast_create(Profile) | |
| 1722 | - profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag" | |
| 1723 | - profile.custom_footer = "<h1> Malformed <><< html ></a>< tag" | |
| 1724 | - profile.save | |
| 1725 | - | |
| 1726 | - assert_match /<h1>> Malformed >> html ><\/h1>/, profile.custom_header | |
| 1727 | - assert_match /<h1> Malformed <\/h1>/, profile.custom_footer | |
| 1728 | - end | |
| 1729 | - | |
| 1730 | 1702 | should 'not sanitize html comments' do |
| 1731 | 1703 | profile = Profile.new |
| 1732 | 1704 | profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | ... | ... |
test/unit/text_article_test.rb
| ... | ... | @@ -14,15 +14,6 @@ class TextArticleTest < ActiveSupport::TestCase |
| 14 | 14 | assert_includes TextArticle.find(:all), article |
| 15 | 15 | end |
| 16 | 16 | |
| 17 | - should 'remove HTML from name' do | |
| 18 | - person = create_user('testuser').person | |
| 19 | - article = TextArticle.new(:profile => person) | |
| 20 | - article.name = "<h1 Malformed >> html >>></a>< tag" | |
| 21 | - article.valid? | |
| 22 | - | |
| 23 | - assert_no_match /[<>]/, article.name | |
| 24 | - end | |
| 25 | - | |
| 26 | 17 | should 'be translatable' do |
| 27 | 18 | assert_kind_of Noosfero::TranslatableContent, TextArticle.new |
| 28 | 19 | end | ... | ... |
test/unit/validation_info_test.rb
| ... | ... | @@ -21,14 +21,4 @@ class ValidationInfoTest < ActiveSupport::TestCase |
| 21 | 21 | end |
| 22 | 22 | end |
| 23 | 23 | |
| 24 | - should 'escape malformed html tags' do | |
| 25 | - info = ValidationInfo.new | |
| 26 | - info.validation_methodology = "<h1 Malformed >> html >< tag" | |
| 27 | - info.restrictions = "<h1 Malformed >> html >< tag" | |
| 28 | - info.valid? | |
| 29 | - | |
| 30 | - assert_no_match /[<>]/, info.validation_methodology | |
| 31 | - assert_no_match /[<>]/, info.restrictions | |
| 32 | - end | |
| 33 | - | |
| 34 | 24 | end | ... | ... |
vendor/plugins/xss_terminate/lib/xss_terminate.rb
| ... | ... | @@ -38,7 +38,7 @@ module XssTerminate |
| 38 | 38 | |
| 39 | 39 | module InstanceMethods |
| 40 | 40 | |
| 41 | - def sanitize_field(sanitizer, field, serialized = false, with= :full) | |
| 41 | + def sanitize_field(sanitizer, field, serialized = false) | |
| 42 | 42 | field = field.to_sym |
| 43 | 43 | if serialized |
| 44 | 44 | puts field |
| ... | ... | @@ -49,25 +49,11 @@ module XssTerminate |
| 49 | 49 | else |
| 50 | 50 | if self[field] |
| 51 | 51 | self[field] = sanitizer.sanitize(self[field]) |
| 52 | - | |
| 53 | - if with == :full | |
| 54 | - self[field] = CGI.escapeHTML(self[field]) | |
| 55 | - elsif with == :white_list | |
| 56 | - self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_code?(self[field]) | |
| 57 | - end | |
| 58 | - | |
| 59 | 52 | else |
| 60 | 53 | value = self.send("#{field}") |
| 61 | 54 | return unless value |
| 62 | 55 | value = sanitizer.sanitize(value) |
| 63 | 56 | self.send("#{field}=", value) |
| 64 | - | |
| 65 | - if with == :full | |
| 66 | - self.send("#{field}=", CGI.escapeHTML(value)) | |
| 67 | - elsif with == :white_list | |
| 68 | - self.send("#{field}=", CGI.escapeHTML(value)) if !wellformed_html_code?(value) | |
| 69 | - end | |
| 70 | - | |
| 71 | 57 | end |
| 72 | 58 | end |
| 73 | 59 | end |
| ... | ... | @@ -86,7 +72,7 @@ module XssTerminate |
| 86 | 72 | sanitizer = ActionView::Base.full_sanitizer |
| 87 | 73 | columns, columns_serialized = sanitize_columns(:full) |
| 88 | 74 | columns.each do |column| |
| 89 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :full) | |
| 75 | + sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | |
| 90 | 76 | end |
| 91 | 77 | end |
| 92 | 78 | |
| ... | ... | @@ -94,7 +80,7 @@ module XssTerminate |
| 94 | 80 | sanitizer = ActionView::Base.white_list_sanitizer |
| 95 | 81 | columns, columns_serialized = sanitize_columns(:white_list) |
| 96 | 82 | columns.each do |column| |
| 97 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :white_list) | |
| 83 | + sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | |
| 98 | 84 | end |
| 99 | 85 | end |
| 100 | 86 | |
| ... | ... | @@ -102,38 +88,8 @@ module XssTerminate |
| 102 | 88 | sanitizer = HTML5libSanitize.new |
| 103 | 89 | columns = sanitize_columns(:html5lib) |
| 104 | 90 | columns.each do |column| |
| 105 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :html5lib) | |
| 106 | - end | |
| 107 | - end | |
| 108 | - | |
| 109 | - def wellformed_html_code?(field) | |
| 110 | - return true if !field | |
| 111 | - counter = 0 | |
| 112 | - in_comment = false | |
| 113 | - field=field.split(//) | |
| 114 | - for i in 0..field.length-1 | |
| 115 | - if !in_comment | |
| 116 | - if field[i] == '<' | |
| 117 | - if field[i+1..i+3] == ["!","-","-"] | |
| 118 | - in_comment = true | |
| 119 | - else | |
| 120 | - counter += 1 | |
| 121 | - end | |
| 122 | - elsif field[i] == '>' | |
| 123 | - counter -= 1 | |
| 124 | - end | |
| 125 | - else | |
| 126 | - if field[i-2..i] == ["-","-",">"] | |
| 127 | - in_comment = false | |
| 128 | - end | |
| 129 | - end | |
| 130 | - | |
| 131 | - if counter < 0 || 1 < counter | |
| 132 | - return false | |
| 133 | - end | |
| 91 | + sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | |
| 134 | 92 | end |
| 135 | - | |
| 136 | - return counter == 0 | |
| 137 | 93 | end |
| 138 | 94 | |
| 139 | 95 | end | ... | ... |