diff --git a/app/controllers/my_profile/cms_controller.rb b/app/controllers/my_profile/cms_controller.rb index 11c715a..413d7dc 100644 --- a/app/controllers/my_profile/cms_controller.rb +++ b/app/controllers/my_profile/cms_controller.rb @@ -108,7 +108,7 @@ class CmsController < MyProfileController end def new - # FIXME this method should share some logic wirh edit !!! + # FIXME this method should share some logic with edit !!! @success_back_to = params[:success_back_to] # user must choose an article type first @@ -370,7 +370,7 @@ class CmsController < MyProfileController def search query = params[:q] results = find_by_contents(:uploaded_files, profile, profile.files.published, query)[:results] - render :text => article_list_to_json(results), :content_type => 'application/json' + render :text => article_list_to_json(results).html_safe, :content_type => 'application/json' end def search_article_privacy_exceptions diff --git a/app/controllers/my_profile/profile_editor_controller.rb b/app/controllers/my_profile/profile_editor_controller.rb index 46b2c0c..6d57308 100644 --- a/app/controllers/my_profile/profile_editor_controller.rb +++ b/app/controllers/my_profile/profile_editor_controller.rb @@ -28,6 +28,7 @@ class ProfileEditorController < MyProfileController Image.transaction do begin @plugins.dispatch(:profile_editor_transaction_extras) + # TODO: This is unsafe! Add sanitizer @profile_data.update!(params[:profile_data]) redirect_to :action => 'index', :profile => profile.identifier rescue Exception => ex diff --git a/app/controllers/public/home_controller.rb b/app/controllers/public/home_controller.rb index 615bb8d..166158f 100644 --- a/app/controllers/public/home_controller.rb +++ b/app/controllers/public/home_controller.rb @@ -11,7 +11,7 @@ class HomeController < PublicController @portal_news = portal_community.news(environment.portal_news_amount, true).offset(environment.highlighted_news_amount) @area_news = environment.portal_folders end - end + end end def terms 
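Review bot: The `.html_safe` added to `article_list_to_json(results)` in `search` looks like a no-op, because `render :text` sends the string as the response body without HTML escaping and the content type is `application/json`. Keeping it suggests the JSON has been vetted for an HTML context, which nothing in this hunk shows. I would leave the line as `render :text => article_list_to_json(results), :content_type => 'application/json'` and make sure the escaping of article fields happens inside `article_list_to_json`, which is outside this diff.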
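Review bot: The new comment `# TODO: This is unsafe! Add sanitizer` in ProfileEditorController does not say what is unsafe or what the fix should be, so the next reader cannot act on it. The line below passes `params[:profile_data]` unfiltered to `update!`, so every attribute the model accepts can be set from the request, and any markup in those fields is stored as sent. A more useful wording would be `# TODO: params[:profile_data] reaches update! unfiltered; restrict it to the editable profile fields and sanitize the HTML ones before this call`. The surrounding `begin`/`rescue Exception` block continues outside the hunk.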
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index 88898c9..6ad0184 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -91,7 +91,6 @@ module ApplicationHelper # # TODO: implement correcly the 'Help' button click def help(content = nil, link_name = nil, options = {}, &block) - link_name ||= _('Help') @help_message_id ||= 1 @@ -114,7 +113,7 @@ module ApplicationHelper button = link_to_function(content_tag('span', link_name), "Element.show('#{help_id}')", options ) close_button = content_tag("div", link_to_function(_("Close"), "Element.hide('#{help_id}')", :class => 'close_help_button')) - text = content_tag('div', button + content_tag('div', content_tag('div', content) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box') + text = content_tag('div', button + content_tag('div', content_tag('div', content.html_safe) + close_button, :class => 'help_message', :id => help_id, :style => 'display: none;'), :class => 'help_box') unless block.nil? concat(text) @@ -231,9 +230,9 @@ module ApplicationHelper end the_title = html_options[:title] || label if html_options[:disabled] - content_tag('a', ' '+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title)) + content_tag('a', ' '.html_safe+content_tag('span', label), html_options.merge(:class => the_class, :title => the_title)) else - link_to(' '+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title)) + link_to(' '.html_safe+content_tag('span', label), url_for(url).html_safe, html_options.merge(:class => the_class, :title => the_title)) end end 
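Review bot: `content.html_safe` in `help` marks whatever the caller passed as trusted markup, so any caller that builds `content` from user-supplied text now gets it rendered unescaped inside the help box. The part of the method that assigns `content` lies between the two hunks and is not visible, so this is inferred from the signature `help(content = nil, ...)`. I would either keep the default escaping and let callers that pass markup mark it themselves, or document the contract above the method, e.g. `# content must be HTML that is already escaped or trusted; it is emitted verbatim`.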
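Review bot: `url_for(url).html_safe` in the `link_to` branch turns off attribute escaping for the href, because the tag helpers skip escaping for strings already marked html_safe. When `url` is a String, `url_for` returns it unchanged, so a quote or angle bracket in it would reach the attribute as written. `link_to` already calls `url_for` on its second argument, so `link_to(' '.html_safe+content_tag('span', label), url, html_options.merge(:class => the_class, :title => the_title))` is enough. The same `url_for(url).html_safe` appears in the `expirable_button` call in app/views/content_viewer/_article_toolbar.html.erb.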
@@ -583,8 +582,8 @@ module ApplicationHelper def popover_menu(title,menu_title,links,html_options={}) html_options[:class] = "" unless html_options[:class] html_options[:class] << " menu-submenu-trigger" - html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false" + html_options[:onclick] = "toggleSubmenu(this, '#{menu_title}', #{CGI::escapeHTML(links.to_json)}); return false" link_to(content_tag(:span, title), '#', html_options) end @@ -836,7 +835,7 @@ module ApplicationHelper end else if profile.active_fields.include?(name) - result = content_tag('div', field_html + profile_field_privacy_selector(profile, name), :class => 'field-with-privacy-selector') + result = content_tag('div', field_html + profile_field_privacy_selector(profile, name), :class => 'field-with-privacy-selector-R1') end end @@ -1140,7 +1139,8 @@ module ApplicationHelper end def admin_link - user.is_admin?(environment) ? link_to('' + _('Administration') + '', environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : '' + admin_icon = '' + _('Administration') + '' + user.is_admin?(environment) ? link_to(admin_icon.html_safe, environment.admin_url, :title => _("Configure the environment"), :class => 'admin-link') : '' end def usermenu_logged_in 
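Review bot: The class in the `profile.active_fields.include?(name)` branch changes from `'field-with-privacy-selector'` to `'field-with-privacy-selector-R1'`, which reads like a leftover debugging marker rather than part of the escaping work. Any stylesheet or script that selects `.field-with-privacy-selector` would stop matching; none is visible in this diff, so this is an assumption to check. If the rename is not intended, restore `:class => 'field-with-privacy-selector'`.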
@@ -1149,15 +1149,19 @@ module ApplicationHelper if count > 0 pending_tasks_count = link_to(count.to_s, user.tasks_url, :id => 'pending-tasks-count', :title => _("Manage your pending tasks")) end - - (_("Welcome, %s") % link_to("#{user.identifier}", user.url, :id => "homepage-link", :title => _('Go to your homepage'))) + - render_environment_features(:usermenu) + - admin_link + - manage_enterprises + - manage_communities + - link_to('' + _('Control panel') + '', user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) + - pending_tasks_count + - link_to('' + _('Logout') + '', { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system")) + user_identifier = "#{user.identifier}" + welcome_link = link_to(user_identifier.html_safe, user.public_profile_url, :id => "homepage-link", :title => _('Go to your homepage')) + welcome_span = _("Welcome, %s") % welcome_link.html_safe + ctrl_panel_icon = '' + ctrl_panel_section = '' + ctrl_panel_icon + _('Control panel') + '' + ctrl_panel_link = link_to(ctrl_panel_section.html_safe, user.admin_url, :class => 'ctrl-panel', :title => _("Configure your personal account and content")) + logout_icon = '' + _('Logout') + '' + logout_link = link_to(logout_icon.html_safe, { :controller => 'account', :action => 'logout'} , :id => "logout", :title => _("Leave the system")) + join_result = safe_join( + [welcome_span.html_safe, render_environment_features(:usermenu).html_safe, admin_link.html_safe, + manage_enterprises.html_safe, manage_communities.html_safe, ctrl_panel_link.html_safe, + pending_tasks_count.html_safe, logout_link.html_safe], "") + join_result end def usermenu_notlogged_in 
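Review bot: In `usermenu_logged_in`, `user_identifier = "#{user.identifier}"` is marked `.html_safe` without being escaped, and every element handed to `safe_join` is also forced through `.html_safe`, so `safe_join` can no longer escape anything. Escape the value where it is interpolated, e.g. `#{h(user.identifier)}`, and drop `.html_safe` from the elements that are already helper output (`link_to`, `admin_link`, `render_environment_features`), so that anything unmarked is escaped by `safe_join`. `pending_tasks_count.html_safe` also raises NoMethodError when `count` is not positive, unless the variable is initialised before the hunk starts, which is not visible here. The switch from `user.url` to `user.public_profile_url` is a behaviour change unrelated to escaping and deserves a line in the commit message.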
@@ -1272,8 +1276,8 @@ module ApplicationHelper end def render_tabs(tabs) - titles = tabs.inject(''){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') } - contents = tabs.inject(''){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) } + titles = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:li, link_to(tab[:title], '#'+tab[:id]), :class => 'tab') } + contents = tabs.inject(''.html_safe){ |result, tab| result << content_tag(:div, tab[:content], :id => tab[:id]) } content_tag(:div, content_tag(:ul, titles) + raw(contents), :class => 'ui-tabs') end @@ -1291,7 +1295,7 @@ module ApplicationHelper def expirable_link_to(expired, content, url, options = {}) if expired options[:class] = (options[:class] || '') + ' disabled' - content_tag('a', ' '+content_tag('span', content), options) + content_tag('a', ' '.html_safe+content_tag('span', content), options) else if options[:modal] options.delete(:modal) @@ -1387,7 +1391,8 @@ module ApplicationHelper # are old things that do not support it we are keeping this hot spot. html = @plugins.pipeline(:parse_content, html, source).first end - html && html.html_safe + + html.html_safe && html end def convert_macro(html, source) diff --git a/app/helpers/article_helper.rb b/app/helpers/article_helper.rb index a55c553..5e4e93a 100644 --- a/app/helpers/article_helper.rb +++ b/app/helpers/article_helper.rb 
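Review bot: The last hunk replaces `html && html.html_safe` with `html.html_safe && html`, which inverts the intent. `String#html_safe` returns a new marked string and leaves the receiver untouched, so the method now returns the unmarked `html`, and it raises NoMethodError when `html` is nil, which the old form tolerated. Restore `html && html.html_safe`. The method starts outside the hunk, so whether `html` can be nil at this point is inferred from the original guard.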
@@ -10,52 +10,61 @@ module ArticleHelper def custom_options_for_article(article, tokenized_children) @article = article - - visibility_options(@article, tokenized_children) + - topic_creation(@article) + - content_tag('h4', _('Options')) + - content_tag('div', - (article.profile.has_members? ? + opts = visibility_options(@article, tokenized_children) + ret = opts + ret << content_tag('h4', _('Options')) + inner = "".html_safe + inner << (article.profile.has_members? ? content_tag( 'div', check_box(:article, :allow_members_to_edit) + content_tag('label', _('Allow all members to edit this article'), :for => 'article_allow_members_to_edit') ) : - '') + - + '') + inner << + (article.parent && article.parent.forum? && controller.action_name == 'new' ? + hidden_field_tag('article[accept_comments]', 1) : content_tag( 'div', check_box(:article, :accept_comments) + content_tag('label', (article.parent && article.parent.forum? ? _('This topic is opened for replies') : _('I want to receive comments about this article')), :for => 'article_accept_comments') - ) + - + )) + inner << content_tag( 'div', check_box(:article, :notify_comments) + content_tag('label', _('I want to receive a notification of each comment written by e-mail'), :for => 'article_notify_comments') + observe_field(:article_accept_comments, :function => "jQuery('#article_notify_comments')[0].disabled = ! jQuery('#article_accept_comments')[0].checked;jQuery('#article_moderate_comments')[0].disabled = ! jQuery('#article_accept_comments')[0].checked") - ) + - + ) + inner << content_tag( 'div', check_box(:article, :moderate_comments) + content_tag('label', _('I want to approve comments on this article'), :for => 'article_moderate_comments') - ) + - + ) + inner << (article.can_display_hits? ? 
content_tag( 'div', check_box(:article, :display_hits) + content_tag('label', _('I want this article to display the number of hits it received'), :for => 'article_display_hits') - ) : '') + - + ) : '') + inner << (article.can_display_versions? ? content_tag( 'div', check_box(:article, :display_versions) + content_tag('label', _('I want this article to display a link to older versions'), :for => 'article_display_versions') ) : '') - ) + inner << + (article.forum? && article.profile.community? ? + content_tag( + 'div', + check_box(:article, :allows_members_to_create_topics) + + content_tag('label', _('Allow members to create topics'), :for => 'article_allows_members_to_create_topics') + ) : '') + ret << content_tag('div', inner) + ret end def visibility_options(article, tokenized_children) @@ -107,7 +116,7 @@ module ArticleHelper def add_option_to_followers(article, tokenized_children) label_message = article.profile.organization? ? _('Allow all community members to view this content') : _('Allow all your friends to view this content') - check_box( + ret = check_box( :article, :show_to_followers, {:class => "custom_privacy_option"} @@ -137,6 +146,7 @@ module ArticleHelper } ) ) : '') + ret end def prepare_to_token_input(array) diff --git a/app/helpers/block_helper.rb b/app/helpers/block_helper.rb index 819400c..ede3606 100644 --- a/app/helpers/block_helper.rb +++ b/app/helpers/block_helper.rb @@ -1,7 +1,7 @@ module BlockHelper def block_title(title) - tag_class = 'block-title' + tag_class = 'block-title'.html_safe tag_class += ' empty' if title.empty? content_tag 'h3', content_tag('span', h(title)), :class => tag_class end diff --git a/app/helpers/blog_helper.rb b/app/helpers/blog_helper.rb index 7fedf87..9d27ec4 100644 --- a/app/helpers/blog_helper.rb +++ b/app/helpers/blog_helper.rb @@ -46,7 +46,7 @@ module BlogHelper end end) } - content.join("\n
\n") + (pagination or '') + safe_join(content, "\n
\n") + (pagination or '').html_safe end def display_post(article, format = 'full') @@ -61,7 +61,8 @@ module BlogHelper else '
' end - end.to_s + title + html + end.to_s.html_safe + + title.html_safe + html end def display_compact_format(article) diff --git a/app/helpers/boxes_helper.rb b/app/helpers/boxes_helper.rb index 2a60bc0..fd20c37 100644 --- a/app/helpers/boxes_helper.rb +++ b/app/helpers/boxes_helper.rb @@ -44,7 +44,7 @@ module BoxesHelper def display_boxes(holder, main_content) boxes = holder.boxes.with_position.first(boxes_limit(holder)) - content = boxes.reverse.map { |item| display_box(item, main_content) }.join("\n") + content = safe_join(boxes.reverse.map { |item| display_box(item, main_content) }, "\n") content = main_content if (content.blank?) content_tag('div', content, :class => 'boxes', :id => 'boxes' ) @@ -54,7 +54,7 @@ module BoxesHelper if holder.respond_to?(element) content_tag('div', holder.send(element), options) else - '' + ''.html_safe end end @@ -70,9 +70,10 @@ module BoxesHelper def display_box_content(box, main_content) context = { :article => @page, :request_path => request.path, :locale => locale, :params => request.params, :user => user, :controller => controller } - box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item| + blocks = box_decorator.select_blocks(box, box.blocks.includes(:box), context).map do |item| display_block item, main_content - end.join("\n") + box_decorator.block_target(box) + end + safe_join(blocks, "\n") + box_decorator.block_target(box) end def select_blocks box, arr, context 
@@ -88,7 +89,13 @@ module BoxesHelper end def display_block_content(block, person, main_content = nil) - content = block.main? ? wrap_main_content(main_content) : block.content({:person => person}) + if block.main? then + content = wrap_main_content(main_content) + else + content = block.content({:person => person}) + end + #content = block.main? ? wrap_main_content(main_content) : block.content({:person => person}) + result = extract_block_content(content) footer_content = extract_block_content(block.footer) unless footer_content.blank? @@ -108,17 +115,18 @@ module BoxesHelper result = filter_html(result, block) - content_tag('div', - box_decorator.block_target(block.box, block) + - content_tag('div', - content_tag('div', - content_tag('div', - result + footer_content + box_decorator.block_edit_buttons(block), - :class => 'block-inner-2'), - :class => 'block-inner-1'), - options), - :class => 'block-outer') + - box_decorator.block_handle(block) + join_result = safe_join([result, footer_content, box_decorator.block_edit_buttons(block)]) + content_tag_inner_1 = content_tag('div', join_result, :class => 'block-inner-2') + + content_tag_inner_2 = content_tag('div', content_tag_inner_1, :class => 'block-inner-1') + content_tag_inner_3 = content_tag('div', content_tag_inner_2, options) + content_tag_inner_4 = box_decorator.block_target(block.box, block) + content_tag_inner_3 + c = content_tag('div', content_tag_inner_4, :class => 'block-outer') + box_decorator_result = box_decorator.block_handle(block) + result_final = safe_join([c, box_decorator_result], "") + + + return result_final end def wrap_main_content(content) 
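Review bot: The rewritten `display_block_content` keeps the old one-liner as a commented-out line (`#content = block.main? ? ...`) and adds `if block.main? then`, the numbered temporaries `content_tag_inner_1` to `content_tag_inner_4`, and an explicit `return result_final`. The commented-out line should be deleted, and the temporaries named after what they hold (`inner`, `outer`, `handle`) with the final `safe_join([c, box_decorator_result], "")` as the implicit return value. Note also that `safe_join([result, footer_content, ...])` escapes any element not marked html_safe, while the String branch of `extract_block_content` returns the string unmarked. Whether plain-string block content is now escaped therefore depends on what `filter_html` returns, and a comment stating which behaviour is intended would help.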
@@ -128,17 +136,17 @@ module BoxesHelper def extract_block_content(content) case content when Hash - content_tag('iframe', '', :src => url_for(content)) + content_tag('iframe', ''.html_safe, :src => url_for(content)) when String if content.split("\n").size == 1 and content =~ /^https?:\/\// - content_tag('iframe', '', :src => content) + content_tag('iframe', ''.html_safe, :src => content) else content end when Proc self.instance_eval(&content) when NilClass - '' + ''.html_safe else raise "Unsupported content for block (#{content.class})" end @@ -147,14 +155,14 @@ module BoxesHelper module DontMoveBlocks # does nothing def self.block_target(box, block = nil) - '' + ''.html_safe end # does nothing def self.block_handle(block) - '' + ''.html_safe end def self.block_edit_buttons(block) - '' + ''.html_safe end def self.select_blocks box, arr, context arr = arr.select{ |block| block.visible? context } @@ -201,9 +209,9 @@ module BoxesHelper # makes the given block draggable so it can be moved away. def block_handle(block) return "" unless movable?(block) - icon = "
#{display_icon(block.class)}
#{_(block.class.pretty_name)}
" + icon = "
#{display_icon(block.class)}
#{_(block.class.pretty_name)}
".html_safe block_draggable("block-#{block.id}", - :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}") + :helper => "function() {return cloneDraggableBlock($(this), '#{icon}')}".html_safe) end def block_draggable(element_id, options={}) diff --git a/app/helpers/catalog_helper.rb b/app/helpers/catalog_helper.rb index 839e610..ad5f4f1 100644 --- a/app/helpers/catalog_helper.rb +++ b/app/helpers/catalog_helper.rb @@ -19,7 +19,7 @@ module CatalogHelper ancestors = category.ancestors.map { |c| link_to(c.name, {:controller => :catalog, :action => 'index', :level => c.id}) }.reverse current_level = content_tag('strong', category.name) all_items = [start] + ancestors + [current_level] - content_tag('div', all_items.join(' → '), :id => 'breadcrumb') + content_tag('div', safe_join(all_items, ' → '), :id => 'breadcrumb') end def category_link(category) diff --git a/app/helpers/display_helper.rb b/app/helpers/display_helper.rb index a0514d6..f7494e6 100644 --- a/app/helpers/display_helper.rb +++ b/app/helpers/display_helper.rb @@ -53,18 +53,19 @@ module DisplayHelper end def txt2html(txt) - txt.strip. + ret = txt.strip. gsub( /\s*\n\s*\n\s*/, "\r

\r" ). gsub( /\s*\n\s*/, "\n
\n" ). gsub( /\r/, "\n" ). gsub( /(^|\s)(www\.[^\s]+|https?:\/\/[^\s]+)/ ) do pre_char, href = $1, $2 href = 'http://'+href if ! href.match /^https?:/ - content = href.gsub(/^https?:\/\//, '').scan(/.{1,4}/).join('​') + content = safe_join(href.gsub(/^https?:\/\//, '').scan(/.{1,4}/), '​'.html_safe) pre_char + content_tag(:a, content, :href => href, :target => '_blank', :rel => 'nofolow', :onclick => "return confirm('%s')" % _('Are you sure you want to visit this web site?')) end + ret.html_safe end end diff --git a/app/helpers/events_helper.rb b/app/helpers/events_helper.rb index 7c89e47..fc0b882 100644 --- a/app/helpers/events_helper.rb +++ b/app/helpers/events_helper.rb @@ -3,11 +3,13 @@ module EventsHelper include DatesHelper def list_events(date, events) title = _('Events for %s') % show_date_month(date) + user_events = events.select { |item| item.display_to?(user) } + events_for_month = safe_join(user_events.map {|item| display_event_in_listing(item)}, '') content_tag('h2', title) + content_tag('div', (events.any? ? - content_tag('table', events.select { |item| item.display_to?(user) }.map {|item| display_event_in_listing(item)}.join('')) : - content_tag('em', _('No events for this month'), :class => 'no-events') + content_tag('table', events_for_month) : + content_tag('em', _('No events for this month'), :class => 'no-events') ), :id => 'agenda-items' ) end diff --git a/app/helpers/forms_helper.rb b/app/helpers/forms_helper.rb index 7f04574..d1c4925 100644 --- a/app/helpers/forms_helper.rb +++ b/app/helpers/forms_helper.rb @@ -111,10 +111,11 @@ module FormsHelper options_for_select = container.inject([]) do |options, element| text, value = option_text_and_value(element) selected_attribute = ' selected="selected"' if option_value_selected?(value, selected) - options << %() + opt = %() + options << opt.html_safe end - options_for_select.join("\n") + safe_join(options_for_select, "\n") end def balanced_table(items, per_row=3) 
diff --git a/app/helpers/forum_helper.rb b/app/helpers/forum_helper.rb index a2ff7d9..619185f 100644 --- a/app/helpers/forum_helper.rb +++ b/app/helpers/forum_helper.rb @@ -35,7 +35,7 @@ module ForumHelper :id => "post-#{art.id}" ) } - content_tag('table', content.join) + (pagination or '') + content_tag('table', safe_join(content, "")) + (pagination or '').html_safe end def last_topic_update(article) diff --git a/app/helpers/manage_products_helper.rb b/app/helpers/manage_products_helper.rb index 6e05369..4a6ed93 100644 --- a/app/helpers/manage_products_helper.rb +++ b/app/helpers/manage_products_helper.rb @@ -38,10 +38,11 @@ module ManageProductsHelper end def options_for_select_categories(categories, selected = nil) - categories.sort_by{|cat| cat.name.transliterate}.map do |category| - selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '') - "" - end.join("\n") + safe_join(categories.sort_by{ |cat| + cat.name.transliterate}.map do |category| + selected_attribute = selected.nil? ? '' : (category == selected ? "selected='selected'" : '') + "".html_safe + end, "\n") end def build_selects_for_ancestors(ancestors, current_category) @@ -76,10 +77,13 @@ module ManageProductsHelper def categories_container(categories_selection_html, hierarchy_html = '') content_tag 'div', - render('categories_autocomplete') + - hidden_field_tag('selected_category_id') + - content_tag('div', hierarchy_html, :id => 'hierarchy_navigation') + - content_tag('div', categories_selection_html, :id => 'categories_container_wrapper'), + safe_join( + [ + render('categories_autocomplete'), + hidden_field_tag('selected_category_id'), + content_tag('div', hierarchy_html, :id => 'hierarchy_navigation'), + content_tag('div', categories_selection_html, :id => 'categories_container_wrapper') + ], ''), :id => 'categories-container' end diff --git a/app/helpers/profile_editor_helper.rb b/app/helpers/profile_editor_helper.rb index 30f4f35..ec7dab9 100644 
--- a/app/helpers/profile_editor_helper.rb +++ b/app/helpers/profile_editor_helper.rb @@ -129,7 +129,11 @@ module ProfileEditorHelper else domains = environment.domains end - labelled_form_field(_('Preferred domain name:'), select(object, :preferred_domain_id, domains.map {|item| [item.name, item.id]}, :prompt => '<' + _('Select domain') + '>')) + select_domain_prompt = '<'.html_safe + _('Select domain').html_safe + '>'.html_safe + select_field = select(object, :preferred_domain_id, domains.map { + |item| [item.name, item.id]}, :prompt => select_domain_prompt.html_safe) + + labelled_form_field(_('Preferred domain name:'), select_field) end def control_panel(&block) diff --git a/app/helpers/search_helper.rb b/app/helpers/search_helper.rb index 219678b..6b55890 100644 --- a/app/helpers/search_helper.rb +++ b/app/helpers/search_helper.rb @@ -124,10 +124,10 @@ module SearchHelper def filters(asset) return if !asset klass = asset_class(asset) - content_tag('div', klass::SEARCH_FILTERS.map do |name, options| + content_tag('div', safe_join(klass::SEARCH_FILTERS.map do |name, options| default = klass.respond_to?("default_search_#{name}") ? klass.send("default_search_#{name}".to_s) : nil select_filter(name, options, default) - end.join("\n"), :id => 'search-filters') + end, "\n"), :id => 'search-filters') end def assets_menu(selected) @@ -137,11 +137,11 @@ module SearchHelper # menu. assets.delete(:events) content_tag('ul', - assets.map do |asset| + safe_join(assets.map do |asset| options = {} options.merge!(:class => 'selected') if selected.to_s == asset.to_s content_tag('li', asset_link(asset), options) - end.join("\n"), + end, "\n"), :id => 'assets-menu') end diff --git a/app/models/blog_archives_block.rb b/app/models/blog_archives_block.rb index d36ddad..89bab8d 100644 --- a/app/models/blog_archives_block.rb +++ b/app/models/blog_archives_block.rb 
@@ -40,6 +40,7 @@ class BlogArchivesBlock < Block end results << "" end + results.html_safe block_title(title) + content_tag('ul', results, :class => 'blog-archives') + content_tag('div', link_to(_('Subscribe RSS Feed'), owner_blog.feed.url), :class => 'subscribe-feed') diff --git a/app/models/link_list_block.rb b/app/models/link_list_block.rb index 874c52e..21f5145 100644 --- a/app/models/link_list_block.rb +++ b/app/models/link_list_block.rb @@ -60,17 +60,20 @@ class LinkListBlock < Block end def content(args={}) - block_title(title) + - content_tag('ul', - links.select{|i| !i[:name].blank? and !i[:address].blank?}.map{|i| content_tag('li', link_html(i))}.join - ) + ret = "".html_safe + ret = ret + block_title(title) + selected_links = links.select{ |i| !i[:name].blank? and !i[:address].blank? } + ret_links = selected_links.map { |i| content_tag('li', link_html(i).html_safe) } + inner_join = ret_links.join.html_safe + return ret + content_tag('ul', inner_join) end def link_html(link) klass = 'icon-' + link[:icon] if link[:icon] - sanitize_link( + sanitized_link = sanitize_link( link_to(link[:name], expand_address(link[:address]), :target => link[:target], :class => klass, :title => link[:title]) ) + return sanitized_link end def expand_address(address) diff --git a/app/models/products_block.rb b/app/models/products_block.rb index 3e1ad06..8c15df0 100644 --- a/app/models/products_block.rb +++ b/app/models/products_block.rb 
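Review bot: The added line `results.html_safe` in BlogArchivesBlock discards its return value. `String#html_safe` returns a new marked string and does not change `results`, so `content_tag('ul', results, ...)` on the next line still receives the unmarked string. If marking is intended it has to be `results = results.html_safe` or `content_tag('ul', results.html_safe, :class => 'blog-archives')`. Before doing that, confirm that every value interpolated into `results` in the loop above is escaped; the loop is outside the hunk.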
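Review bot: `ret_links.join.html_safe` in `LinkListBlock#content` marks the joined string as trusted wholesale, whereas the helpers changed elsewhere in this diff use `safe_join`, which escapes any element that is not already marked. `safe_join(ret_links)` gives the same output for `content_tag` results and fails closed if an unmarked string ever enters the list; ProfileListBlock in this diff already calls `safe_join` from a block model. The same applies to `products_map.join.html_safe` in `ProductsBlock#content`. `link_html(i).html_safe` relies entirely on `sanitize_link`, which is outside the hunk, and a comment saying so would help.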
@@ -20,19 +20,17 @@ class ProductsBlock < Block end def content(args={}) - block_title(title) + - content_tag( - 'ul', - products.map {|product| - content_tag('li', - link_to( product.name, - product.url, - :style => 'background-image:url(%s)' % product.default_image('minor') - ), - :class => 'product' + product_title = block_title(title).html_safe + products_map = products.map { |product| + product_link = link_to( + product.name, + product.url, + :style => 'background-image:url(%s)' % product.default_image('minor') ) - }.join - ) + content_tag('li', product_link.html_safe, :class => 'product') + } + products_map_join = products_map.join.html_safe + product_title.html_safe + content_tag('ul', products_map_join) end def footer diff --git a/app/models/profile_list_block.rb b/app/models/profile_list_block.rb index fc8ea89..4faa57d 100644 --- a/app/models/profile_list_block.rb +++ b/app/models/profile_list_block.rb @@ -42,14 +42,14 @@ result = public_profiles.all(:limit => get_limit, :order => 'profiles.updated_at def content(args={}) profiles = self.profile_list - title = self.view_title - nl = "\n" + title = self.view_title.html_safe + nl = "\n".html_safe proc do |context| count=0 - list = profiles.map {|item| + list = safe_join(profiles.map {|item| count+=1 send(:profile_image_link, item, :minor ) - }.join("\n ") + }, "\n ") if list.empty? list = content_tag 'div', _('None'), :class => 'common-profile-list-block-none' else diff --git a/app/models/recent_documents_block.rb b/app/models/recent_documents_block.rb index 5749e88..40e49d8 100644 --- a/app/models/recent_documents_block.rb +++ b/app/models/recent_documents_block.rb 
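Review bot: `title = self.view_title.html_safe` in `ProfileListBlock#content` marks the block title as trusted before it is used. `block_title` (app/helpers/block_helper.rb, in this diff) escapes with `h(title)`, and `h` leaves html_safe strings untouched, so if the proc passes `title` to `block_title` the title is emitted unescaped. The rest of the proc is outside the hunk, so that call is an assumption. If block titles can be edited by profile owners, keep the escaping by writing `title = self.view_title`. `nl = "\n".html_safe` is harmless but unnecessary.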
@@ -26,8 +26,12 @@ class RecentDocumentsBlock < Block docs = self.docs title = self.title proc do - block_title(title) + - content_tag('ul', docs.map {|item| content_tag('li', link_to(h(item.title), item.url))}.join("\n")) + docsmap = safe_join(docs.map { |item| + content_tag('li', + link_to( h(item.title), item.url) + ) + }, "\n") + block_title(title) + content_tag('ul', docsmap) end end diff --git a/app/models/tags_block.rb b/app/models/tags_block.rb index 9a94712..7487921 100644 --- a/app/models/tags_block.rb +++ b/app/models/tags_block.rb @@ -43,10 +43,10 @@ class TagsBlock < Block owner.public_profile_url.merge(:controller => 'profile', :action => 'content_tagged') tagname_option = is_env ? :tag : :id - block_title(title) + + (block_title(title) + "\n

\n".html_safe+ tag_cloud( tags, tagname_option, url, :max_size => 16, :min_size => 9 ) + - "\n
\n".html_safe + "\n\n").html_safe end def footer diff --git a/app/views/account/_signup_form.html.erb b/app/views/account/_signup_form.html.erb index 49c08d1..310f616 100644 --- a/app/views/account/_signup_form.html.erb +++ b/app/views/account/_signup_form.html.erb @@ -107,7 +107,7 @@ <%= render :partial => 'profile_editor/person_form', :locals => {:f => f} %> <% end %> - <%= @plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }.join("") %> + <%= safe_join(@plugins.dispatch(:signup_extra_contents).collect { |content| instance_eval(&content) }, "") %> <%= template_options(:people, 'profile_data') %> diff --git a/app/views/account/login.html.erb b/app/views/account/login.html.erb index 5f978c5..42fc127 100644 --- a/app/views/account/login.html.erb +++ b/app/views/account/login.html.erb @@ -20,7 +20,7 @@ - <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }.join("") %> + <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_exec(&content) }, "") %> <% button_bar do %> <%= submit_button( 'login', _('Log in') )%> diff --git a/app/views/account/login_block.html.erb b/app/views/account/login_block.html.erb index 85ecf78..8298c96 100644 --- a/app/views/account/login_block.html.erb +++ b/app/views/account/login_block.html.erb @@ -15,7 +15,7 @@ <%= f.password_field :password %> - <%= @plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }.join("") %> + <%= safe_join(@plugins.dispatch(:login_extra_contents).collect { |content| instance_eval(&content) }, "") %> <% button_bar do %> <%= submit_button( 'login', _('Log in') )%> diff --git a/app/views/blocks/login_block.html.erb b/app/views/blocks/login_block.html.erb index ed8e1e1..29a8c3e 100644 --- a/app/views/blocks/login_block.html.erb +++ b/app/views/blocks/login_block.html.erb @@ -3,7 +3,7 @@

<%= _('Logged in as %s') % user.identifier %>

<%= button(:'menu-logout', _('Logout'), :controller => 'account', :action => 'logout') %> diff --git a/app/views/box_organizer/_article_block.html.erb b/app/views/box_organizer/_article_block.html.erb index 90b4e29..eecbd36 100644 --- a/app/views/box_organizer/_article_block.html.erb +++ b/app/views/box_organizer/_article_block.html.erb @@ -9,7 +9,8 @@ first_text = articles[articles.find_index{|a| a.kind_of? TextArticle}||-1] selected = @block.article || first_text %> - <%= select_tag( + <%= + select_tag( 'block[article_id]', options_for_select_with_title(articles.map {|item| [item.path, item.id]}, selected.id), :onchange => 'this.changedTo(this.value)' diff --git a/app/views/catalog/index.html.erb b/app/views/catalog/index.html.erb index 7525479..f22a3e8 100644 --- a/app/views/catalog/index.html.erb +++ b/app/views/catalog/index.html.erb @@ -35,7 +35,7 @@ <% else %>
<%= _('No image') %>
<% end %> -
<%= extra_content.join("\n") %>
+
<%= safe_join(extra_content, "\n") %>
diff --git a/app/views/cms/select_article_type.html.erb b/app/views/cms/select_article_type.html.erb index 23a78c4..8e888dc 100644 --- a/app/views/cms/select_article_type.html.erb +++ b/app/views/cms/select_article_type.html.erb @@ -5,7 +5,7 @@
<% end %> @@ -45,9 +45,9 @@ <% if @article.parent %> - <%= link_to '.. (' + _('parent folder') + ')', {:action => 'view', :id => @article.parent.id}, :class => 'icon-parent-folder' %> + <%= link_to '.. ('.html_safe + _('parent folder') + ')', {:action => 'view', :id => @article.parent.id}, :class => 'icon-parent-folder' %> <% else %> - <%= link_to '.. (' + _('parent folder') + ')', {:action => 'index'}, :class => 'icon-parent-folder' %> + <%= link_to '.. ('.html_safe + _('parent folder') + ')', {:action => 'index'}, :class => 'icon-parent-folder' %> <% end %> <%= Folder.short_description %> diff --git a/app/views/comment/_comment.html.erb b/app/views/comment/_comment.html.erb index 4e7aba4..58cd200 100644 --- a/app/views/comment/_comment.html.erb +++ b/app/views/comment/_comment.html.erb @@ -43,7 +43,7 @@

<%= txt2html comment.body %> - <%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }.join("") %> + <%= safe_join(@plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }, "") %>

diff --git a/app/views/comment/_comment_form.html.erb b/app/views/comment/_comment_form.html.erb index 7c628ae..0e206a0 100644 --- a/app/views/comment/_comment_form.html.erb +++ b/app/views/comment/_comment_form.html.erb @@ -85,7 +85,7 @@ function check_captcha(button, confirm_action) { <%= hidden_field_tag(:view, params[:view])%> <%= f.hidden_field(:reply_of_id) %> - <%= @plugins.dispatch(:comment_form_extra_contents, local_assigns.merge(:comment => @comment)).collect { |content| instance_exec(&content) }.join("") %> + <%= safe_join(@plugins.dispatch(:comment_form_extra_contents, local_assigns.merge(:comment => @comment)).collect { |content| instance_exec(&content) }, "") %> <% button_bar do %> <%= submit_button('add', _('Post comment'), :onclick => "if(check_captcha(this)) { save_comment(this) } else { check_captcha(this, save_comment)};return false;") %> diff --git a/app/views/content_viewer/_article_toolbar.html.erb b/app/views/content_viewer/_article_toolbar.html.erb index 5b532af..f35713f 100644 --- a/app/views/content_viewer/_article_toolbar.html.erb +++ b/app/views/content_viewer/_article_toolbar.html.erb @@ -26,7 +26,7 @@ <% content = _('Add translation') %> <% parent_id = (@page.folder? ? @page : (@page.parent.nil? ? nil : @page.parent)) %> <% url = profile.admin_url.merge(:controller => 'cms', :action => 'new', :parent_id => parent_id, :type => @page.type, :article => { :translation_of_id => @page.native_translation.id })%> - <%= expirable_button @page, :locale, content, url %> + <%= expirable_button @page, :locale, content, url_for(url).html_safe %> <% end %> <%= modal_button(:new, label_for_new_article(@page), profile.admin_url.merge(:controller => 'cms', :action => 'new', :parent_id => (@page.folder? ? @page : @page.parent))) unless remove_content_button(:new, @page) %> @@ -64,9 +64,9 @@ <% if @page.blog? and !@page.image.nil? %>
<%= image_tag(@page.image.public_filename())%>
<% end %> - <%= button_without_text(:feed, _('RSS feed'), @page.feed.url, :class => 'blog-feed-link') if @page.has_posts? && @page.feed %> - <%= @plugins.dispatch(:article_header_extra_contents, @page).collect { |content| instance_exec(&content) }.join("") %> - <%= render :partial => 'article_title', :locals => {:no_link => true} %> + <%= link_to(image_tag('icons-mime/rss-feed.png'), @page.feed.url, :class => 'blog-feed-link') if @page.has_posts? && @page.feed %> + <%= safe_join(@plugins.dispatch(:article_header_extra_contents, @page).collect { |content| instance_exec(&content) },"") %> + <%= article_title(@page, :no_link => true) %> <%= article_translations(@page) %>
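Review bot: The new RSS link on the `blog-feed-link` line loses its translated label: the removed `button_without_text` call passed `_('RSS feed')`, while `link_to(image_tag('icons-mime/rss-feed.png'), ...)` passes no gettext string at all. Any `alt` text is then whatever `image_tag` derives by default, not the translation, and the link has no `title`. I would write `image_tag('icons-mime/rss-feed.png', :alt => _('RSS feed'))` and add `:title => _('RSS feed')` to the `link_to` options.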
diff --git a/app/views/content_viewer/versions_diff.html.erb b/app/views/content_viewer/versions_diff.html.erb index cd3402a..eb81552 100644 --- a/app/views/content_viewer/versions_diff.html.erb +++ b/app/views/content_viewer/versions_diff.html.erb @@ -2,9 +2,9 @@ <%= button(:back, _('Back to the versions'), {:action => 'article_versions'}) %> -

<%= _('Changes on "%s"') % @page.title %>

+

<%= _('Changes on "%s"').html_safe % @page.title %>

-

<%= _('Changes from %s → %s') % [show_time(@v1.updated_at), show_time(@v2.updated_at)] %>

+

<%= _('Changes from %s → %s').html_safe % [show_time(@v1.updated_at), show_time(@v2.updated_at)] %>

<% diffContent = Diffy::Diff.new(@v1.body, @v2.body, :context => 1) %> <% if diffContent.to_s(:text).blank? %> @@ -12,5 +12,5 @@ <%= _('These versions range have no differences.')%>
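Review bot: In `_('Changes on "%s"').html_safe % @page.title`, the escaping of the article title now depends on how the framework handles `%` on a string already marked html_safe, and no test in this commit pins that. The title is user-authored content, so this is the value that matters on the page. I would add a functional test that renders `versions_diff` for an article whose title contains markup and asserts that it appears escaped in the heading. A short template comment such as `<%# only the format string is trusted here; @page.title must still be escaped %>` would also help.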

<% else %> - <%= diffContent.to_s(:html) %> + <%= diffContent.to_s(:html).html_safe %> <% end %> diff --git a/app/views/content_viewer/view_page.html.erb b/app/views/content_viewer/view_page.html.erb index 82cd4fc..c703ced 100644 --- a/app/views/content_viewer/view_page.html.erb +++ b/app/views/content_viewer/view_page.html.erb @@ -45,20 +45,20 @@ <% if ! @page.categories.empty? %>
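Review bot: `diffContent.to_s(:html).html_safe` emits markup built from `@v1.body` and `@v2.body` with ERB escaping switched off, so this page is only as safe as the escaping Diffy's HTML formatter applies to each diffed line. That behaviour lives in the library and is not visible in this diff, so it should be stated and tested rather than assumed. I would add `<%# html_safe: relies on Diffy's :html formatter escaping the diffed text %>` above the line, plus a functional test that diffs two versions whose bodies contain markup and asserts the output is escaped.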

<%= _('Categories') %>

- <%= @page.categories.map {|item| link_to_category(item, false) }.join(", ") %> + <%= safe_join(@page.categories.map {|item| link_to_category(item, false) }, ", ") %>
<% end %> <% if !@page.tags.empty? %>
- <%= _("This article's tags:") %> - <%= @page.tags.map { |t| link_to(t, :controller => 'profile', :profile => @profile.identifier, :action => 'tags', :id => t.name ) }.join("\n") %> + <%= _("This article's tags:").html_safe %> + <%= safe_join(@page.tags.map { |t| link_to(t, :controller => 'profile', :profile => @profile.identifier, :action => 'tags', :id => t.name ) }, "\n") %>
<% end %> <%= display_source_info(@page) %> -<%= @plugins.dispatch(:article_extra_contents, @page).collect { |content| instance_exec(&content) }.join("") %> +<%= safe_join(@plugins.dispatch(:article_extra_contents, @page).collect { |content| instance_exec(&content) }, "") %> <% if @page.accept_comments? || @comments_count > 0 %>
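Review bot: `_("This article's tags:").html_safe` marks a gettext result as trusted markup even though the string contains no markup. Without the flag the only difference is that the apostrophe is emitted as an entity, which renders identically. With it, every translation of this string is emitted unescaped, which turns the translation catalogs into an HTML source that has to be reviewed as such. I would keep `<%= _("This article's tags:") %>` and reserve `.html_safe` for strings that actually carry markup.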
diff --git a/app/views/home/index.html.erb b/app/views/home/index.html.erb index f2d3bd2..c910224 100644 --- a/app/views/home/index.html.erb +++ b/app/views/home/index.html.erb @@ -49,7 +49,7 @@ <% end %> <% end %> <% else %> - <%= environment.description %> + <%= environment.description.html_safe %> <% end %> <% if environment.enabled?('search_in_home') %> diff --git a/app/views/invite/_select_address_book.html.erb b/app/views/invite/_select_address_book.html.erb index 07a567c..c31b67e 100644 --- a/app/views/invite/_select_address_book.html.erb +++ b/app/views/invite/_select_address_book.html.erb @@ -3,12 +3,12 @@ <%= form_tag do %> - <%= [ + <%= safe_join([ radio_button_tag(:import_from, "manual", @import_from == "manual", :onclick => 'hide_invite_friend_login_password()') + content_tag('label', _('Manually (empty field)'), :for => "import_from_manual"), radio_button_tag(:import_from, "gmail", @import_from == "gmail", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Gmail', :for => 'import_from_gmail'), radio_button_tag(:import_from, "yahoo", @import_from == "yahoo", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Yahoo', :for => "import_from_yahoo"), radio_button_tag(:import_from, "hotmail", @import_from == "hotmail", :onclick => 'show_invite_friend_login_password(this.value)') + content_tag('label', 'Hotmail', :for => "import_from_hotmail") - ].join("\n
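Review bot: `environment.description.html_safe` raises `NoMethodError` when the description is nil, where the previous `<%= environment.description %>` rendered nothing. It also emits the stored value without any escaping. Whether the description is sanitized when it is saved is not visible in this diff; if it is not, this is stored markup rendered verbatim on the home page. I would render it as `<%= sanitize(environment.description) %>`. If arbitrary admin markup is intended and is cleaned on write, use `environment.description.to_s.html_safe` with a comment naming where the cleaning happens.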
\n") %> + ], "\n
\n") %> "} + lambda {"".html_safe} end end class TestHeadEnding2Plugin < Noosfero::Plugin def head_ending - "" + "".html_safe end end diff --git a/test/functional/catalog_controller_test.rb b/test/functional/catalog_controller_test.rb index 14370f5..c26df57 100644 --- a/test/functional/catalog_controller_test.rb +++ b/test/functional/catalog_controller_test.rb @@ -71,13 +71,13 @@ class CatalogControllerTest < ActionController::TestCase should 'include extra content supplied by plugins on catalog item extras' do class Plugin1 < Noosfero::Plugin def catalog_item_extras(product) - proc {"This is Plugin1 speaking!"} + proc {"This is Plugin1 speaking!".html_safe} end end class Plugin2 < Noosfero::Plugin def catalog_item_extras(product) - proc {"This is Plugin2 speaking!"} + proc {"This is Plugin2 speaking!".html_safe} end end Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name]) diff --git a/test/functional/enterprise_registration_controller_test.rb b/test/functional/enterprise_registration_controller_test.rb index 30767ac..a91d148 100644 --- a/test/functional/enterprise_registration_controller_test.rb +++ b/test/functional/enterprise_registration_controller_test.rb @@ -191,13 +191,13 @@ class EnterpriseRegistrationControllerTest < ActionController::TestCase should 'include hidden fields supplied by plugins on enterprise registration' do class Plugin1 < Noosfero::Plugin def enterprise_registration_hidden_fields - {'plugin1' => 'Plugin 1'} + {'plugin1' => 'Plugin 1'.html_safe} end end class Plugin2 < Noosfero::Plugin def enterprise_registration_hidden_fields - {'plugin2' => 'Plugin 2'} + {'plugin2' => 'Plugin 2'.html_safe} end end Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name]) diff --git a/test/functional/events_controller_test.rb b/test/functional/events_controller_test.rb index e45b3bf..553f4b4 100644 --- a/test/functional/events_controller_test.rb +++ b/test/functional/events_controller_test.rb 
@@ -13,7 +13,7 @@ class EventsControllerTest < ActionController::TestCase get :events, :profile => profile.identifier - today = DateTime.now.strftime("%B %d, %Y") + today = DateTime.now.strftime("%B %d, %Y").html_safe assert_tag :tag => 'div', :attributes => {:id => "agenda-items"}, :descendant => {:tag => 'h3', :content => "Events for #{today}"}, :descendant => {:tag => 'tr', :content => "Joao Birthday"}, diff --git a/test/functional/friends_controller_test.rb b/test/functional/friends_controller_test.rb index 2391eca..7d77b5f 100644 --- a/test/functional/friends_controller_test.rb +++ b/test/functional/friends_controller_test.rb @@ -43,7 +43,7 @@ class FriendsControllerTest < ActionController::TestCase should 'display find people button' do get :index, :profile => 'testuser' - assert_tag :tag => 'a', :content => 'Find people', :attributes => { :href => '/search/assets?asset=people' } + assert_tag :tag => 'a', :content => 'Find people', :attributes => { :href => '/search/assets?asset=people'.html_safe } end should 'not display invite friends button if any plugin tells not to' do diff --git a/test/functional/home_controller_test.rb b/test/functional/home_controller_test.rb index 32d076f..476d9a6 100644 --- a/test/functional/home_controller_test.rb +++ b/test/functional/home_controller_test.rb @@ -88,12 +88,12 @@ class HomeControllerTest < ActionController::TestCase should 'provide a link to make the user authentication' do class Plugin1 < Noosfero::Plugin def alternative_authentication_link - proc {"Plugin1 link"} + proc {"Plugin1 link".html_safe} end end class Plugin2 < Noosfero::Plugin def alternative_authentication_link - proc {"Plugin2 link"} + proc {"Plugin2 link".html_safe} end end Noosfero::Plugin.stubs(:all).returns([Plugin1.name, Plugin2.name]) 
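Review bot: The `.html_safe` added to `today` has no visible effect, because the value is interpolated into the plain string `"Events for #{today}"` and that result is an ordinary String. The same goes for `'/search/assets?asset=people'.html_safe` in `friends_controller_test.rb` and the `:content => '...'.html_safe` expectation in `profile_controller_test.rb`, where the flag plays no part in comparing the expected text with the parsed response. I would leave these expectations as plain strings, so that `.html_safe` appears in the suite only where it changes rendered output.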
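Review bot: After this change the `alternative_authentication_link` fixtures return only html_safe strings, so no test covers a plugin that returns a plain string. That is the case the view changes in this commit exist to contain. The other plugin fixtures in `catalog_controller_test.rb`, `manage_products_controller_test.rb`, `profile_controller_test.rb`, `profile_editor_controller_test.rb` and `search_controller_test.rb` are changed the same way. I would keep one fixture per hook family that returns an unmarked string containing markup and assert that the response shows it escaped.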
@@ -168,7 +168,7 @@ class HomeControllerTest < ActionController::TestCase should 'plugins add class to the ' do class Plugin1 < Noosfero::Plugin def html_tag_classes - lambda { ['t1', 't2'] } + lambda { ['t1'.html_safe, 't2'.html_safe] } end end diff --git a/test/functional/manage_products_controller_test.rb b/test/functional/manage_products_controller_test.rb index a7347f4..b2a494c 100644 --- a/test/functional/manage_products_controller_test.rb +++ b/test/functional/manage_products_controller_test.rb @@ -429,12 +429,12 @@ class ManageProductsControllerTest < ActionController::TestCase should 'include extra content supplied by plugins on products info extras' do class TestProductInfoExtras1Plugin < Noosfero::Plugin def product_info_extras(p) - proc {"This is Plugin1 speaking!"} + proc {"This is Plugin1 speaking!".html_safe} end end class TestProductInfoExtras2Plugin < Noosfero::Plugin def product_info_extras(p) - proc { "This is Plugin2 speaking!" } + proc { "This is Plugin2 speaking!".html_safe } end end diff --git a/test/functional/profile_controller_test.rb b/test/functional/profile_controller_test.rb index a0123fc..78b578b 100644 --- a/test/functional/profile_controller_test.rb +++ b/test/functional/profile_controller_test.rb @@ -125,7 +125,7 @@ class ProfileControllerTest < ActionController::TestCase @profile.articles.create!(:name => 'testarticle', :tag_list => 'tag1') get :content_tagged, :profile => @profile.identifier, :id => 'tag1' - assert_tag :tag => 'a', :attributes => { :href => '/tag/tag1' }, :content => 'See content tagged with "tag1" in the entire site' + assert_tag :tag => 'a', :attributes => { :href => '/tag/tag1' }, :content => 'See content tagged with "tag1" in the entire site'.html_safe end should 'show a link to own control panel' do 
@@ -1236,13 +1236,13 @@ class ProfileControllerTest < ActionController::TestCase should 'display plugins tabs' do class Plugin1 < Noosfero::Plugin def profile_tabs - {:title => 'Plugin1 tab', :id => 'plugin1_tab', :content => proc { 'Content from plugin1.' }} + {:title => 'Plugin1 tab', :id => 'plugin1_tab', :content => proc { 'Content from plugin1.'.html_safe }} end end class Plugin2 < Noosfero::Plugin def profile_tabs - {:title => 'Plugin2 tab', :id => 'plugin2_tab', :content => proc { 'Content from plugin2.' }} + {:title => 'Plugin2 tab', :id => 'plugin2_tab', :content => proc { 'Content from plugin2.'.html_safe }} end end Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s]) diff --git a/test/functional/profile_editor_controller_test.rb b/test/functional/profile_editor_controller_test.rb index b48fa5b..85a21c5 100644 --- a/test/functional/profile_editor_controller_test.rb +++ b/test/functional/profile_editor_controller_test.rb @@ -991,7 +991,7 @@ class ProfileEditorControllerTest < ActionController::TestCase should 'add extra content provided by plugins on edit' do class TestProfileEditPlugin < Noosfero::Plugin def profile_editor_extras - "" + "".html_safe end end Noosfero::Plugin.stubs(:all).returns([TestProfileEditPlugin.to_s]) @@ -1007,7 +1007,7 @@ class ProfileEditorControllerTest < ActionController::TestCase class TestProfileEditPlugin < Noosfero::Plugin def profile_editor_extras lambda do - render :text => "" + (render :text => "".html_safe).html_safe end end end @@ -1032,12 +1032,12 @@ class ProfileEditorControllerTest < ActionController::TestCase should 'add extra content on person info from plugins' do class Plugin1 < Noosfero::Plugin def profile_info_extra_contents - proc {"Plugin1 text"} + proc {"Plugin1 text".html_safe} end end class Plugin2 < Noosfero::Plugin def profile_info_extra_contents - proc {"Plugin2 text"} + proc {"Plugin2 text".html_safe} end end Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s]) 
@@ -1054,12 +1054,12 @@ class ProfileEditorControllerTest < ActionController::TestCase should 'add extra content on organization info from plugins' do class Plugin1 < Noosfero::Plugin def profile_info_extra_contents - proc {"Plugin1 text"} + proc {"Plugin1 text".html_safe} end end class Plugin2 < Noosfero::Plugin def profile_info_extra_contents - proc {"Plugin2 text"} + proc {"Plugin2 text".html_safe} end end Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s]) diff --git a/test/functional/search_controller_test.rb b/test/functional/search_controller_test.rb index a8f91e4..3e1fb19 100644 --- a/test/functional/search_controller_test.rb +++ b/test/functional/search_controller_test.rb @@ -149,13 +149,13 @@ class SearchControllerTest < ActionController::TestCase should 'include extra content supplied by plugins on product asset' do class Plugin1 < Noosfero::Plugin def asset_product_extras(product) - proc {"This is Plugin1 speaking!"} + proc {"This is Plugin1 speaking!".html_safe} end end class Plugin2 < Noosfero::Plugin def asset_product_extras(product) - proc {"This is Plugin2 speaking!"} + proc {"This is Plugin2 speaking!".html_safe} end end Noosfero::Plugin.stubs(:all).returns([Plugin1.to_s, Plugin2.to_s]) diff --git a/test/mocks/test/test_controller.rb b/test/mocks/test/test_controller.rb index d83dbfb..9fa627e 100644 --- a/test/mocks/test/test_controller.rb +++ b/test/mocks/test/test_controller.rb @@ -22,7 +22,7 @@ class TestController < ApplicationController end def help_textile_with_string - render :inline => '<%= help_textile "*my_bold_help_message*" %>' + render :inline => '<%= help_textile "*my_bold_help_message*".html_safe %>' end def help_textile_with_block diff --git a/test/unit/plugin_manager_test.rb b/test/unit/plugin_manager_test.rb index dfeeb57..3726a7a 100644 --- a/test/unit/plugin_manager_test.rb +++ b/test/unit/plugin_manager_test.rb 
@@ -43,13 +43,13 @@ class PluginManagerTest < ActiveSupport::TestCase class Plugin1 < Noosfero::Plugin def random_event - 'Plugin 1 action.' + 'Plugin 1 action.'.html_safe end end class Plugin2 < Noosfero::Plugin def random_event - 'Plugin 2 action.' + 'Plugin 2 action.'.html_safe end end Noosfero::Plugin.stubs(:all).returns(['PluginManagerTest::Plugin1', 'PluginManagerTest::Plugin2']) @@ -70,19 +70,19 @@ class PluginManagerTest < ActiveSupport::TestCase class Plugin1 < Noosfero::Plugin def random_event - 'Plugin 1 action.' + 'Plugin 1 action.'.html_safe end end class Plugin2 < Noosfero::Plugin def random_event - 'Plugin 2 action.' + 'Plugin 2 action.'.html_safe end end class Plugin3 < Noosfero::Plugin def random_event - 'Plugin 3 action.' + 'Plugin 3 action.'.html_safe end end Noosfero::Plugin.stubs(:all).returns(['PluginManagerTest::Plugin1', 'PluginManagerTest::Plugin2', 'PluginManagerTest::Plugin3']) -- libgit2 0.21.2