Commit 41f4497bfd44d87c6c0e3cbf562360aaa1aae2c6

Authored by Leandro Santos
1 parent fbdee132

CustomFormsPlugin: should not escape javascripts elements

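--- a/plugins/custom_forms/lib/custom_forms_plugin/helper.rb
+++ b/plugins/custom_forms/lib/custom_forms_plugin/helper.rb
@@ -71,7 +71,7 @@ module CustomFormsPlugin::Helper
 def display_custom_field(field, submission, form)
 sanitized_name = ActionView::Base.white_list_sanitizer.sanitize field.name
 answer = submission.answers.select{|answer| answer.field == field}.first
-field_tag = send("display_#{type_for_options(field.class)}",field, answer, form)
+field_tag = send("display_#{type_for_options(field.class)}",field, answer, form).html_safe
 if field.mandatory? && submission.id.nil?
 required(labelled_form_field(sanitized_name, field_tag))
 else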
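Review bot: The `.html_safe` appended on line 74 vouches for whatever the dynamically dispatched `display_*` helper returns, while the hunk itself treats field data as untrusted (line 72 runs `field.name` through `white_list_sanitizer`), so any `display_*` helper that interpolates `field` or `answer` values into a plain string instead of using tag helpers would now be rendered unescaped. A safer shape is to have each `display_*` helper return a SafeBuffer built with `content_tag`/`tag` and drop the blanket call here, or at minimum record the assumption next to it: `# display_* helpers must build markup with tag helpers only; html_safe here disables escaping of their output`. The caller in `plugins/custom_forms/views/shared/_form_submission.html.erb` adds a second `.html_safe` on the same value, which is redundant once this one is in place. `display_custom_field` continues past the end of the hunk.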
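--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
@@ -12,7 +12,7 @@
 <%= f.hidden_field(:position) %>
 
 <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-<%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{CGI::escapeHTML(_('Are you sure you want to remove this field?').to_json)})" %>
+<%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{_('Are you sure you want to remove this field?').to_json})" %>
 <%= yield %>
 </div>
 </fieldset>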
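Review bot: Dropping `CGI::escapeHTML` on line 15 means the JSON literal is placed in the inline handler with no HTML escaping of its own, so its safety inside the generated attribute now rests on two things the hunk does not show: that `button_to_function` emits the string through the tag helper, which escapes attribute values, and that `to_json` encodes `<`, `>` and `&` (governed by `ActiveSupport::JSON::Encoding.escape_html_entities_in_json`, which should be confirmed enabled for this app). Here the payload is a locale string, so exposure is limited to the translation catalog, but the same change is applied to another locale string in `_alternative.html.erb` and to `html_for_field(...)` output in `_form.html.erb` and `_select_field.html.erb`, where a rendered partial is the payload. Worth a short comment where the pattern is first used: `<%# JSON is HTML-escaped by the tag helper when placed in onclick; do not escape it twice %>`.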
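--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
@@ -51,8 +51,8 @@
 </ul>
 
 <div class="addition-buttons">
-<%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json)}); return false")%>
-<%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json)}); return false")%>
+<%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json}); return false")%>
+<%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json}); return false")%>
 </div>
 
 <%= button_bar do %>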
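--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
@@ -7,6 +7,6 @@
 
 <td>
 <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-<%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{CGI::escapeHTML(_('Are you sure you want to remove this alternative?').to_json)})", :class => 'remove-field', :title => _('Remove alternative') %>
+<%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{_('Are you sure you want to remove this alternative?').to_json})", :class => 'remove-field', :title => _('Remove alternative') %>
 </td>
 </tr>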
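--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
@@ -22,7 +22,7 @@
 <tfoot>
 <tr class="addition-buttons">
 <td colspan="3">
-<%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{CGI::escapeHTML(html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json)}); return false") %>
+<%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json}); return false") %>
 </td>
 </tr>
 </tfoot>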
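--- a/plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
@@ -1,7 +1,7 @@
 <div id="custom-forms-plugin_submission">
 
 <h1><%= @form.name %></h1>
-<p><%= @form.description %></p>
+<p><%= @form.description.html_safe %></p>
 
 <% if @submission.id.nil? %>
 <% if @form.expired? %>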
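Review bot: `@form.description.html_safe` on line 4 outputs a stored, user-editable field without escaping, which is a stored-XSS vector unless the form model sanitizes `description` on assignment — something this commit does not show. If the intent is to allow formatted descriptions, render it through the sanitizer instead of asserting trust in the view: `<p><%= sanitize @form.description %></p>`. If a model-level sanitizer does exist, a comment naming it next to this line would let the next reader verify the assumption.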
plugins/custom_forms/views/shared/_form_submission.html.erb
1 <% self.extend(CustomFormsPlugin::Helper) %> 1 <% self.extend(CustomFormsPlugin::Helper) %>
2 2
3 <% @form.fields.each do |field| %> 3 <% @form.fields.each do |field| %>
4 - <%= display_custom_field(field, @submission, f.object_name) %> 4 + <%= display_custom_field(field, @submission, f.object_name).html_safe %>
5 <% end %> 5 <% end %>