Commit 464b8a1c2b438cda7f000d22c92d40a05af28012
Exists in
send_email_to_admins
and in
5 other branches
Merge branch 'html-safe-tasks' into 'master'
html_safe: avoid escape task information string See merge request !889
Showing
2 changed files
with
9 additions
and
1 deletions
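--- a/app/views/profile_editor/_pending_tasks.html.erb
+++ b/app/views/profile_editor/_pending_tasks.html.erb
@@ -4,7 +4,7 @@
 <div class='pending-tasks'>
 <h2><%= _('You have pending requests') %></h2>
 <ul>
-<%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task))}) %>
+<%= safe_join(@pending_tasks.map {|task| content_tag('li', task_information(task).html_safe)}) %>
 </ul>
 <%= button(:todo, _('Process requests'), :controller => 'tasks', :action => 'index') %>
 </div>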
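Review bot: Calling `.html_safe` on the whole return value of `task_information(task)` in the view trusts every character the helper produces, and the helper is not visible in this diff. If it interpolates requestor or target names, or any other user-editable field, into the string without escaping, those values would now be rendered as markup on the profile page (stored XSS). It would be safer to keep the view as `content_tag('li', task_information(task))` and have the helper return a safe string itself, escaping each interpolated value with `h(...)` and building the anchor with `link_to`, so that only markup the helper generates is marked safe.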
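--- a/test/integration/safe_strings_test.rb
+++ b/test/integration/safe_strings_test.rb
@@ -84,4 +84,12 @@ class SafeStringsTest < ActionDispatch::IntegrationTest
 }
 end
 
+should 'not escape task information on manage profile' do
+create_user('marley', :password => 'test', :password_confirmation => 'test').activate
+person = Person['marley']
+task = create(Task, :requestor => person, :target => person)
+login 'marley', 'test'
+get "/myprofile/marley"
+assert_select ".pending-tasks ul li a"
+end
 end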
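Review bot: The new test only proves that an `a` element is rendered inside the list item; it does not check that user-supplied text in the task line is still escaped after the `.html_safe` change in the view. A companion case that gives the requestor a name containing markup (constructed sample: `'<b>marley</b>'`) and asserts `assert_select '.pending-tasks ul li b', 0` would pin that down, assuming the name is part of the task information string. The local `task` is assigned but never read, so a bare `create(Task, :requestor => person, :target => person)` would do. The enclosing class starts outside the hunk.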