Commit 5f98fb25d41fc1e1b72798e9d2250a02ab4aba7e
1 parent
bf667380
Exists in
master
and in
29 other branches
Fix custom_forms' buttons escaping HTML properly
Showing
4 changed files
with
5 additions
and
5 deletions
Show diff stats
plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
| @@ -12,7 +12,7 @@ | @@ -12,7 +12,7 @@ | ||
| 12 | <%= f.hidden_field(:position) %> | 12 | <%= f.hidden_field(:position) %> |
| 13 | 13 | ||
| 14 | <%= f.hidden_field :_destroy, :class => 'destroy-field' %> | 14 | <%= f.hidden_field :_destroy, :class => 'destroy-field' %> |
| 15 | - <%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{j _('Are you sure you want to remove this field?').to_json})" %> | 15 | + <%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{CGI::escapeHTML(_('Are you sure you want to remove this field?').to_json)})" %> |
| 16 | <%= yield %> | 16 | <%= yield %> |
| 17 | </div> | 17 | </div> |
| 18 | </fieldset> | 18 | </fieldset> |
plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
| @@ -31,8 +31,8 @@ | @@ -31,8 +31,8 @@ | ||
| 31 | </ul> | 31 | </ul> |
| 32 | 32 | ||
| 33 | <div class="addition-buttons"> | 33 | <div class="addition-buttons"> |
| 34 | - <%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{j html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json}); return false")%> | ||
| 35 | - <%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{j html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json}); return false")%> | 34 | + <%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json)}); return false")%> |
| 35 | + <%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json)}); return false")%> | ||
| 36 | </div> | 36 | </div> |
| 37 | 37 | ||
| 38 | <% button_bar do %> | 38 | <% button_bar do %> |
plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
| @@ -7,6 +7,6 @@ | @@ -7,6 +7,6 @@ | ||
| 7 | 7 | ||
| 8 | <td> | 8 | <td> |
| 9 | <%= f.hidden_field :_destroy, :class => 'destroy-field' %> | 9 | <%= f.hidden_field :_destroy, :class => 'destroy-field' %> |
| 10 | - <%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{j _('Are you sure you want to remove this alternative?').to_json})", :class => 'remove-field', :title => _('Remove alternative') %> | 10 | + <%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{CGI::escapeHTML(_('Are you sure you want to remove this alternative?').to_json)})", :class => 'remove-field', :title => _('Remove alternative') %> |
| 11 | </td> | 11 | </td> |
| 12 | </tr> | 12 | </tr> |
plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
| @@ -22,7 +22,7 @@ | @@ -22,7 +22,7 @@ | ||
| 22 | <tfoot> | 22 | <tfoot> |
| 23 | <tr class="addition-buttons"> | 23 | <tr class="addition-buttons"> |
| 24 | <td colspan="3"> | 24 | <td colspan="3"> |
| 25 | - <%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{j html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json}); return false") %> | 25 | + <%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{CGI::escapeHTML(html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json)}); return false") %> |
| 26 | </td> | 26 | </td> |
| 27 | </tr> | 27 | </tr> |
| 28 | </tfoot> | 28 | </tfoot> |