Commit 944722f4313f435988e34f9e049f373551a7a997
Merge branch 'raw-html-article-edit' into 'master'
raw-html-article: escape body before rendering on edit See merge request !557
Showing
2 changed files
with
17 additions
and
4 deletions
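--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -92,6 +92,9 @@ class CmsController < MyProfileController
 
 @article.article_privacy_exceptions = params[:q].split(/,/).map{|n| environment.people.find n.to_i} unless params[:q].nil?
 
+@escaped_body = CGI::escapeHTML(@article.body || '')
+@escaped_abstract = CGI::escapeHTML(@article.abstract || '')
+
 @tokenized_children = prepare_to_token_input(
 profile.members.includes(:articles_with_access).find_all{ |m|
 m.articles_with_access.include?(@article)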
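Review bot: Pre-escaping into `@escaped_body` and `@escaped_abstract` here ties the shared `_lead_and_body` partial to this one action: any other render path that reaches the partial's `@article.kind_of?(Article)` branch without going through this code gets a nil value and an empty textarea, and a user who then saves the form would wipe the article's body. Output escaping belongs at the point of output, so the view can call it directly, e.g. `text_area_tag("article[body]", ERB::Util.html_escape(@article.body.to_s), body_options)`, and these two assignments can go. If the assignments stay, a comment saying why a plain escape is needed for this article type would help the next reader, e.g. `# raw-HTML article bodies are stored as markup; escape once so the editor shows it as text` — the exact reason (whether the model marks body html_safe) is not visible in this hunk. The enclosing action starts and ends outside the hunk.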
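--- a/app/views/shared/_lead_and_body.html.erb
+++ b/app/views/shared/_lead_and_body.html.erb
@@ -19,17 +19,27 @@
 
 <div class='article-lead' id="article-lead-<%=lead_id.to_s%>">
 
+<% abstract_options = {:style => 'width: 100%; height: 200px;', :class => editor_type} %>
 <% if f %>
-<%= labelled_form_field(_(abstract_label), f.text_area(abstract_method, :style => 'width: 100%; height: 200px;', :class => editor_type)) %>
+<%= labelled_form_field(_(abstract_label), f.text_area(abstract_method, abstract_options)) %>
 <% else %>
-<%= labelled_form_field(_(abstract_label), text_area(object, abstract_method, :style => 'width: 100%; height: 200px;', :class => editor_type)) %>
+<% if @article.kind_of?(Article) %>
+<%= labelled_form_field(_(abstract_label), text_area_tag("article[abstract]", @escaped_abstract, abstract_options)) %>
+<% else %>
+<%= labelled_form_field(_(abstract_label), text_area(object, abstract_method, abstract_options)) %>
+<% end %>
 <% end %>
 </div>
 <div style="margin-top: 10px;">
+<% body_options = {:style => 'width: 100%; height: 400px;', :class => editor_type} %>
 <% if f %>
-<%= labelled_form_field(_(body_label), f.text_area(body_method, :style => 'width: 100%; height: 400px;', :class => editor_type)) %>
+<%= labelled_form_field(_(body_label), f.text_area(body_method, body_options)) %>
 <% else %>
-<%= labelled_form_field(_(body_label), text_area(object, body_method, :style => 'width: 100%; height: 400px;', :class => editor_type)) %>
+<% if @article.kind_of?(Article) %>
+<%= labelled_form_field(_(body_label), text_area_tag("article[body]", @escaped_body, body_options)) %>
+<% else %>
+<%= labelled_form_field(_(body_label), text_area(object, body_method, body_options)) %>
+<% end %>
 <% end %>
 </div>
 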
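Review bot: On stock Rails `text_area_tag` escapes its content by default (`:escape => true`), and `CGI::escapeHTML` returns a plain String that is not `html_safe`, so the new lines 27 and 39 would encode the body twice: a body containing `<p>` would be emitted as `&amp;lt;p&amp;gt;`, appear in the editor as literal `&lt;p&gt;`, and be persisted in that form on save. Unless this codebase patches the helper, either drop the pre-escape and let the helper do it, or keep the pre-escaped value and add `:escape => false` to `body_options` and `abstract_options`, e.g. `<% body_options = {:style => 'width: 100%; height: 400px;', :class => editor_type, :escape => false} %>`; check by editing an article whose body contains `<` before merging. The hard-coded `"article[body]"` and `"article[abstract]"` names also bypass `object`/`body_method`/`abstract_method`, so this branch only posts to the right params key when the form's param root is `article`; a comment stating that assumption next to the `@article.kind_of?(Article)` check would make it explicit.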