Download as
Browse Code »

Commit 944722f4313f435988e34f9e049f373551a7a997

Authored by Larissa Reis
2 parents 6e6ba4e8 ea291c9a
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Merge branch 'raw-html-article-edit' into 'master' 

raw-html-article: escape body before rendering on edit

See merge request !557
Showing 2 changed files with 17 additions and 4 deletions   Show diff stats
app/controllers/my_profile/cms_controller.rb
  Diff comments   View file @944722f
@@ -92,6 +92,9 @@ class CmsController < MyProfileController @@ -92,6 +92,9 @@ class CmsController < MyProfileController
92 92
93 @article.article_privacy_exceptions = params[:q].split(/,/).map{|n| environment.people.find n.to_i} unless params[:q].nil? 93 @article.article_privacy_exceptions = params[:q].split(/,/).map{|n| environment.people.find n.to_i} unless params[:q].nil?
94 94
  95 + @escaped_body = CGI::escapeHTML(@article.body || '')
  96 + @escaped_abstract = CGI::escapeHTML(@article.abstract || '')
  97 +
95 @tokenized_children = prepare_to_token_input( 98 @tokenized_children = prepare_to_token_input(
96 profile.members.includes(:articles_with_access).find_all{ |m| 99 profile.members.includes(:articles_with_access).find_all{ |m|
97 m.articles_with_access.include?(@article) 100 m.articles_with_access.include?(@article)
app/views/shared/_lead_and_body.html.erb
  Diff comments   View file @944722f
@@ -19,17 +19,27 @@ @@ -19,17 +19,27 @@
19 19
20 <div class='article-lead' id="article-lead-<%=lead_id.to_s%>"> 20 <div class='article-lead' id="article-lead-<%=lead_id.to_s%>">
21 21
  22 + <% abstract_options = {:style => 'width: 100%; height: 200px;', :class => editor_type} %>
22 <% if f %> 23 <% if f %>
23 - <%= labelled_form_field(_(abstract_label), f.text_area(abstract_method, :style => 'width: 100%; height: 200px;', :class => editor_type)) %> 24 + <%= labelled_form_field(_(abstract_label), f.text_area(abstract_method, abstract_options)) %>
24 <% else %> 25 <% else %>
25 - <%= labelled_form_field(_(abstract_label), text_area(object, abstract_method, :style => 'width: 100%; height: 200px;', :class => editor_type)) %> 26 + <% if @article.kind_of?(Article) %>
  27 + <%= labelled_form_field(_(abstract_label), text_area_tag("article[abstract]", @escaped_abstract, abstract_options)) %>
  28 + <% else %>
  29 + <%= labelled_form_field(_(abstract_label), text_area(object, abstract_method, abstract_options)) %>
  30 + <% end %>
26 <% end %> 31 <% end %>
27 </div> 32 </div>
28 <div style="margin-top: 10px;"> 33 <div style="margin-top: 10px;">
  34 + <% body_options = {:style => 'width: 100%; height: 400px;', :class => editor_type} %>
29 <% if f %> 35 <% if f %>
30 - <%= labelled_form_field(_(body_label), f.text_area(body_method, :style => 'width: 100%; height: 400px;', :class => editor_type)) %> 36 + <%= labelled_form_field(_(body_label), f.text_area(body_method, body_options)) %>
31 <% else %> 37 <% else %>
32 - <%= labelled_form_field(_(body_label), text_area(object, body_method, :style => 'width: 100%; height: 400px;', :class => editor_type)) %> 38 + <% if @article.kind_of?(Article) %>
  39 + <%= labelled_form_field(_(body_label), text_area_tag("article[body]", @escaped_body, body_options)) %>
  40 + <% else %>
  41 + <%= labelled_form_field(_(body_label), text_area(object, body_method, body_options)) %>
  42 + <% end %>
33 <% end %> 43 <% end %>
34 </div> 44 </div>
35 45