Merge commit 'refs/merge-requests/299' of git://gitorious.org/noosfero/noosfero …

…into merge-requests/299

Merge commit 'refs/merge-requests/299' of git://gitorious.org/noosfero/noosfero …
…into merge-requests/299
Rodrigo Souto
2 parents b1e9dfaf 1df7a3b9
Showing 2 changed files with 14 additions and 1 deletions Show diff stats
app/helpers/block_helper.rb
test/unit/block_helper_test.rb
@@ -3,7 +3,7 @@ module BlockHelper
   def block_title(title)
     tag_class = 'block-title'
     tag_class += ' empty' if title.empty?
-    content_tag 'h3', content_tag('span', title), :class => tag_class
+    content_tag 'h3', content_tag('span', h(title)), :class => tag_class
   end
 end
@@ -0,0 +1,13 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class BlogHelperTest < ActiveSupport::TestCase
+
+  include BlockHelper
+  include ActionView::Helpers::TagHelper
+
+  should 'escape title html' do
+    assert_no_match /<b>/, block_title('<b>test</b>')
+    assert_match /&lt;b&gt;test&lt;\/b&gt;/, block_title('<b>test</b>')
+  end
+
+end
	@@ -3,7 +3,7 @@ module BlockHelper		@@ -3,7 +3,7 @@ module BlockHelper
3	def block_title(title)	3	def block_title(title)
4	tag_class = 'block-title'	4	tag_class = 'block-title'
5	tag_class += ' empty' if title.empty?	5	tag_class += ' empty' if title.empty?
6	- content_tag 'h3', content_tag('span', title), :class => tag_class	6	+ content_tag 'h3', content_tag('span', h(title)), :class => tag_class
7	end	7	end
8		8
9	end	9	end
@@ -0,0 +1,13 @@		@@ -0,0 +1,13 @@
	1	+require File.dirname(__FILE__) + '/../test_helper'
	2	+
	3	+class BlogHelperTest < ActiveSupport::TestCase
	4	+
	5	+ include BlockHelper
	6	+ include ActionView::Helpers::TagHelper
	7	+
	8	+ should 'escape title html' do
	9	+ assert_no_match /<b>/, block_title('<b>test</b>')
	10	+ assert_match /<b>test<\/b>/, block_title('<b>test</b>')
	11	+ end
	12	+
	13	+end