Commit d9a2d31d85b076c23529315ccfea83b5d97b2ae1

Authored by Braulio Bhavamitra
2 parents 0dd4a244 76f856ad

Merge branch 'product-qualifier-fix' into 'master'

Fixes Edit Product page

'Add new qualifiers' in edit product was broken in Rails 3 for two reasons: lack of escaping of HTML characters, and the qualifiers list wasn't accessible through mass assignment.

I came across this while working on another issue, but I decided to extract the commits and submit them to the master branch so we don't have to wait for the other merge request.

See merge request !401
app/helpers/content_viewer_helper.rb
... ... @@ -45,7 +45,7 @@ module ContentViewerHelper
45 45 { article.environment.locales[translation.language] => { :href => url_for(translation.url) } }
46 46 end
47 47 content_tag(:div, link_to(_('Translations'), '#',
48   - :onmouseover => "toggleSubmenu(this, '#{_('Translations')}', #{links.to_json}); return false",
  48 + :onmouseover => "toggleSubmenu(this, '#{_('Translations')}', #{CGI::escape_html(links.to_json)}); return false",
49 49 :class => 'article-translations-menu simplemenu-trigger up'),
50 50 :class => 'article-translations')
51 51 end
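Review bot: the translated label `_('Translations')` on the changed line is still interpolated raw into a single-quoted JavaScript string literal, while only `links.to_json` gets `CGI::escape_html`; a locale whose translation contains an apostrophe (or a `</script`-like sequence) would terminate the literal and break the `onmouseover` handler for every article page in that language. Suggest wrapping it the same way the JSON argument is treated, e.g. `'#{escape_javascript(_('Translations'))}'`, and noting in a comment that the attribute value is HTML-decoded by the browser before the JS is parsed, which is why `CGI::escape_html` is the outermost layer here.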
... ...
app/models/product.rb
... ... @@ -11,7 +11,7 @@ class Product < ActiveRecord::Base
11 11  
12 12 SEARCH_DISPLAYS = %w[map full]
13 13  
14   - attr_accessible :name, :product_category, :highlighted, :price, :enterprise, :image_builder, :description, :available, :qualifiers, :unit_id, :discount, :inputs
  14 + attr_accessible :name, :product_category, :highlighted, :price, :enterprise, :image_builder, :description, :available, :qualifiers, :unit_id, :discount, :inputs, :qualifiers_list
15 15  
16 16 def self.default_search_display
17 17 'full'
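Review bot: adding `:qualifiers_list` to `attr_accessible` widens the mass-assignment whitelist for every code path that calls `update_attributes`/`new` on `Product`, not only the edit-product form this commit targets, so the `qualifiers_list=` writer becomes the authorization boundary; please confirm it validates the qualifier and certifier ids it receives rather than trusting whatever arrives in `params[:product][:qualifiers_list]`. The line also now whitelists both `:qualifiers` and `:qualifiers_list`; if the former is no longer assigned from any form, dropping it would keep the writable surface minimal.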
... ...
app/views/manage_products/_edit_info.html.erb
... ... @@ -47,7 +47,7 @@
47 47 <%= button_to_function(
48 48 :add,
49 49 _('Add new qualifier'),
50   - "new_qualifier_row('#product-qualifiers-list', '#{escape_javascript(select_qualifiers(@product))}', '#{escape_javascript(remove_qualifier_button)}')"
  50 + "new_qualifier_row('#product-qualifiers-list', '#{escape_javascript(CGI::escape_html(select_qualifiers(@product)))}', '#{escape_javascript(CGI::escape_html(remove_qualifier_button))}')"
51 51 ) %>
52 52 <%= hidden_field_tag "product[qualifiers_list][nil]" %>
53 53 <% end %>
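Review bot: the escaping order on the changed line, `escape_javascript(CGI::escape_html(...))`, entity-encodes the `<select>` markup first and then JS-escapes it, so after the browser HTML-decodes the `onclick` attribute and the JS literal is parsed, `new_qualifier_row` receives `&lt;select ...&gt;` rather than the markup; this only renders correctly if that function decodes entities (or the attribute is itself HTML-escaped again by `button_to_function`, making the inner `CGI::escape_html` the layer that survives). Please add a comment explaining which of those is relied on, and a view test that renders this partial with a qualifier name containing `'`, `"` and `<` to pin the behaviour, since the previous version was also believed correct until a real name broke it.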
... ...