not escape HTML on LinkListBlock edition

Joenio Costa
1 parent d2753ec3
Showing 3 changed files with 17 additions and 5 deletions Show diff stats
app/models/link_list_block.rb
app/views/box_organizer/_icon_selector.html.erb
test/integration/safe_strings_test.rb
@@ -81,10 +81,8 @@ class LinkListBlock &lt; Block
     end
   end
  
-  def icons_options
-    ICONS.map do |i|
-      "<span title=\"#{i[1]}\" class=\"icon-#{i[0]}\" onclick=\"changeIcon(this, '#{i[0]}')\"></span>".html_safe
-    end
+  def icons
+    ICONS
   end
  
 end
@@ -2,6 +2,8 @@
   <%= hidden_field_tag 'block[links][][icon]', icon %>
   <span class='icon-<%= icon %>' style='display:block; width:16px; height:16px;'></span>
   <div class="icon-selector" style='display:none;'>
-     <%= @block.icons_options.join %>
+    <% @block.icons.map do |i| %>
+      <%= content_tag('span', '', :title => i[1], :class => "icon-#{i[0]}", :onclick => "changeIcon(this, '#{i[0]}')") %>
+    <% end %>
   </div>
 </div>
@@ -163,4 +163,16 @@ class SafeStringsTest &lt; ActionDispatch::IntegrationTest
     get url_for(action: :edit, controller: :profile_design, profile: person.identifier, id: block.id)
     assert_select '.block-config-options .image-data-line'
   end
+
+  should 'not escape icons options editing link_list block' do
+    create_user('jimi', :password => 'test', :password_confirmation => 'test').activate
+    profile = Person['jimi']
+    login 'jimi', 'test'
+    profile.blocks.each(&:destroy)
+    profile.boxes.first.blocks << LinkListBlock.new
+    block = profile.boxes.first.blocks.first
+    get "/myprofile/#{profile.identifier}/profile_design/edit/#{block.id}"
+    assert_select '.icon-selector .icon-edit'
+  end
+
 end
...	...	@@ -81,10 +81,8 @@ class LinkListBlock < Block
81	81	end
82	82	end
83	83
84		- def icons_options
85		- ICONS.map do \|i\|
86		- "<span title=\"#{i[1]}\" class=\"icon-#{i[0]}\" onclick=\"changeIcon(this, '#{i[0]}')\"></span>".html_safe
87		- end
	84	+ def icons
	85	+ ICONS
88	86	end
89	87
90	88	end
...	...
...	...	@@ -2,6 +2,8 @@
2	2	<%= hidden_field_tag 'block[links][][icon]', icon %>
3	3	<span class='icon-<%= icon %>' style='display:block; width:16px; height:16px;'></span>
4	4	<div class="icon-selector" style='display:none;'>
5		- <%= @block.icons_options.join %>
	5	+ <% @block.icons.map do \|i\| %>
	6	+ <%= content_tag('span', '', :title => i[1], :class => "icon-#{i[0]}", :onclick => "changeIcon(this, '#{i[0]}')") %>
	7	+ <% end %>
6	8	</div>
7	9	</div>
...	...
...	...	@@ -163,4 +163,16 @@ class SafeStringsTest < ActionDispatch::IntegrationTest
163	163	get url_for(action: :edit, controller: :profile_design, profile: person.identifier, id: block.id)
164	164	assert_select '.block-config-options .image-data-line'
165	165	end
	166	+
	167	+ should 'not escape icons options editing link_list block' do
	168	+ create_user('jimi', :password => 'test', :password_confirmation => 'test').activate
	169	+ profile = Person['jimi']
	170	+ login 'jimi', 'test'
	171	+ profile.blocks.each(&:destroy)
	172	+ profile.boxes.first.blocks << LinkListBlock.new
	173	+ block = profile.boxes.first.blocks.first
	174	+ get "/myprofile/#{profile.identifier}/profile_design/edit/#{block.id}"
	175	+ assert_select '.icon-selector .icon-edit'
	176	+ end
	177	+
166	178	end
...	...