Commit edfe30e869228bbc2ca2a7c7497bc65bed8d7336

Authored by Daniela Feitosa
1 parent d5b1ae1c

Added xss_terminate to title of uploaded_file

Also:
  * Moved integration tests to content_viewer functional test
  * Removed image_label unused method

(ActionItem1894)
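--- a/app/helpers/content_viewer_helper.rb
+++ b/app/helpers/content_viewer_helper.rb
@@ -30,10 +30,6 @@ module ContentViewerHelper
     link_to( number_of_comments(article), article.url.merge(:anchor => 'comments_list') )
   end
 
-  def image_label(image)
-    image.title.first(40) + (image.title.size > 40 ? '…' : '')
-  end
-
   def article_translations(article)
     unless article.native_translation.translations.empty?
       links = (article.native_translation.translations + [article.native_translation]).map do |translation|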
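--- a/app/models/uploaded_file.rb
+++ b/app/models/uploaded_file.rb
@@ -9,6 +9,8 @@ class UploadedFile < Article
   include ShortFilename
 
   settings_items :title, :type => 'string'
+  xss_terminate :only => [ :title ]
+
   def title_with_default
     title_without_default || short_filename(name, 60)
   end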
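Review bot: `xss_terminate :only => [ :title ]` runs in a save callback, so titles stored before this commit, and any write that skips callbacks, keep whatever markup they already carry; a one-off cleanup of existing `UploadedFile` titles is worth considering, and the line deserves a comment such as `# strip markup from the title on save; it is rendered both as text and as an HTML attribute, so the view must still escape it`. Because `title` is declared through `settings_items` rather than as a real column, this also relies on the vendored plugin resolving the field through the accessor instead of the column list; the new functional test exercises that path, but the dependency is not visible in this hunk. The plugin's configuration is not shown here either, so whether tags are stripped or allow-listed cannot be confirmed; the accompanying test expects them stripped, which would likely reduce a title like `<b must scape title>` (from the deleted integration test) to an empty string, and `title_with_default` would then display that empty string rather than the filename, since `""` is truthy in Ruby.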
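--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -875,17 +875,24 @@ class ContentViewerControllerTest < Test::Unit::TestCase
     assert_no_tag :tag => 'a', :content => 'Upload files', :attributes => {:href => /parent_id=#{b.id}/}
   end
 
-  should 'show only first 40 chars of abstract in image gallery' do
+  should 'display title of image on image gallery' do
     login_as(profile.identifier)
-    folder = Gallery.create!(:name => 'gallery', :profile => profile)
-    file = UploadedFile.create!(:profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+    folder = fast_create(Gallery, :profile_id => profile.id)
+    file = UploadedFile.create!(:title => 'my img title', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+
+    get :view_page, :profile => profile.identifier, :page => folder.explode_path
 
-    file.abstract = 'a long abstract bigger then 40 chars for testing'
-    file.save!
+    assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
+  end
+
+  should 'not allow html on title of the images' do
+    login_as(profile.identifier)
+    folder = fast_create(Gallery, :profile_id => profile.id)
+    file = UploadedFile.create!(:title => '<b>my img title</b>', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
 
     get :view_page, :profile => profile.identifier, :page => folder.explode_path
 
-    assert_tag :tag => 'li', :attributes => {:class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'a long abstract bigger then 40 chars for…'}
+    assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
   end
 
   should 'allow publisher owner view private articles' do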
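Review bot: The deleted integration test's 'scape the title of the images' case, which asserted the rendered `&lt;b must scape title&gt;`, has no counterpart in the new functional tests; 'not allow html on title of the images' only proves that markup is stripped when the record is saved, not that the view escapes what survives. Characters such as `"` and `&` pass through a tag stripper untouched and then land inside the `li`'s `title="..."` attribute and the `span`, so a regression in the view's escaping would go unnoticed. A test along the lines below would restore that coverage (the exact entities to expect depend on the escaping helper the view uses, which is not shown here). The two new tests also repeat the same three setup lines; a small helper that creates the gallery and file for a given title would shorten both.
```ruby
  should 'escape title of images when rendering the gallery' do
    login_as(profile.identifier)
    folder = fast_create(Gallery, :profile_id => profile.id)
    file = UploadedFile.create!(:title => 'my "img" & title', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))

    get :view_page, :profile => profile.identifier, :page => folder.explode_path

    # a tag stripper leaves quotes and ampersands alone, so only output escaping keeps them out of the attribute
    assert_no_match(/title="my "img"/, @response.body)
    assert_match(/&quot;img&quot; &amp; title/, @response.body)
  end
```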
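--- a/test/integration/gallery_test.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class GalleryTest < ActionController::IntegrationTest
-
-  def setup
-    p = create_user('test_user').person
-    g = fast_create(Gallery, :profile_id => p.id, :path => 'pics')
-    image = UploadedFile.create!(
-      :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'),
-      :parent => g,
-      :profile => p,
-      :title => 'my img1 title',
-      :abstract => 'my img1 <b>long description</b>'
-    )
-    image = UploadedFile.create!(
-      :uploaded_data => fixture_file_upload('/files/other-pic.jpg', 'image/jpg'),
-      :parent => g,
-      :profile => p,
-      :title => '<b must scape title>',
-      :abstract => 'that is my picture description'
-    )
-    get '/test_user/pics'
-  end
-
-  should 'display the title of the images when listing' do
-    assert_tag :tag => 'li', :attributes => { :title => 'my img1 title' }
-    assert_select '.image-gallery-item span', 'my img1 title'
-    assert_no_match(/my img1 <b>long description/, @response.body)
-  end
-
-  should 'scape the title of the images' do
-    assert_select '.image-gallery-item:first-child span',
-      '&lt;b must scape title&gt;'
-  end
-
-end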