diff --git a/app/helpers/content_viewer_helper.rb b/app/helpers/content_viewer_helper.rb
index 486b2ea..8fc4960 100644
--- a/app/helpers/content_viewer_helper.rb
+++ b/app/helpers/content_viewer_helper.rb
@@ -30,10 +30,6 @@ module ContentViewerHelper
link_to( number_of_comments(article), article.url.merge(:anchor => 'comments_list') )
end
- def image_label(image)
- image.title.first(40) + (image.title.size > 40 ? '…' : '')
- end
-
def article_translations(article)
unless article.native_translation.translations.empty?
links = (article.native_translation.translations + [article.native_translation]).map do |translation|
diff --git a/app/models/uploaded_file.rb b/app/models/uploaded_file.rb
index ef23258..029929b 100644
--- a/app/models/uploaded_file.rb
+++ b/app/models/uploaded_file.rb
@@ -9,6 +9,8 @@ class UploadedFile < Article
include ShortFilename
settings_items :title, :type => 'string'
+ xss_terminate :only => [ :title ]
+
def title_with_default
title_without_default || short_filename(name, 60)
end
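Review bot: `xss_terminate :only => [ :title ]` only filters the title at save time, so any `UploadedFile` rows written before this change keep whatever markup they already hold, and the view still has to HTML-escape the title when it renders the `li` title attribute and the `span` (the deleted `test/integration/gallery_test.rb` asserted exactly that escaping). Output escaping should stay the primary control, with a one-off re-save or migration of existing titles if stored markup is a concern. The filter `xss_terminate` applies by default (strip tags vs. sanitize allowing some tags) is not visible here; for a value that lands in an HTML attribute, confirm it strips rather than only whitelists, and consider making that explicit, e.g. `xss_terminate :only => [ :title ], :with => 'white_list'` or whatever the plugin's strip option is named. The `class UploadedFile` body continues outside the hunk.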
diff --git a/test/functional/content_viewer_controller_test.rb b/test/functional/content_viewer_controller_test.rb
index 52c6b05..5aa1cc2 100644
--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -875,17 +875,24 @@ class ContentViewerControllerTest < Test::Unit::TestCase
assert_no_tag :tag => 'a', :content => 'Upload files', :attributes => {:href => /parent_id=#{b.id}/}
end
- should 'show only first 40 chars of abstract in image gallery' do
+ should 'display title of image on image gallery' do
login_as(profile.identifier)
- folder = Gallery.create!(:name => 'gallery', :profile => profile)
- file = UploadedFile.create!(:profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+ folder = fast_create(Gallery, :profile_id => profile.id)
+ file = UploadedFile.create!(:title => 'my img title', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+
+ get :view_page, :profile => profile.identifier, :page => folder.explode_path
- file.abstract = 'a long abstract bigger then 40 chars for testing'
- file.save!
+ assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
+ end
+
+ should 'not allow html on title of the images' do
+ login_as(profile.identifier)
+ folder = fast_create(Gallery, :profile_id => profile.id)
+ file = UploadedFile.create!(:title => 'my img title', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
get :view_page, :profile => profile.identifier, :page => folder.explode_path
- assert_tag :tag => 'li', :attributes => {:class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'a long abstract bigger then 40 chars for…'}
+ assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
end
should 'allow publisher owner view private articles' do
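Review bot: The new test `should 'not allow html on title of the images'` never puts HTML into the title — it creates the file with `:title => 'my img title'` and asserts exactly what the test above it asserts, so it passes with or without the `xss_terminate` line in the model. Give it a title that carries markup and assert the tag does not survive, e.g. `:title => '<b>my img title</b>'` followed by `assert_no_tag :tag => 'b', :content => 'my img title'` alongside the existing `assert_tag` for the plain text. The removed integration test's check that a title such as `<b must scape title>` is rendered as escaped text rather than markup is not carried over either, so output escaping of the gallery title is now uncovered; a second case with a non-tag `<` sequence would close that gap. The old test body was the only place the 40-character truncation was exercised, and its removal matches the deleted `image_label` helper, so no further cleanup is needed there.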
diff --git a/test/integration/gallery_test.rb b/test/integration/gallery_test.rb
deleted file mode 100644
index b575eea..0000000
--- a/test/integration/gallery_test.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class GalleryTest < ActionController::IntegrationTest
-
- def setup
- p = create_user('test_user').person
- g = fast_create(Gallery, :profile_id => p.id, :path => 'pics')
- image = UploadedFile.create!(
- :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'),
- :parent => g,
- :profile => p,
- :title => 'my img1 title',
- :abstract => 'my img1 long description'
- )
- image = UploadedFile.create!(
- :uploaded_data => fixture_file_upload('/files/other-pic.jpg', 'image/jpg'),
- :parent => g,
- :profile => p,
- :title => '',
- :abstract => 'that is my picture description'
- )
- get '/test_user/pics'
- end
-
- should 'display the title of the images when listing' do
- assert_tag :tag => 'li', :attributes => { :title => 'my img1 title' }
- assert_select '.image-gallery-item span', 'my img1 title'
- assert_no_match(/my img1 long description/, @response.body)
- end
-
- should 'scape the title of the images' do
- assert_select '.image-gallery-item:first-child span',
- '<b must scape title>'
- end
-
-end
--
libgit2 0.21.2