Commit edfe30e869228bbc2ca2a7c7497bc65bed8d7336

Authored by Daniela Feitosa
1 parent d5b1ae1c

Added xss_terminate to title of uploaded_file

Also:
  * Moved integration tests to content_viewer functional test
  * Removed image_label unused method

(ActionItem1894)
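--- a/app/helpers/content_viewer_helper.rb
+++ b/app/helpers/content_viewer_helper.rb
@@ -30,10 +30,6 @@ module ContentViewerHelper
 link_to( number_of_comments(article), article.url.merge(:anchor => 'comments_list') )
 end
 
-def image_label(image)
-image.title.first(40) + (image.title.size > 40 ? '…' : '')
-end
-
 def article_translations(article)
 unless article.native_translation.translations.empty?
 links = (article.native_translation.translations + [article.native_translation]).map do |translation|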
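--- a/app/models/uploaded_file.rb
+++ b/app/models/uploaded_file.rb
@@ -9,6 +9,8 @@ class UploadedFile < Article
 include ShortFilename
 
 settings_items :title, :type => 'string'
+xss_terminate :only => [ :title ]
+
 def title_with_default
 title_without_default || short_filename(name, 60)
 end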
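Review bot: `xss_terminate :only => [ :title ]` is applied to an attribute that `settings_items :title` declares as a serialized setting rather than a database column, so whether the filter ever sees the value depends on how the vendored plugin reads and writes its listed fields; if it goes through `self[field]` it would be a silent no-op for a settings item, and nothing in this commit shows the model-level result. The only coverage added is the functional test on the rendered gallery, which would also pass if a view helper stripped the tags. A unit test on the model, e.g. `assert_equal 'my img title', UploadedFile.create!(:title => '<b>my img title</b>', :profile => profile, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png')).title`, would pin the sanitization where it is declared. A one-line comment above the declaration, `# strip HTML from the user-supplied title before it is stored (rendered raw in the gallery listing)`, would record why only this field is filtered.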
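--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -875,17 +875,24 @@ class ContentViewerControllerTest < Test::Unit::TestCase
 assert_no_tag :tag => 'a', :content => 'Upload files', :attributes => {:href => /parent_id=#{b.id}/}
 end
 
-should 'show only first 40 chars of abstract in image gallery' do
+should 'display title of image on image gallery' do
 login_as(profile.identifier)
-folder = Gallery.create!(:name => 'gallery', :profile => profile)
-file = UploadedFile.create!(:profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+folder = fast_create(Gallery, :profile_id => profile.id)
+file = UploadedFile.create!(:title => 'my img title', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+
+get :view_page, :profile => profile.identifier, :page => folder.explode_path
 
-file.abstract = 'a long abstract bigger then 40 chars for testing'
-file.save!
+assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
+end
+
+should 'not allow html on title of the images' do
+login_as(profile.identifier)
+folder = fast_create(Gallery, :profile_id => profile.id)
+file = UploadedFile.create!(:title => '<b>my img title</b>', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
 
 get :view_page, :profile => profile.identifier, :page => folder.explode_path
 
-assert_tag :tag => 'li', :attributes => {:class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'a long abstract bigger then 40 chars for…'}
+assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
 end
 
 should 'allow publisher owner view private articles' do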
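Review bot: The 'not allow html on title of the images' test only observes the rendered gallery, so it cannot tell whether the tags were removed by the model's `xss_terminate` or by something in the view; the `file` it creates is never inspected. Adding `assert_equal 'my img title', file.title` right after the `create!` would tie the test to the model behaviour this commit introduces, and also gives `file` a use. The deleted integration test additionally checked that the abstract is not rendered raw in the listing (`assert_no_match(/my img1 <b>long description/, @response.body)`); that check is not carried over here, so the `abstract` field keeps no coverage against markup leaking into the gallery.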
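--- a/test/integration/gallery_test.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class GalleryTest < ActionController::IntegrationTest
-
-def setup
-p = create_user('test_user').person
-g = fast_create(Gallery, :profile_id => p.id, :path => 'pics')
-image = UploadedFile.create!(
-:uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'),
-:parent => g,
-:profile => p,
-:title => 'my img1 title',
-:abstract => 'my img1 <b>long description</b>'
-)
-image = UploadedFile.create!(
-:uploaded_data => fixture_file_upload('/files/other-pic.jpg', 'image/jpg'),
-:parent => g,
-:profile => p,
-:title => '<b must scape title>',
-:abstract => 'that is my picture description'
-)
-get '/test_user/pics'
-end
-
-should 'display the title of the images when listing' do
-assert_tag :tag => 'li', :attributes => { :title => 'my img1 title' }
-assert_select '.image-gallery-item span', 'my img1 title'
-assert_no_match(/my img1 <b>long description/, @response.body)
-end
-
-should 'scape the title of the images' do
-assert_select '.image-gallery-item:first-child span',
-'&lt;b must scape title&gt;'
-end
-
-end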