Commit edfe30e869228bbc2ca2a7c7497bc65bed8d7336
1 parent
d5b1ae1c
Exists in
master
and in
29 other branches
Added xss_terminate to title of uploaded_file
Also: * Moved integration tests to content_viewer functional test * Removed image_label unused method (ActionItem1894)
Showing
4 changed files
with
15 additions
and
46 deletions
Show diff stats
app/helpers/content_viewer_helper.rb
| @@ -30,10 +30,6 @@ module ContentViewerHelper | @@ -30,10 +30,6 @@ module ContentViewerHelper | ||
| 30 | link_to( number_of_comments(article), article.url.merge(:anchor => 'comments_list') ) | 30 | link_to( number_of_comments(article), article.url.merge(:anchor => 'comments_list') ) |
| 31 | end | 31 | end |
| 32 | 32 | ||
| 33 | - def image_label(image) | ||
| 34 | - image.title.first(40) + (image.title.size > 40 ? '…' : '') | ||
| 35 | - end | ||
| 36 | - | ||
| 37 | def article_translations(article) | 33 | def article_translations(article) |
| 38 | unless article.native_translation.translations.empty? | 34 | unless article.native_translation.translations.empty? |
| 39 | links = (article.native_translation.translations + [article.native_translation]).map do |translation| | 35 | links = (article.native_translation.translations + [article.native_translation]).map do |translation| |
app/models/uploaded_file.rb
| @@ -9,6 +9,8 @@ class UploadedFile < Article | @@ -9,6 +9,8 @@ class UploadedFile < Article | ||
| 9 | include ShortFilename | 9 | include ShortFilename |
| 10 | 10 | ||
| 11 | settings_items :title, :type => 'string' | 11 | settings_items :title, :type => 'string' |
| 12 | + xss_terminate :only => [ :title ] | ||
| 13 | + | ||
| 12 | def title_with_default | 14 | def title_with_default |
| 13 | title_without_default || short_filename(name, 60) | 15 | title_without_default || short_filename(name, 60) |
| 14 | end | 16 | end |
test/functional/content_viewer_controller_test.rb
| @@ -875,17 +875,24 @@ class ContentViewerControllerTest < Test::Unit::TestCase | @@ -875,17 +875,24 @@ class ContentViewerControllerTest < Test::Unit::TestCase | ||
| 875 | assert_no_tag :tag => 'a', :content => 'Upload files', :attributes => {:href => /parent_id=#{b.id}/} | 875 | assert_no_tag :tag => 'a', :content => 'Upload files', :attributes => {:href => /parent_id=#{b.id}/} |
| 876 | end | 876 | end |
| 877 | 877 | ||
| 878 | - should 'show only first 40 chars of abstract in image gallery' do | 878 | + should 'display title of image on image gallery' do |
| 879 | login_as(profile.identifier) | 879 | login_as(profile.identifier) |
| 880 | - folder = Gallery.create!(:name => 'gallery', :profile => profile) | ||
| 881 | - file = UploadedFile.create!(:profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png')) | 880 | + folder = fast_create(Gallery, :profile_id => profile.id) |
| 881 | + file = UploadedFile.create!(:title => 'my img title', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png')) | ||
| 882 | + | ||
| 883 | + get :view_page, :profile => profile.identifier, :page => folder.explode_path | ||
| 882 | 884 | ||
| 883 | - file.abstract = 'a long abstract bigger then 40 chars for testing' | ||
| 884 | - file.save! | 885 | + assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'} |
| 886 | + end | ||
| 887 | + | ||
| 888 | + should 'not allow html on title of the images' do | ||
| 889 | + login_as(profile.identifier) | ||
| 890 | + folder = fast_create(Gallery, :profile_id => profile.id) | ||
| 891 | + file = UploadedFile.create!(:title => '<b>my img title</b>', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png')) | ||
| 885 | 892 | ||
| 886 | get :view_page, :profile => profile.identifier, :page => folder.explode_path | 893 | get :view_page, :profile => profile.identifier, :page => folder.explode_path |
| 887 | 894 | ||
| 888 | - assert_tag :tag => 'li', :attributes => {:class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'a long abstract bigger then 40 chars for…'} | 895 | + assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'} |
| 889 | end | 896 | end |
| 890 | 897 | ||
| 891 | should 'allow publisher owner view private articles' do | 898 | should 'allow publisher owner view private articles' do |
test/integration/gallery_test.rb
| @@ -1,36 +0,0 @@ | @@ -1,36 +0,0 @@ | ||
| 1 | -require File.dirname(__FILE__) + '/../test_helper' | ||
| 2 | - | ||
| 3 | -class GalleryTest < ActionController::IntegrationTest | ||
| 4 | - | ||
| 5 | - def setup | ||
| 6 | - p = create_user('test_user').person | ||
| 7 | - g = fast_create(Gallery, :profile_id => p.id, :path => 'pics') | ||
| 8 | - image = UploadedFile.create!( | ||
| 9 | - :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'), | ||
| 10 | - :parent => g, | ||
| 11 | - :profile => p, | ||
| 12 | - :title => 'my img1 title', | ||
| 13 | - :abstract => 'my img1 <b>long description</b>' | ||
| 14 | - ) | ||
| 15 | - image = UploadedFile.create!( | ||
| 16 | - :uploaded_data => fixture_file_upload('/files/other-pic.jpg', 'image/jpg'), | ||
| 17 | - :parent => g, | ||
| 18 | - :profile => p, | ||
| 19 | - :title => '<b must scape title>', | ||
| 20 | - :abstract => 'that is my picture description' | ||
| 21 | - ) | ||
| 22 | - get '/test_user/pics' | ||
| 23 | - end | ||
| 24 | - | ||
| 25 | - should 'display the title of the images when listing' do | ||
| 26 | - assert_tag :tag => 'li', :attributes => { :title => 'my img1 title' } | ||
| 27 | - assert_select '.image-gallery-item span', 'my img1 title' | ||
| 28 | - assert_no_match(/my img1 <b>long description/, @response.body) | ||
| 29 | - end | ||
| 30 | - | ||
| 31 | - should 'scape the title of the images' do | ||
| 32 | - assert_select '.image-gallery-item:first-child span', | ||
| 33 | - '<b must scape title>' | ||
| 34 | - end | ||
| 35 | - | ||
| 36 | -end |