Commit edfe30e869228bbc2ca2a7c7497bc65bed8d7336
Added xss_terminate to title of uploaded_file
Also: * Moved integration tests to content_viewer functional test * Removed image_label unused method (ActionItem1894)
Showing
4 changed files
with
15 additions
and
46 deletions
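--- a/app/helpers/content_viewer_helper.rb
+++ b/app/helpers/content_viewer_helper.rb
@@ -30,10 +30,6 @@ module ContentViewerHelper
     link_to( number_of_comments(article), article.url.merge(:anchor => 'comments_list') )
   end
 
-  def image_label(image)
-    image.title.first(40) + (image.title.size > 40 ? '…' : '')
-  end
-
   def article_translations(article)
     unless article.native_translation.translations.empty?
       links = (article.native_translation.translations + [article.native_translation]).map do |translation|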
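--- a/app/models/uploaded_file.rb
+++ b/app/models/uploaded_file.rb
@@ -9,6 +9,8 @@ class UploadedFile < Article
   include ShortFilename
 
   settings_items :title, :type => 'string'
+  xss_terminate :only => [ :title ]
+
   def title_with_default
     title_without_default || short_filename(name, 60)
   end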
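Review bot: The new `xss_terminate :only => [ :title ]` is a write-time filter, so it only protects titles that pass through a save after this commit; rows persisted earlier keep whatever HTML they already hold, and the gallery template (not in this diff) must still escape the title on output rather than trusting the stored value. The fallback path directly below, `title_without_default || short_filename(name, 60)`, returns a value derived from `name`, which is not in the `:only` list, so `title_with_default` is not fully covered by this callback if `name` is user-controlled (presumably the upload filename — verify). I would state that limit where the callback is declared: `# Strips HTML from the stored title on save; does not cover rows saved before this callback existed nor the short_filename(name, 60) fallback below, so the view must still escape on output.` The class body continues outside this hunk.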
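--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -875,17 +875,24 @@ class ContentViewerControllerTest < Test::Unit::TestCase
     assert_no_tag :tag => 'a', :content => 'Upload files', :attributes => {:href => /parent_id=#{b.id}/}
   end
 
-  should 'show only first 40 chars of abstract in image gallery' do
+  should 'display title of image on image gallery' do
     login_as(profile.identifier)
-    folder = Gallery.create!(:name => 'gallery', :profile => profile)
-    file = UploadedFile.create!(:profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+    folder = fast_create(Gallery, :profile_id => profile.id)
+    file = UploadedFile.create!(:title => 'my img title', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
+
+    get :view_page, :profile => profile.identifier, :page => folder.explode_path
 
-    file.abstract = 'a long abstract bigger then 40 chars for testing'
-    file.save!
+    assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
+  end
+
+  should 'not allow html on title of the images' do
+    login_as(profile.identifier)
+    folder = fast_create(Gallery, :profile_id => profile.id)
+    file = UploadedFile.create!(:title => '<b>my img title</b>', :profile => profile, :parent => folder, :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'))
 
     get :view_page, :profile => profile.identifier, :page => folder.explode_path
 
-    assert_tag :tag => 'li', :attributes => {:class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'a long abstract bigger then 40 chars for…'}
+    assert_tag :tag => 'li', :attributes => {:title => 'my img title', :class => 'image-gallery-item'}, :child => {:tag => 'span', :content => 'my img title'}
   end
 
   should 'allow publisher owner view private articles' do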
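Review bot: The new 'not allow html on title of the images' test only proves that a well-formed `<b>…</b>` pair is stripped before rendering; the integration test this commit deletes also covered a title that is not well-formed markup, `'<b must scape title>'`, and asserted it was rendered escaped, and that case has no replacement here. Since the model now strips on save, that assertion can no longer be written against the exact text, but the property it guarded (no raw angle-bracket title reaching the response) can still be checked independently of how much the filter removes, e.g. a third test creating the file with `:title => '<b must scape title>'` and asserting `assert_no_match(/<b must scape title>/, @response.body)` after the same `get :view_page`. Without it, output escaping in the gallery template is untested if a later change relaxes or bypasses the save-time filter. The test class continues outside this hunk.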
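--- a/test/integration/gallery_test.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-require File.dirname(__FILE__) + '/../test_helper'
-
-class GalleryTest < ActionController::IntegrationTest
-
-  def setup
-    p = create_user('test_user').person
-    g = fast_create(Gallery, :profile_id => p.id, :path => 'pics')
-    image = UploadedFile.create!(
-      :uploaded_data => fixture_file_upload('/files/rails.png', 'image/png'),
-      :parent => g,
-      :profile => p,
-      :title => 'my img1 title',
-      :abstract => 'my img1 <b>long description</b>'
-    )
-    image = UploadedFile.create!(
-      :uploaded_data => fixture_file_upload('/files/other-pic.jpg', 'image/jpg'),
-      :parent => g,
-      :profile => p,
-      :title => '<b must scape title>',
-      :abstract => 'that is my picture description'
-    )
-    get '/test_user/pics'
-  end
-
-  should 'display the title of the images when listing' do
-    assert_tag :tag => 'li', :attributes => { :title => 'my img1 title' }
-    assert_select '.image-gallery-item span', 'my img1 title'
-    assert_no_match(/my img1 <b>long description/, @response.body)
-  end
-
-  should 'scape the title of the images' do
-    assert_select '.image-gallery-item:first-child span',
-      '<b must scape title>'
-  end
-
-end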