[noosfero/noosfero][master] 2 commits: raw-html-article: escape body before rendering on edit
Larissa Reis
gitlab at gitlab.com
Thu Jun 11 09:53:00 BRT 2015
Larissa Reis pushed to branch master at Noosfero / noosfero
Commits:
ea291c9a by Rodrigo Souto at 2015-06-01T17:03:06Z
raw-html-article: escape body before rendering on edit
- - - - -
944722f4 by Larissa Reis at 2015-06-11T12:52:52Z
Merge branch 'raw-html-article-edit' into 'master'
raw-html-article: escape body before rendering on edit
See merge request !557
- - - - -
2 changed files:
- app/controllers/my_profile/cms_controller.rb
- app/views/shared/_lead_and_body.html.erb
Changes:
=====================================
app/controllers/my_profile/cms_controller.rb
=====================================
--- a/app/controllers/my_profile/cms_controller.rb
+++ b/app/controllers/my_profile/cms_controller.rb
@@ -92,6 +92,9 @@ class CmsController < MyProfileController
@article.article_privacy_exceptions = params[:q].split(/,/).map{|n| environment.people.find n.to_i} unless params[:q].nil?
+ @escaped_body = CGI::escapeHTML(@article.body || '')
+ @escaped_abstract = CGI::escapeHTML(@article.abstract || '')
+
@tokenized_children = prepare_to_token_input(
profile.members.includes(:articles_with_access).find_all{ |m|
m.articles_with_access.include?(@article)
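Review bot: `CGI::escapeHTML` returns a plain (non-html_safe) String, and Rails' `text_area_tag` — which the paired view change feeds `@escaped_body` and `@escaped_abstract` into — escapes its content a second time by default unless `:escape => false` is given, so a `<` in a raw-HTML body may surface in the editor as `&lt;`; worth confirming against the Rails version in use. If the pre-escaping exists because the form builder skipped escaping (presumably `Article#body` is html_safe, which the hunk does not show), the intent deserves a comment such as `# body may be html_safe, so the form helper would not escape it; escape once here and render with :escape => false`. `@article.body.to_s` would also be safer than `|| ''`, since a non-String body would otherwise reach `escapeHTML`. The enclosing action starts and ends outside the hunk.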
=====================================
app/views/shared/_lead_and_body.html.erb
=====================================
--- a/app/views/shared/_lead_and_body.html.erb
+++ b/app/views/shared/_lead_and_body.html.erb
@@ -19,17 +19,27 @@
<div class='article-lead' id="article-lead-<%=lead_id.to_s%>">
+ <% abstract_options = {:style => 'width: 100%; height: 200px;', :class => editor_type} %>
<% if f %>
- <%= labelled_form_field(_(abstract_label), f.text_area(abstract_method, :style => 'width: 100%; height: 200px;', :class => editor_type)) %>
+ <%= labelled_form_field(_(abstract_label), f.text_area(abstract_method, abstract_options)) %>
<% else %>
- <%= labelled_form_field(_(abstract_label), text_area(object, abstract_method, :style => 'width: 100%; height: 200px;', :class => editor_type)) %>
+ <% if @article.kind_of?(Article) %>
+ <%= labelled_form_field(_(abstract_label), text_area_tag("article[abstract]", @escaped_abstract, abstract_options)) %>
+ <% else %>
+ <%= labelled_form_field(_(abstract_label), text_area(object, abstract_method, abstract_options)) %>
+ <% end %>
<% end %>
</div>
<div style="margin-top: 10px;">
+ <% body_options = {:style => 'width: 100%; height: 400px;', :class => editor_type} %>
<% if f %>
- <%= labelled_form_field(_(body_label), f.text_area(body_method, :style => 'width: 100%; height: 400px;', :class => editor_type)) %>
+ <%= labelled_form_field(_(body_label), f.text_area(body_method, body_options)) %>
<% else %>
- <%= labelled_form_field(_(body_label), text_area(object, body_method, :style => 'width: 100%; height: 400px;', :class => editor_type)) %>
+ <% if @article.kind_of?(Article) %>
+ <%= labelled_form_field(_(body_label), text_area_tag("article[body]", @escaped_body, body_options)) %>
+ <% else %>
+ <%= labelled_form_field(_(body_label), text_area(object, body_method, body_options)) %>
+ <% end %>
<% end %>
</div>
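Review bot: The new `@article.kind_of?(Article)` branches ignore the partial's own `object`, `abstract_method` and `body_method` locals and instead hard-code `article[abstract]`/`article[body]` with controller-set `@escaped_abstract`/`@escaped_body`, so any other renderer of this shared partial that places an Article in `@article` without setting those ivars gets an empty editor and can silently drop the existing text on save. A fallback that escapes in the view keeps the partial self-contained, e.g. `text_area_tag("article[body]", @escaped_body || CGI::escapeHTML(@article.body.to_s), body_options)`, and the field name should follow `body_method` rather than a fixed `body` if any Article subclass edits a different attribute. Since `text_area_tag` escapes its content by default, a pre-escaped value likely needs `:escape => false` here (or the raw value should be passed and the helper left to escape it); confirm which was intended. The surrounding form markup continues outside the hunk.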