[Git][noosfero/noosfero][master] Not escape html in people suggestions

Victor Costa gitlab at mg.gitlab.com
Thu Aug 4 16:56:35 BRT 2016


Victor Costa pushed to branch master at Noosfero / noosfero


Commits:
f16ec7f4 by Victor Costa at 2016-08-04T16:55:55-03:00
Not escape html in people suggestions

- - - - -


2 changed files:

- app/helpers/application_helper.rb
- app/views/shared/_profile_connections.html.erb


Changes:

=====================================
app/helpers/application_helper.rb
=====================================
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1183,10 +1183,10 @@ module ApplicationHelper
     end
 
     controller_target = suggestion.suggestion_type == 'Person' ? :friends : :memberships
-    profiles << link_to("<big> +#{suggestion.profile_connections.count - 4}</big>", :controller => controller_target, :action => :connections, :id => suggestion.suggestion_id) if suggestion.profile_connections.count > 4
+    profiles << link_to("<big> +#{suggestion.profile_connections.count - 4}</big>".html_safe, :controller => controller_target, :action => :connections, :id => suggestion.suggestion_id) if suggestion.profile_connections.count > 4
 
     if profiles.present?
-      content_tag(:div, profiles.join , :class => 'profile-connections')
+      content_tag(:div, profiles.safe_join , :class => 'profile-connections')
     else
       ''
     end
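Review bot: On the `link_to("<big> +#{...}</big>".html_safe, ...)` line, `.html_safe` is applied to a string built by interpolation, which is only safe because the interpolated value is an integer (`suggestion.profile_connections.count - 4`). If that expression is ever changed to include profile-controlled text, it will be rendered unescaped. Building the label with `content_tag(:big, "+#{suggestion.profile_connections.count - 4}")` would keep the markup without marking an interpolated string as safe. Separately, `profiles.safe_join` calls `safe_join` as an Array method, while Rails ships it as a view helper (`safe_join(profiles)`); nothing in this hunk shows where an Array version is defined, so please confirm it exists and that it escapes any non-`html_safe` element of `profiles`, as the helper does.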


=====================================
app/views/shared/_profile_connections.html.erb
=====================================
--- a/app/views/shared/_profile_connections.html.erb
+++ b/app/views/shared/_profile_connections.html.erb
@@ -4,7 +4,7 @@
     <ul class="profile-list">
       <% profiles.each do |profile| %>
         <li>
-        <%= link_to_profile profile_image(profile) + '<br/>' + profile.short_name,
+        <%= link_to_profile profile_image(profile) + '<br/>'.html_safe + profile.short_name,
                             profile.identifier, :class => 'profile-link' %>
         </li>
       <% end %>
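Review bot: In `profile_image(profile) + '<br/>'.html_safe + profile.short_name`, the escaping of `profile.short_name` now depends implicitly on `profile_image(profile)` returning an `html_safe` buffer and on `short_name` staying a plain string; the line gives no hint of that, and `short_name` is profile data. Making it explicit would be sturdier, for example `safe_join([profile_image(profile), tag(:br), profile.short_name])`, which also removes the need to call `.html_safe` on a literal. A view or helper test that renders a profile whose name contains markup characters and checks they come out escaped would guard this line against regressions.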



View it on GitLab: https://gitlab.com/noosfero/noosfero/commit/f16ec7f40f8a718f3860db79ebf6a17ce30f462e