[Git][noosfero/noosfero][master] CustomFormsPlugin: should not escape javascripts elements

Leandro Nunes gitlab at mg.gitlab.com
Mon Jul 4 17:39:32 BRT 2016


Leandro Nunes pushed to branch master at Noosfero / noosfero


Commits:
41f4497b by Leandro Nunes dos Santos at 2016-07-04T17:39:08-03:00
CustomFormsPlugin: should not escape javascripts elements

- - - - -


7 changed files:

- plugins/custom_forms/lib/custom_forms_plugin/helper.rb
- plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
- plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
- plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
- plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
- plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
- plugins/custom_forms/views/shared/_form_submission.html.erb


Changes:

=====================================
plugins/custom_forms/lib/custom_forms_plugin/helper.rb
=====================================
--- a/plugins/custom_forms/lib/custom_forms_plugin/helper.rb
+++ b/plugins/custom_forms/lib/custom_forms_plugin/helper.rb
@@ -71,7 +71,7 @@ module CustomFormsPlugin::Helper
   def display_custom_field(field, submission, form)
     sanitized_name = ActionView::Base.white_list_sanitizer.sanitize field.name
     answer = submission.answers.select{|answer| answer.field == field}.first
-    field_tag = send("display_#{type_for_options(field.class)}",field, answer, form)
+    field_tag = send("display_#{type_for_options(field.class)}",field, answer, form).html_safe
     if field.mandatory? && submission.id.nil?
       required(labelled_form_field(sanitized_name, field_tag))
     else
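Review bot: Calling `.html_safe` on the whole `field_tag` on the changed line switches off the escaping that previously covered everything the `display_*` helpers interpolate, and the `answer` value and the field's options are user-supplied, so any helper that builds its markup by string interpolation now renders stored XSS; nothing in the hunk shows how those helpers escape. The same assertion is repeated in `shared/_form_submission.html.erb`, which calls `.html_safe` on this method's return value again. Record the contract above the assignment, e.g. `# display_* helpers must escape answer and option values themselves; html_safe only skips re-escaping their tag markup`, and back it with a test that renders a field whose answer contains `<` and `"`. `display_custom_field` continues past the end of the hunk.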


=====================================
plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
=====================================
--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_field.html.erb
@@ -12,7 +12,7 @@
   <%= f.hidden_field(:position) %>
 
   <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-  <%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{CGI::escapeHTML(_('Are you sure you want to remove this field?').to_json)})" %>
+  <%= button_to_function :delete, _('Remove field'), "customFormsPlugin.removeFieldBox(this, #{_('Are you sure you want to remove this field?').to_json})" %>
   <%= yield %>
 </div>
 </fieldset>
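Review bot: Dropping `CGI::escapeHTML` on the changed line is correct only because `button_to_function` emits the string as an `onclick` attribute whose value the Rails tag helpers HTML-escape (so the `"` that `to_json` produces becomes `&quot;` and is decoded by the browser before the JS is parsed); the previous double escaping left literal `&quot;` inside the JS string. The same change is made in `_form.html.erb`, `_alternative.html.erb` and `_select_field.html.erb`, where the `button` helper is used instead, and if that helper marks its attributes `html_safe` the raw `"` from `to_json` would end the attribute early. Worth confirming with a view test that renders a field label containing `"` and `<` and asserts the attribute is escaped and the JSON literal is intact.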


=====================================
plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
=====================================
--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/_form.html.erb
@@ -51,8 +51,8 @@
 </ul>
 
 <div class="addition-buttons">
-  <%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json)}); return false")%>
-  <%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{CGI::escapeHTML(html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json)}); return false")%>
+  <%= button(:add, _('Add a new text field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{html_for_field(f, :fields, CustomFormsPlugin::TextField).to_json}); return false")%>
+  <%= button(:add, _('Add a new select field'), '#', :onclick => "customFormsPlugin.addFields(this, 'fields', #{html_for_field(f, :fields, CustomFormsPlugin::SelectField).to_json}); return false")%>
 </div>
 
 <%= button_bar do %>


=====================================
plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
=====================================
--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_alternative.html.erb
@@ -7,6 +7,6 @@
 
   <td>
     <%= f.hidden_field :_destroy, :class => 'destroy-field' %>
-    <%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{CGI::escapeHTML(_('Are you sure you want to remove this alternative?').to_json)})", :class => 'remove-field', :title => _('Remove alternative') %>
+    <%= button_to_function_without_text :remove, _('Remove alternative'), "customFormsPlugin.removeAlternative(this, #{_('Are you sure you want to remove this alternative?').to_json})", :class => 'remove-field', :title => _('Remove alternative') %>
   </td>
 </tr>


=====================================
plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
=====================================
--- a/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_myprofile/custom_forms_plugin/_select_field.html.erb
@@ -22,7 +22,7 @@
     <tfoot>
     <tr class="addition-buttons">
       <td colspan="3">
-      <%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{CGI::escapeHTML(html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json)}); return false") %>
+      <%= button(:add, _('Add a new alternative'), '#', :onclick => "customFormsPlugin.addFields(this, 'alternatives', #{html_for_field(f, :alternatives, CustomFormsPlugin::Alternative).to_json}); return false") %>
       </td>
     </tr>
     </tfoot>


=====================================
plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
=====================================
--- a/plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
+++ b/plugins/custom_forms/views/custom_forms_plugin_profile/show.html.erb
@@ -1,7 +1,7 @@
 <div id="custom-forms-plugin_submission">
 
 <h1><%= @form.name %></h1>
-<p><%= @form.description %></p>
+<p><%= @form.description.html_safe %></p>
 
 <% if @submission.id.nil? %>
   <% if @form.expired? %>
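Review bot: `@form.description.html_safe` on the changed line disables output escaping for text the form's creator typed in; unless `description` is sanitized on save (the helper sanitizes `field.name` with `white_list_sanitizer`, but nothing shown does so for `description`), any markup stored in it, including script, is rendered into every visitor's page. The new line also raises `NoMethodError` when `description` is nil, where the old line rendered an empty paragraph. Prefer `<p><%= sanitize @form.description %></p>`, which keeps the allowed formatting tags, strips script and attributes outside the allow-list, and handles nil.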


=====================================
plugins/custom_forms/views/shared/_form_submission.html.erb
=====================================
--- a/plugins/custom_forms/views/shared/_form_submission.html.erb
+++ b/plugins/custom_forms/views/shared/_form_submission.html.erb
@@ -1,5 +1,5 @@
 <% self.extend(CustomFormsPlugin::Helper) %>
 
 <% @form.fields.each do |field| %>
-  <%= display_custom_field(field, @submission, f.object_name) %>
+  <%= display_custom_field(field, @submission, f.object_name).html_safe %>
 <% end %>



View it on GitLab: https://gitlab.com/noosfero/noosfero/commit/41f4497bfd44d87c6c0e3cbf562360aaa1aae2c6