[Git][noosfero/noosfero][master] not escape HTML on LinkListBlock edition
Joenio Costa
gitlab at mg.gitlab.com
Mon May 16 17:40:09 BRT 2016
Joenio Costa pushed to branch master at Noosfero / noosfero
Commits:
db91caf2 by Joenio Costa at 2016-05-16T17:39:44-03:00
not escape HTML on LinkListBlock edition
- - - - -
3 changed files:
- app/models/link_list_block.rb
- app/views/box_organizer/_icon_selector.html.erb
- test/integration/safe_strings_test.rb
Changes:
=====================================
app/models/link_list_block.rb
=====================================
--- a/app/models/link_list_block.rb
+++ b/app/models/link_list_block.rb
@@ -81,10 +81,8 @@ class LinkListBlock < Block
end
end
- def icons_options
- ICONS.map do |i|
- "<span title=\"#{i[1]}\" class=\"icon-#{i[0]}\" onclick=\"changeIcon(this, '#{i[0]}')\"></span>".html_safe
- end
+ def icons
+ ICONS
end
end
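Review bot: the new `icons` method returns the `ICONS` constant itself and carries no comment on its element shape, even though callers must know that `i[0]` is the CSS class suffix and `i[1]` is the title (the removed `icons_options` used them that way). Add a one-line comment on `icons` stating this, and consider returning a frozen array or a copy so a caller cannot mutate the shared constant. Since `icons_options` was a public method, check for remaining callers outside this view before merging, because they would now fail with NoMethodError.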
=====================================
app/views/box_organizer/_icon_selector.html.erb
=====================================
--- a/app/views/box_organizer/_icon_selector.html.erb
+++ b/app/views/box_organizer/_icon_selector.html.erb
@@ -2,6 +2,8 @@
<%= hidden_field_tag 'block[links][][icon]', icon %>
<span class='icon-<%= icon %>' style='display:block; width:16px; height:16px;'></span>
<div class="icon-selector" style='display:none;'>
- <%= @block.icons_options.join %>
+ <% @block.icons.map do |i| %>
+ <%= content_tag('span', '', :title => i[1], :class => "icon-#{i[0]}", :onclick => "changeIcon(this, '#{i[0]}')") %>
+ <% end %>
</div>
</div>
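Review bot: in the added `content_tag` line, `i[0]` is interpolated into a JavaScript string inside `:onclick`, and the HTML attribute escaping that `content_tag` applies does not protect that context, because the browser decodes the attribute before the script is parsed. This is safe only as long as the values come from the static `ICONS` constant; if icon names ever become configurable, pass the name through a `data-` attribute and read it from a bound handler, or escape it with `j`/`escape_javascript`. Separately, the loop uses `map` and discards the result; `each` states the intent better.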
=====================================
test/integration/safe_strings_test.rb
=====================================
--- a/test/integration/safe_strings_test.rb
+++ b/test/integration/safe_strings_test.rb
@@ -163,4 +163,16 @@ class SafeStringsTest < ActionDispatch::IntegrationTest
get url_for(action: :edit, controller: :profile_design, profile: person.identifier, id: block.id)
assert_select '.block-config-options .image-data-line'
end
+
+ should 'not escape icons options editing link_list block' do
+ create_user('jimi', :password => 'test', :password_confirmation => 'test').activate
+ profile = Person['jimi']
+ login 'jimi', 'test'
+ profile.blocks.each(&:destroy)
+ profile.boxes.first.blocks << LinkListBlock.new
+ block = profile.boxes.first.blocks.first
+ get "/myprofile/#{profile.identifier}/profile_design/edit/#{block.id}"
+ assert_select '.icon-selector .icon-edit'
+ end
+
end
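Review bot: the only assertion, `assert_select '.icon-selector .icon-edit'`, depends on an `edit` entry existing in `ICONS` and checks nothing about the `title` or `onclick` attributes that the view now builds with `content_tag`. Tighten it to something like `assert_select '.icon-selector span.icon-edit[title][onclick]'` so a regression in attribute rendering is caught, and consider renaming the test, since "icons options" refers to the `icons_options` method this commit removes.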
View it on GitLab: https://gitlab.com/noosfero/noosfero/commit/db91caf20b163543e4a81a12e507a188f83b5a9d