[Git][noosfero/noosfero][master] not escape HTML on LinkListBlock edition

Joenio Costa gitlab at mg.gitlab.com
Mon May 16 17:40:09 BRT 2016


Joenio Costa pushed to branch master at Noosfero / noosfero


Commits:
db91caf2 by Joenio Costa at 2016-05-16T17:39:44-03:00
not escape HTML on LinkListBlock edition

- - - - -


3 changed files:

- app/models/link_list_block.rb
- app/views/box_organizer/_icon_selector.html.erb
- test/integration/safe_strings_test.rb


Changes:

=====================================
app/models/link_list_block.rb
=====================================
--- a/app/models/link_list_block.rb
+++ b/app/models/link_list_block.rb
@@ -81,10 +81,8 @@ class LinkListBlock < Block
     end
   end
 
-  def icons_options
-    ICONS.map do |i|
-      "<span title=\"#{i[1]}\" class=\"icon-#{i[0]}\" onclick=\"changeIcon(this, '#{i[0]}')\"></span>".html_safe
-    end
+  def icons
+    ICONS
   end
 
 end
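
Review bot: Dropping `icons_options` in favour of `icons` changes the block's public interface, and this commit only updates one caller (_icon_selector.html.erb); any other view or extension still calling `icons_options` would now raise NoMethodError, so it is worth grepping for the old name before merging. The new `icons` also returns the ICONS constant itself, with no comment saying that each entry is a pair whose first element is the CSS class suffix and whose second is the title; a one-line comment on the method would make that contract explicit for the view that indexes `i[0]` and `i[1]`.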


=====================================
app/views/box_organizer/_icon_selector.html.erb
=====================================
--- a/app/views/box_organizer/_icon_selector.html.erb
+++ b/app/views/box_organizer/_icon_selector.html.erb
@@ -2,6 +2,8 @@
   <%= hidden_field_tag 'block[links][][icon]', icon %>
   <span class='icon-<%= icon %>' style='display:block; width:16px; height:16px;'></span>
   <div class="icon-selector" style='display:none;'>
-     <%= @block.icons_options.join %>
+    <% @block.icons.map do |i| %>
+      <%= content_tag('span', '', :title => i[1], :class => "icon-#{i[0]}", :onclick => "changeIcon(this, '#{i[0]}')") %>
+    <% end %>
   </div>
 </div>
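
Review bot: In the added `:onclick` value, `i[0]` is interpolated into a JavaScript string literal, and `content_tag` only escapes for the HTML attribute context, not for the JavaScript string inside it. That is harmless while the values come from the hard-coded ICONS constant, but wrapping the value with `escape_javascript` (`j(i[0])`) would keep the handler safe if the icon list ever stops being static. Separately, the loop uses `map` purely for its side effect in the template; `each` states the intent better, and destructuring the pair (`do |name, title|`) would read more clearly than `i[0]` / `i[1]`.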


=====================================
test/integration/safe_strings_test.rb
=====================================
--- a/test/integration/safe_strings_test.rb
+++ b/test/integration/safe_strings_test.rb
@@ -163,4 +163,16 @@ class SafeStringsTest < ActionDispatch::IntegrationTest
     get url_for(action: :edit, controller: :profile_design, profile: person.identifier, id: block.id)
     assert_select '.block-config-options .image-data-line'
   end
+
+  should 'not escape icons options editing link_list block' do
+    create_user('jimi', :password => 'test', :password_confirmation => 'test').activate
+    profile = Person['jimi']
+    login 'jimi', 'test'
+    profile.blocks.each(&:destroy)
+    profile.boxes.first.blocks << LinkListBlock.new
+    block = profile.boxes.first.blocks.first
+    get "/myprofile/#{profile.identifier}/profile_design/edit/#{block.id}"
+    assert_select '.icon-selector .icon-edit'
+  end
+
 end
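
Review bot: The final `assert_select '.icon-selector .icon-edit'` only proves that an element with that class is rendered; it does not check the `title` and `onclick` attributes that the view now builds through `content_tag`, so a regression in those attributes would pass unnoticed. Tightening the selector to something like `.icon-selector span.icon-edit[onclick][title]` would cover them. The test also depends implicitly on ICONS containing an `edit` entry; asserting on the number of rendered spans against `LinkListBlock.new.icons.size` would make it independent of any single icon name.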



View it on GitLab: https://gitlab.com/noosfero/noosfero/commit/db91caf20b163543e4a81a12e507a188f83b5a9d