[Git][noosfero/noosfero][master] not escape HTML from newsletter moderation tasks

Joenio Costa gitlab at mg.gitlab.com
Wed May 18 14:53:35 BRT 2016


Joenio Costa pushed to branch master at Noosfero / noosfero


Commits:
0834f87c by Joenio Costa at 2016-05-18T14:52:07-03:00
not escape HTML from newsletter moderation tasks

- - - - -


2 changed files:

- + plugins/newsletter/test/integration/safe_strings_test.rb
- plugins/newsletter/views/tasks/newsletter_plugin/_moderate_newsletter_accept_details.html.erb


Changes:

=====================================
plugins/newsletter/test/integration/safe_strings_test.rb
=====================================
--- /dev/null
+++ b/plugins/newsletter/test/integration/safe_strings_test.rb
@@ -0,0 +1,31 @@
+require 'test_helper'
+
+class NewsletterPluginSafeStringsTest < ActionDispatch::IntegrationTest
+
+  should 'not escape HTML from newsletter pending task' do
+    environment = Environment.default
+    environment.enable_plugin('newsletter')
+    person = create_user('john', :environment_id => environment.id, :password => 'test', :password_confirmation => 'test').person
+    person.user.activate
+    environment.add_admin(person)
+
+    blog = fast_create(Blog, :profile_id => person.id)
+    post = fast_create(TextileArticle, :name => 'First post', :profile_id => person.id, :parent_id => blog.id, :body => 'Test')
+    newsletter = NewsletterPlugin::Newsletter.create!(:environment => environment, :person => person, :enabled => true)
+    newsletter.blog_ids = [blog.id]
+    newsletter.save!
+    task = NewsletterPlugin::ModerateNewsletter.create!(
+      :newsletter_id => newsletter.id,
+      :target => environment,
+      :post_ids => [post.id.to_s]
+    )
+
+    login 'john', 'test'
+    get '/myprofile/john/tasks'
+
+    assert_tag :tag => 'input',
+      :attributes => { :type => 'checkbox', :name => "tasks[#{task.id}][task][post_ids][]" },
+      :sibling => { :tag => 'span' }
+  end
+
+end
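Review bot: the only fixture here is a post whose body is the plain word `Test`, so the assertion (a checkbox `input` with a `span` sibling) proves the injected checkbox markup is rendered as HTML but says nothing about post content that itself carries markup. Because the view under test now emits the whole `newsletter_content` via `html_safe`, a second case is needed where the post body contains tags (for example a `<b>` or `<script>` fragment) with an assertion that it reaches the task page escaped or sanitized rather than as live markup; the `assert_tag :sibling => { :tag => 'span' }` check would also be more robust if it matched the `id="#{post.id}"` attribute the view rewrites, since any `span` next to the checkbox satisfies it today.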


=====================================
plugins/newsletter/views/tasks/newsletter_plugin/_moderate_newsletter_accept_details.html.erb
=====================================
--- a/plugins/newsletter/views/tasks/newsletter_plugin/_moderate_newsletter_accept_details.html.erb
+++ b/plugins/newsletter/views/tasks/newsletter_plugin/_moderate_newsletter_accept_details.html.erb
@@ -9,9 +9,9 @@
     <% input_name = "tasks[#{task.id}][task][post_ids][]" %>
     <% post_check_box = hidden_field_tag(input_name, '0') +check_box_tag(input_name, post.id, true) %>
 
-    <% newsletter_content.gsub!(/<span([^>]*?) id="#{post.id}"/, post_check_box + '<span\\1')%>
-    <% newsletter_content.gsub!(/<img([^>]*?) id="#{post.id}"/, post_check_box + '<img\\1') %>
+    <% newsletter_content.gsub!(/<span([^>]*?) id="#{post.id}"/, post_check_box + '<span\\1'.html_safe) %>
+    <% newsletter_content.gsub!(/<img([^>]*?) id="#{post.id}"/, post_check_box + '<img\\1'.html_safe) %>
   <% end %>
 
-  <%= newsletter_content %>
+  <%= newsletter_content.html_safe %>
 </div>
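Review bot: `<%= newsletter_content.html_safe %>` turns off output escaping for the entire rendered newsletter, so the safety of this page now rests on every part of `newsletter_content` having been escaped or sanitized where it was assembled, which this hunk does not show. The `.html_safe` added to the `'<span\\1'` and `'<img\\1'` literals is the right fix for the checkbox injection (concatenating a plain String onto the SafeBuffer returned by `hidden_field_tag` + `check_box_tag` escaped the literal tag, which is what the test reproduces), but the last line should either reference the point where the content is sanitized in a comment or pass it through `sanitize` instead of a bare `html_safe`, so that user-authored post bodies cannot reach the task page as live markup.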



View it on GitLab: https://gitlab.com/noosfero/noosfero/commit/0834f87c5e29abdf0525c080c955effb2952ccc1

