noosfero | Background-image references filename without proper escaping (#279)

Rodrigo Souto gitlab at mg.gitlab.com
Tue Aug 8 12:55:05 BRT 2017


New Issue was created.

Issue 279: https://gitlab.com/noosfero/noosfero/issues/279
Author:    Rodrigo Souto
Assignee:  

After this major change 83f5d54e, UploadedFiles can now have names with accents, spaces and many other symbols that can break the file URL reference. I noticed this happening with the use of the method `public_filename` to fill the `background-image` of some elements. See below:

```
# app/views/content_viewer/_uploaded_file.html.erb

  <%= link_to '',
        uploaded_file.view_url,
        :class => 'image',
        :style => 'background-image: url(%s)'% [Noosfero.root, uploaded_file.public_filename(:thumb)].join
  %>

```

This code is generating broken URL references, like:
```
<a class="image" style="background-image: url(/thumbnails/oceb/0043/9509/Direcoop 2017 Vitoria da Conquista (10)_thumb.JPG)" href="http://ola.coop.br/direcoop/gallery/2017/regiao-sudoeste-da-bahia-04.08.2017/direcoop-2017-vitoria-da-conquista-10.jpg?view=true"></a>
```

See more examples here: http://ola.coop.br/direcoop/gallery/2017/regiao-sudoeste-da-bahia-04.08.2017?npage=1

Since filenames are not sanitized anymore, we should provide a properly escaped method to be used in such cases.
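
One way such an escaped method could look, as an added example that is not part of the original issue and not Noosfero's own code. The helper names `escaped_public_path` and `background_image_style` are hypothetical, and `root` stands in for `Noosfero.root`, assumed here to be a plain string prefix.

```ruby
require "erb"

# Characters that end or invalidate an unquoted CSS url(...) token:
# whitespace, quotes, parentheses and backslash.
CSS_URL_BREAKERS = /[\s"'()\\]/

def breaks_unquoted_css_url?(path)
  path.match?(CSS_URL_BREAKERS)
end

# Hypothetical helper: percent-encode each path segment, keeping "/" as the
# separator. Expects the raw stored filename; an already-encoded path would
# be encoded twice ("%20" -> "%2520").
def escaped_public_path(path)
  path.split("/", -1).map { |segment| ERB::Util.url_encode(segment) }.join("/")
end

# Hypothetical helper: build the inline style value. `root` stands in for
# Noosfero.root (assumed to be a plain string prefix, possibly empty).
def background_image_style(root, public_filename)
  "background-image: url('#{escaped_public_path(root + public_filename)}')"
end

# Constructed sample: the thumbnail path quoted in the issue.
SAMPLE = "/thumbnails/oceb/0043/9509/" \
         "Direcoop 2017 Vitoria da Conquista (10)_thumb.JPG"

if __FILE__ == $PROGRAM_NAME
  puts "raw path breaks url():     #{breaks_unquoted_css_url?(SAMPLE)}"
  puts "escaped path breaks url(): #{breaks_unquoted_css_url?(escaped_public_path(SAMPLE))}"
  puts background_image_style("", SAMPLE)
end
```

Encoding per segment keeps the directory structure intact while spaces, parentheses and accented characters in the filename become `%XX` sequences, so the value can no longer close `url(` early.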
