diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 3f32fa18af..bc45edbd66 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -137,14 +137,16 @@ module ApplicationHelper
   # Renders flash messages
   def render_flash_messages
-    flash
+    messages = flash
       .reject { |k,_| k.start_with? '_' }
-      .map { |k, v| render_flash_message(k, v) }.join.html_safe
+      .map { |k, v| render_flash_message(k, v) }
+
+    safe_join messages, "\n"
   end
 
   def join_flash_messages(messages)
     if messages.respond_to?(:join)
-      messages.join('
').html_safe
+      safe_join(messages, '
')
     else
       messages
     end
diff --git a/spec/features/projects/projects_index_spec.rb b/spec/features/projects/projects_index_spec.rb
index 15dd7ad9b9..f037556321 100644
--- a/spec/features/projects/projects_index_spec.rb
+++ b/spec/features/projects/projects_index_spec.rb
@@ -160,6 +160,18 @@ describe 'Projects index page',
       .to have_selector('td', text: news.created_on.strftime('%m/%d/%Y'))
     end
   end
+
+  scenario 'test that flash sortBy is being escaped' do
+    login_as(admin)
+    visit projects_path(sortBy: "[[\">\",\"\"]]")
+
+    error_text = "Orders > is not set to one of the allowed values. and does not exist."
+    error_html = "Orders ><script src='/foobar js'></script> is not set to one of the allowed values. and does not exist."
+    expect(page).to have_selector('.flash.error', text: error_text)
+
+    error_container = page.find('.flash.error')
+    expect(error_container['innerHTML']).to include error_html
+  end
 end
 end
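Review bot: `safe_join messages, "\n"` in render_flash_messages escapes every element that is not already html_safe, so the fix only works as intended if render_flash_message returns a SafeBuffer; if that helper (outside this hunk) ever returns a plain String, its markup will now be shown literally instead of rendered, so that contract should be stated where the messages are built, e.g. `# Renders flash messages; safe_join escapes anything not already marked html_safe`. The old `.join.html_safe` used no separator while the new call inserts `"\n"` between messages, which is harmless in HTML but is a visible output change worth a word in the commit message. The two new safe_join calls also differ in style — bare arguments in render_flash_messages, parenthesised in join_flash_messages; `safe_join(messages, "\n")` would match the second. The separator literal in join_flash_messages is split across lines in this rendering of the diff, so I cannot confirm what it joins with.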
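Review bot: As shown, the scenario cannot pass: the `sortBy` value passed to `visit` is `[[">",""]]`, which contains no script element, yet `error_html` expects `<script src='/foobar js'></script>` to appear in the flash container's innerHTML; either part of the `visit` line was lost when this page was rendered, or the expectation does not match the input. Even with the markup present in the payload, a test named "is being escaped" should assert the entity-encoded form in innerHTML (`&lt;script` rather than `<script`) — matching a raw `<script` tag asserts the opposite of escaping, unless the literal was itself entity-encoded in the original source and decoded here. The scenario title should read as a behaviour, e.g. `scenario 'escapes markup reflected from the sortBy parameter into the flash error'`.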