diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 3f32fa18af..bc45edbd66 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -137,14 +137,16 @@ module ApplicationHelper
# Renders flash messages
def render_flash_messages
- flash
+ messages = flash
.reject { |k,_| k.start_with? '_' }
- .map { |k, v| render_flash_message(k, v) }.join.html_safe
+ .map { |k, v| render_flash_message(k, v) }
+
+ safe_join messages, "\n"
end
def join_flash_messages(messages)
if messages.respond_to?(:join)
- messages.join('
').html_safe
+ safe_join(messages, '
')
else
messages
end
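Review bot: The separator in `join_flash_messages` is a literal newline inside single quotes that spans two source lines, while the new line added to `render_flash_messages` spells the same separator as `"\n"`; for consistency and readability the added `safe_join` call should read `safe_join(messages, "\n")`. Note that `safe_join` escapes only elements that are not already marked `html_safe`, so the escaping introduced here depends on `render_flash_message` returning user-supplied text unmarked — that method is outside the hunk, so worth confirming. The `else` branch still returns `messages` untouched; if a plain String can reach it, it is only escaped when the calling template escapes it. The enclosing `join_flash_messages` method ends outside the hunk.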
diff --git a/spec/features/projects/projects_index_spec.rb b/spec/features/projects/projects_index_spec.rb
index 15dd7ad9b9..f037556321 100644
--- a/spec/features/projects/projects_index_spec.rb
+++ b/spec/features/projects/projects_index_spec.rb
@@ -160,6 +160,18 @@ describe 'Projects index page',
.to have_selector('td', text: news.created_on.strftime('%m/%d/%Y'))
end
end
+
+ scenario 'test that flash sortBy is being escaped' do
+ login_as(admin)
+ visit projects_path(sortBy: "[[\">\",\"\"]]")
+
+ error_text = "Orders > is not set to one of the allowed values. and does not exist."
+ error_html = "Orders ><script src='/foobar js'></script> is not set to one of the allowed values. and does not exist."
+ expect(page).to have_selector('.flash.error', text: error_text)
+
+ error_container = page.find('.flash.error')
+ expect(error_container['innerHTML']).to include error_html
+ end
end
end
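Review bot: The `error_html` expectation in the new scenario does not follow from the request it makes: the visited `sortBy` value is `[[">",""]]`, which contains no `<script>` element, yet `error_html` asserts that `<script src='/foobar js'></script>` appears literally in the flash container's `innerHTML`, which is the opposite of what the scenario name claims to verify. With the given payload the escaped output should be asserted directly, e.g. `expect(error_container['innerHTML']).to include "Orders &gt; is not set"` together with `expect(error_container['innerHTML']).not_to include '<script'`, since serialized innerHTML renders an escaped `>` as `&gt;`. The scenario name would also read more naturally without the leading "test that", e.g. `scenario 'flash sortBy is escaped' do`.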