From 10b62ca681316696953d4585b053125a3d663743 Mon Sep 17 00:00:00 2001
From: Philipp Tessenow
Date: Mon, 24 Feb 2014 16:47:22 +0100
Subject: [PATCH 1/3] fix #4858
---
 .../work_packages/auto_completes_controller.rb | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/app/controllers/work_packages/auto_completes_controller.rb b/app/controllers/work_packages/auto_completes_controller.rb
index 069d1bb578..dee5a4a623 100644
--- a/app/controllers/work_packages/auto_completes_controller.rb
+++ b/app/controllers/work_packages/auto_completes_controller.rb
@@ -27,6 +27,8 @@
 # See doc/COPYRIGHT.rdoc for more details.
 #++
+require 'rack/utils'
+
 class WorkPackages::AutoCompletesController < ApplicationController
 before_filter :find_project
@@ -55,9 +57,9 @@ class WorkPackages::AutoCompletesController < ApplicationController
 def wp_hash_with_string
 @work_packages.map do |wp|
- hash = wp.attributes
- hash['to_s'] = wp.to_s
- hash
+ Hash[ wp.attributes.map do |key,value|
+ [ key, Rack::Utils.escape_html(value) ]
+ end << ['to_s', Rack::Utils.escape_html(wp.to_s)] ]
 end
 end
From 8fe318f546dda3fba6657f1e6f38b1e2e1fa03a7 Mon Sep 17 00:00:00 2001
From: Philipp Tessenow
Date: Mon, 24 Feb 2014 18:23:33 +0100
Subject: [PATCH 2/3] add specs for escaping auto_completion
---
 .../auto_completes_controller_spec.rb | 25 +++++++++-
 .../work_package/auto_complete/index_spec.rb | 49 +++++++++++++++++++
 2 files changed, 72 insertions(+), 2 deletions(-)
 create mode 100644 spec/views/work_package/auto_complete/index_spec.rb
diff --git a/spec/controllers/work_packages/auto_completes_controller_spec.rb b/spec/controllers/work_packages/auto_completes_controller_spec.rb
index 6c8de93e49..2cbdb0d746 100644
--- a/spec/controllers/work_packages/auto_completes_controller_spec.rb
+++ b/spec/controllers/work_packages/auto_completes_controller_spec.rb
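Review bot: In the rewritten body of `wp_hash_with_string` the escape is applied to every value of `wp.attributes`, and `Rack::Utils.escape_html` stringifies its argument, so integers, booleans, dates and nil come back as strings (nil as `""`), which silently changes the JSON type of fields such as `id` that the autocomplete client may compare or submit. Restricting the escape to string values keeps the types intact while still neutralising `subject` and other free text: `[ key, value.is_a?(String) ? Rack::Utils.escape_html(value) : value ]`. A reader will otherwise see HTML-escaped data coming out of a JSON endpoint and take it for a bug, so a why-comment belongs above the `Hash[` line, e.g. `# values are inserted into HTML by the autocomplete view, so escape at the source (see #4858)`. The nested `Hash[ ... do ... end << [...] ]` is hard to scan; building the hash with `each_with_object({})` and then `.merge('to_s' => Rack::Utils.escape_html(wp.to_s))` reads more clearly. The method's `def` and closing `end` are both inside the hunk.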
@@ -117,6 +117,27 @@ describe WorkPackages::AutoCompletesController do
 end
 end
+ describe "returns work package for given id" do
+ render_views
+ let(:work_package_4) { FactoryGirl.create(:work_package,
+ id: 666,
+ subject: "",
+ project: project) }
+ let(:expected_values) { work_package_4 }
+
+ before { get :index,
+ project_id: project.id,
+ q: work_package_4.id,
+ format: :json }
+
+ it_behaves_like "successful response"
+ it_behaves_like "contains expected values"
+
+ it "should escape html" do
+ response.body.should_not include '') }
+
+ before do
+ params[:format] = 'json'
+ end
+
+ it 'escapes work package subject in auto-completion' do
+ assign :work_packages, [work_package]
+ render
+ # there are items
+ response.should have_selector "li"
+ # but there is not script tag
+ response.should_not have_selector "script"
+ # normal text should be included
+ response.should include "do not alert this"
+ end
+end
From 217caa185659aa677eb58f86ae9a60a8c6736b45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=81=A4Philipp=20Tessenow?=
Date: Tue, 25 Feb 2014 09:12:30 +0100
Subject: [PATCH 3/3] no need for params[:format] = :json in the autocomplete view spec
---
 spec/views/work_package/auto_complete/index_spec.rb | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/spec/views/work_package/auto_complete/index_spec.rb b/spec/views/work_package/auto_complete/index_spec.rb
index a47197ea21..56b7f31b97 100644
--- a/spec/views/work_package/auto_complete/index_spec.rb
+++ b/spec/views/work_package/auto_complete/index_spec.rb
@@ -32,10 +32,6 @@ describe 'work_packages/auto_completes/index.html.erb' do
 let(:work_package) { FactoryGirl.build( :work_package, :subject => '') }
- before do
- params[:format] = 'json'
- end
-
 it 'escapes work package subject in auto-completion' do
 assign :work_packages, [work_package]
 render