Merge branch 'release/3.0' into dev

Conflicts:
	Gemfile.lock
	extra/svn/OpenProjectAuthentication.pm
	lib/open_project/version.rb
	spec/controllers/sys_controller_spec.rb
	spec/controllers/versions_controller_spec.rb
pull/1655/head
Jens Ulferts 10 years ago
commit 87d05c35ee
  1. 2
      Gemfile
  2. 52
      Gemfile.lock
  3. 17
      spec/controllers/versions_controller_spec.rb

@ -44,7 +44,7 @@ end
source 'https://rubygems.org'
gem "rails", "~> 3.2.18"
gem "rails", "~> 3.2.19"
gem "coderay", "~> 1.0.5"
gem "rubytree", "~> 0.8.3"

@ -65,12 +65,12 @@ GIT
GEM
remote: https://rubygems.org/
specs:
actionmailer (3.2.18)
actionpack (= 3.2.18)
actionmailer (3.2.19)
actionpack (= 3.2.19)
mail (~> 2.5.4)
actionpack (3.2.18)
activemodel (= 3.2.18)
activesupport (= 3.2.18)
actionpack (3.2.19)
activemodel (= 3.2.19)
activesupport (= 3.2.19)
builder (~> 3.0.0)
erubis (~> 2.7.0)
journey (~> 1.0.4)
@ -78,20 +78,20 @@ GEM
rack-cache (~> 1.2)
rack-test (~> 0.6.1)
sprockets (~> 2.2.1)
activemodel (3.2.18)
activesupport (= 3.2.18)
activemodel (3.2.19)
activesupport (= 3.2.19)
builder (~> 3.0.0)
activerecord (3.2.18)
activemodel (= 3.2.18)
activesupport (= 3.2.18)
activerecord (3.2.19)
activemodel (= 3.2.19)
activesupport (= 3.2.19)
arel (~> 3.0.2)
tzinfo (~> 0.3.29)
activerecord-tableless (1.3.3)
activerecord (>= 2.3.0)
activeresource (3.2.18)
activemodel (= 3.2.18)
activesupport (= 3.2.18)
activesupport (3.2.18)
activeresource (3.2.19)
activemodel (= 3.2.19)
activesupport (= 3.2.19)
activesupport (3.2.19)
i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0)
acts_as_list (0.2.0)
@ -308,27 +308,27 @@ GEM
rack_session_access (0.1.1)
builder (>= 2.0.0)
rack (>= 1.0.0)
rails (3.2.18)
actionmailer (= 3.2.18)
actionpack (= 3.2.18)
activerecord (= 3.2.18)
activeresource (= 3.2.18)
activesupport (= 3.2.18)
rails (3.2.19)
actionmailer (= 3.2.19)
actionpack (= 3.2.19)
activerecord (= 3.2.19)
activeresource (= 3.2.19)
activesupport (= 3.2.19)
bundler (~> 1.0)
railties (= 3.2.18)
railties (= 3.2.19)
rails-dev-tweaks (0.6.1)
actionpack (~> 3.1)
railties (~> 3.1)
rails_autolink (1.1.0)
rails (> 3.1)
railties (3.2.18)
actionpack (= 3.2.18)
activesupport (= 3.2.18)
railties (3.2.19)
actionpack (= 3.2.19)
activesupport (= 3.2.19)
rack-ssl (~> 1.3.2)
rake (>= 0.8.7)
rdoc (~> 3.4)
thor (>= 0.14.6, < 2.0)
rake (10.3.1)
rake (10.3.2)
rb-fsevent (0.9.4)
rb-inotify (0.9.4)
ffi (>= 0.5.0)
@ -492,7 +492,7 @@ DEPENDENCIES
rack-protection!
rack-test (~> 0.6.2)
rack_session_access
rails (~> 3.2.18)
rails (~> 3.2.19)
rails-dev-tweaks (~> 0.6.1)
rails_autolink
rb-readline (~> 0.5.1)

@ -159,24 +159,19 @@ describe VersionsController do
it "returns updated select box with new version" do
version = Version.find_by_name('test_add_version_from_issue_form')
pattern = "Element.replace\(\"work_package_fixed_version_id\","
# select tag with valid html
pattern << " \"<select id=\\\"work_package_fixed_version_id\\\" name=\\\"work_package[fixed_version_id]\\\">"
# empty option tag with valid html
pattern << "<option></option>"
# selected option tag for the new version with valid html
pattern << "<option value=\\\"#{version.id}\\\" selected=\\\"selected\\\">#{version.name}</option>"
pattern << "</select>\"\);"
select_substring = "select id=\\\"work_package_fixed_version_id\\\" name=\\\"work_package[fixed_version_id]\\\""
# selected option tag for the new version
option_substring = "option value=\\\"#{version.id}\\\" selected=\\\"selected\\\""
expect(response.body).to eq(pattern)
response.body.include?(select_substring).should be_true
response.body.include?(option_substring).should be_true
end
it "escapes potentially harmful html" do
harmful = "test <script>alert('pwned');</script>"
post :create, :project_id => project.id, :version => {:name => harmful}, :format => :js
version = Version.last
expect(response.body.include?("lt;script&gt;alert(&#x27;pwned&#x27;);&lt;/script&gt;")).to be_true
expect(response.body).to_not include("<script>alert('pwned');</script>")
end
end
end
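Review bot: The substring checks that appear to replace the exact-match `expect(response.body).to eq(pattern)` no longer verify how `version.name` is rendered inside the option tag, and `response.body.include?(select_substring).should be_true` reports only "expected false to be true" when it fails. `expect(response.body).to include(select_substring)` and `expect(response.body).to include(option_substring)` keep the looser match, show the body on failure and use the same `expect` syntax as the neighbouring example. In the "escapes potentially harmful html" example, the negative check `to_not include("<script>alert('pwned');</script>")` probably passes whether or not the name is HTML-escaped, because the body is a JavaScript string literal (the quotes in the select example are backslash-escaped) and Rails' JavaScript escaping would presumably rewrite `'` and `</` anyway. The entity check is therefore the assertion that carries the test, and it omits the leading `&` of `&lt;script&gt;`, which is worth confirming as deliberate. The page has lost its +/- markers, so which of these lines sit on the new side is inferred from the hunk header counts.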
