Use safe_join for joining flash messages

stable/9 v9.0.4
Oliver Günther 5 years ago
parent 3746a8a4e4
commit b1f1184da2
No known key found for this signature in database
GPG Key ID: A3A8BDAD7C0C552C
  1. 8
      app/helpers/application_helper.rb
  2. 12
      spec/features/projects/projects_index_spec.rb

@ -137,14 +137,16 @@ module ApplicationHelper
# Renders flash messages
def render_flash_messages
flash
messages = flash
.reject { |k,_| k.start_with? '_' }
.map { |k, v| render_flash_message(k, v) }.join.html_safe
.map { |k, v| render_flash_message(k, v) }
safe_join messages, "\n"
end
def join_flash_messages(messages)
if messages.respond_to?(:join)
messages.join('<br />').html_safe
safe_join(messages, '<br />')
else
messages
end
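Review bot: `safe_join(messages, '<br />')` in the `respond_to?(:join)` branch escapes the separator as well as the elements — Rails' `safe_join` passes the separator through `ERB::Util.unwrapped_html_escape` — so the rendered flash will contain a literal `&lt;br /&gt;` between messages instead of a line break. Mark the separator as markup, e.g. `safe_join(messages, tag(:br))` or `safe_join(messages, '<br />'.html_safe)`; the `"\n"` separator in `render_flash_messages` is unaffected because it contains nothing to escape. The per-element escaping is the point of the commit and stays correct: a plain String element (such as a validation message carrying user input) is escaped, while the output of `render_flash_message` is presumably already `html_safe` and passes through unchanged. `join_flash_messages` continues past the hunk — its closing `end` is outside the visible lines.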

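--- a/spec/features/projects/projects_index_spec.rb
+++ b/spec/features/projects/projects_index_spec.rb
@@ -160,6 +160,18 @@ describe 'Projects index page',
 .to have_selector('td', text: news.created_on.strftime('%m/%d/%Y'))
 end
 end
+scenario 'test that flash sortBy is being escaped' do
+login_as(admin)
+visit projects_path(sortBy: "[[\"><script src='/foobar.js'></script>\",\"\"]]")
+error_text = "Orders ><script src='/foobar js'></script> is not set to one of the allowed values. and does not exist."
+error_html = "Orders &gt;&lt;script src='/foobar js'&gt;&lt;/script&gt; is not set to one of the allowed values. and does not exist."
+expect(page).to have_selector('.flash.error', text: error_text)
+error_container = page.find('.flash.error')
+expect(error_container['innerHTML']).to include error_html
+end
 end
 end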
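Review bot: The scenario only asserts that the escaped form of the payload appears in `innerHTML`; it never asserts that an unescaped `<script` tag is absent, which is the property the commit is actually protecting. Add `expect(error_container['innerHTML']).not_to include '<script'` after the `include error_html` expectation, so the test keeps failing for the right reason even if the validation message wording changes and `error_html` simply stops matching. The expected strings also turn `/foobar.js` into `/foobar js` without explanation; presumably the sort-key parser normalizes punctuation, and a one-line comment above `error_text` saying so would spare the next reader a detour. The enclosing `describe 'Projects index page',` block begins outside the hunk.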
