@@ -1,7 +1,7 @@ <li class="event-comment<%= cycle(" shade", "") %>" id="comment-<%= comment.id %>"> - <h3><a name="comment-<%= comment.id %>"></a> <%= link_to comment.article.title, :controller => 'articles', :action => 'edit', :id => comment.article %></h3> - <blockquote><p>"<%= truncate strip_tags(comment.body), 255 %>"</p></blockquote> + <h3><a name="comment-<%= comment.id %>"></a> <%= link_to h(comment.article.title), :controller => 'articles', :action => 'edit', :id => comment.article %></h3> + <blockquote><p>"<%= truncate strip_tags(comment.body), :length => 255 %>"</p></blockquote> <span class="meta"> <cite>&mdash; <%= author_link_for comment %><%= %( (#{comment.author_email})) unless comment.author_email.blank? %></cite> app/views/admin/comments/_comment.html.erb @@ -61,6 +61,11 @@ class Admin::CommentsControllerTest < Test::Unit::TestCase assert_response :success end + def test_should_update_comment + post :update, :article_id => '1', :id => '3', :comment => { :body => 'New body text' } + assert_response :success + end + def test_should_approve_comment contents(:welcome_comment).update_attribute(:approved, false) xhr :post, :approve, :article_id => '1', :id => '3' test/functional/admin/comments_controller_test.rb 9a7251f4b1e8e7147935b1cad8d6f126196bf051 David Cato git@crunchyfrog.net http://github.com/emk/mephisto/commit/c05e9ee1c3e6580b0bff72051c294cc955581001 c05e9ee1c3e6580b0bff72051c294cc955581001 2009-03-15T06:35:02-07:00 2009-03-06T14:53:16-08:00 Fix tainted string error when updating comment When updating a comment, a tainted string error was being thrown due to the lack of a h() escape on the article title in the comment partial. A deprecation warning from truncate() in the comment partial has also been resolved. A functional test (test_should_update_comment) for the admin comments controller is also included. ca2ae99ace7993d04f809ae7eab6870a6250ca7f Eric Kidd git@randomhacks.net