@@ -4,6 +4,8 @@ module Resourceful # Sets the default flash message. # This message can be overridden by passing in # an HTTP parameter of the form "_flash[type]" via POST or GET. + # _flash HTTP parameter values will be HTML escaped prior to + # being used. # # You can use this to easily have multiple forms # post to the same create/edit/destroy actions @@ -17,7 +19,9 @@ module Resourceful # TODO: Move this out of here #++ def set_default_flash(type, message) - flash[type] ||= (params[:_flash] && params[:_flash][type]) || message + flash[type] ||= (params[:_flash] && params[:_flash][type]) ? + ERB::Util.h(params[:_flash][type]) : + message end # Sets the default redirect lib/resourceful/default/responses.rb @@ -14,6 +14,13 @@ describe 'Resourceful::Default::Responses', " with a _flash parameter for :error @controller.set_default_flash(:error, "Aw there's no error!") @flash[:error].should == 'Oh no, an error!' end + + it "should set the flash for :error to the parameter's cleansed value when set_default_flash is called on :error" do + evil_script = "<script language=\"javascript\">alert('no good');</script>" + @params[:_flash][:error] = evil_script + @controller.set_default_flash(:error, "Aw there's no error!") + @flash[:error].should == ERB::Util.h(evil_script) + end it "should set the flash for :message to the default value when set_default_flash is called on :message" do @controller.set_default_flash(:message, "All jim dandy!") spec/responses_spec.rb a34bdc3b25092da3cbf90f70e6f5ce90f6b4af3a Nathaniel Bibler git@nathanielbibler.com http://github.com/jcfischer/make_resourceful/commit/26c3e0195e53b1c39bd3f26e7af6ec07c70e487c 26c3e0195e53b1c39bd3f26e7af6ec07c70e487c 2008-04-12T11:12:59-07:00 2008-04-12T11:12:59-07:00 Added HTML escaping for _flash parameters values. e9c08d70c96b9b057dd29c545c8690a97d71a9ed Nathaniel Bibler git@nathanielbibler.com