@@ -16,9 +16,12 @@ module InPlaceEditing module ClassMethods def in_place_edit_for(object, attribute, options = {}) define_method("set_#{object}_#{attribute}") do + unless [:post, :put].include?(request.method) then + return render(:text => 'Method not allowed', :status => 405) + end @item = object.to_s.camelize.constantize.find(params[:id]) @item.update_attribute(attribute, params[:value]) - render :text => @item.send(attribute).to_s + render :text => CGI::escapeHTML(@item.send(attribute).to_s) end end end lib/in_place_editing.rb @@ -69,10 +69,12 @@ module InPlaceMacrosHelper # Renders the value of the specified object and method with in-place editing capabilities. def in_place_editor_field(object, method, tag_options = {}, in_place_editor_options = {}) - tag = ::ActionView::Helpers::InstanceTag.new(object, method, self) - tag_options = {:tag => "span", :id => "#{object}_#{method}_#{tag.object.id}_in_place_editor", :class => "in_place_editor_field"}.merge!(tag_options) - in_place_editor_options[:url] = in_place_editor_options[:url] || url_for({ :action => "set_#{object}_#{method}", :id => tag.object.id }) - tag.to_content_tag(tag_options.delete(:tag), tag_options) + - in_place_editor(tag_options[:id], in_place_editor_options) + instance_tag = ::ActionView::Helpers::InstanceTag.new(object, method, self) + tag_options = {:tag => "span", + :id => "#{object}_#{method}_#{instance_tag.object.id}_in_place_editor", + :class => "in_place_editor_field"}.merge!(tag_options) + in_place_editor_options[:url] = in_place_editor_options[:url] || url_for({ :action => "set_#{object}_#{method}", :id => instance_tag.object.id }) + tag = content_tag(tag_options.delete(:tag), h(instance_tag.value(instance_tag.object)),tag_options) + return tag + in_place_editor(tag_options[:id], in_place_editor_options) end end lib/in_place_macros_helper.rb afb68bba782f8ae0ea56494f200f1fe9c811e164 Pawel Stradomski pstradomski@gmail.com http://github.com/rails/in_place_editing/commit/8c5487e4620fe02074ff48ea27fecac2df6e7f52 8c5487e4620fe02074ff48ea27fecac2df6e7f52 2009-02-27T18:42:39-08:00 2009-02-23T13:14:06-08:00 Security fixes for XSS and CSRF issues. Signed-off-by: Michael Koziarski <michael@koziarski.com> 5f99e8664a323a636fed2be0b00f9a8322da0bbc Michael Koziarski michael@koziarski.com