forked from technoweenie/mephisto
Commit
Security: Escape strings where recommended by SafeERB
The SafeERB plugin attempts to automatically detect view code which fails to properly escape HTML. You can find information here: http://wiki.rubyonrails.com/rails/pages/Safe+ERB

I'm using a version of SafeERB modified by Matthew Bass, which can be found on github: http://github.com/pelargir/safe_erb/tree/master

My local copy is modified to avoid some false positives, and isn't ready for production use yet. But here's the first batch of changes it recommended.

Note that some of these changes weren't really necessary; some of the values we're wrapping can't actually contain HTML metacharacters, at least not in normal locales.

Also note that SafeERB is only useful for the normal view code in places like /admin, and that it won't help us with Liquid plugins in the front end. But it's a start.
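The commit message describes a tool that flags view code which outputs strings without escaping them. The following is an added example, not code from this commit or from the SafeERB plugin (which works at runtime rather than by reading templates): a small static scanner in the project's own language that finds `<%= ... %>` output tags whose expression is neither wrapped in `h(...)` nor written with the `<%=h` shorthand. It is run over a constructed "before" and "after" copy of the changed lines of the theme partial in this commit; the `SAFE_CALLS` allow-list is an assumption of the example.

```ruby
# Added example, not code from this commit or from the SafeERB plugin.
# SafeERB itself works at runtime (it relies on string tainting); this is a
# simplified static approximation: scan ERB output tags and flag expressions
# that are not wrapped in h(...) or written with the <%=h shorthand.

# Matches <%= ... %> output tags (control tags <% ... %> are ignored).
OUTPUT_TAG = /<%=(.*?)%>/m

# Helper calls treated as safe to cut noise. This list is an assumption of
# the example; in a real run you decide per helper whether it escapes.
SAFE_CALLS = %w[url_for text_field_tag].freeze

# True when the expression is already escaped or is a bare string literal.
def escaped?(expr)
  e = expr.strip
  return true if e.start_with?("h ", "h(")
  return true if e.match?(/\A(['"]).*\1\z/)      # whole expression is one literal
  SAFE_CALLS.any? { |c| e.start_with?("#{c}(", "#{c} ") }
end

# Returns [[line_number, expression], ...] for every unescaped output tag.
def unescaped_outputs(template)
  findings = []
  template.each_line.with_index(1) do |line, lineno|
    line.scan(OUTPUT_TAG) do |(expr)|
      findings << [lineno, expr.strip] unless escaped?(expr)
    end
  end
  findings
end

# Constructed input: the changed lines of the theme partial, before and after
# this commit, trimmed to three lines each.
THEME_PARTIAL_BEFORE = <<~ERB
  <li class="theme<%= ' current' if theme.current? %>" id="theme-<%= theme_counter %>">
    <span title="stored in /<%= theme.name %>"><%=h theme.title %></span>
    by <%= theme.linked_author.blank? ? 'unknown' : theme.linked_author %>
ERB

THEME_PARTIAL_AFTER = <<~ERB
  <li class="theme<%=h ' current' if theme.current? %>" id="theme-<%= theme_counter %>">
    <span title="stored in /<%=h theme.name %>"><%=h theme.title %></span>
    by <%=h theme.linked_author.blank? ? 'unknown' : theme.linked_author %>
ERB

if __FILE__ == $0
  { "before" => THEME_PARTIAL_BEFORE, "after" => THEME_PARTIAL_AFTER }.each do |label, tpl|
    puts "#{label}:"
    unescaped_outputs(tpl).each { |l, e| puts "  line #{l}: unescaped <%= #{e} %>" }
  end
end
```

On the "before" copy the scanner reports all four unescaped tags; on the "after" copy only `theme_counter` remains, a counter that cannot carry markup, which is the kind of false positive the commit message mentions. The scanner also has no way of knowing what `theme.linked_author` returns, so it cannot tell whether escaping that value is right; that judgement still has to be made by reading the helper.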
Showing 8 changed files with 22 additions and 22 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,16 @@ | ||
<div class="group"> | ||
<dl> | ||
<dt> | ||
<%= label_tag :data, labels[:data] %> | ||
<%= label_tag :data, h(labels[:data]) %> | ||
<p class="hint"><%= hint %></p> | ||
</dt> | ||
<dd><%= text_area_tag :data, h(attachment && attachment.file? ? attachment.read : params[:data]), :class => 'fat', :rows => 20 %></dd> | ||
<% if controller.action_name == 'index' -%> | ||
<dt> | ||
<%= label_tag :filename, labels[:filename] %> | ||
<%= label_tag :filename, h(labels[:filename]) %> | ||
<p class="hint">You can create one of three types of files: Liquid (*.liquid), CSS (*.css), and Javascript (*.js).</p> | ||
</dt> | ||
<dd><%= text_field_tag :filename, params[:filename] %></dd> | ||
<% end -%> | ||
</dl> | ||
</div> | ||
</div> |
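Review bot: the `<p class="hint"><%= hint %></p>` line directly below the new `label_tag :data, h(labels[:data])` still outputs `hint` unescaped while the label next to it is now escaped; if `hint` can ever be anything other than a literal supplied by the calling view it needs the same `h()` wrapper, and if it is always a literal a short comment saying so would stop the next SafeERB pass from flagging it. The `<%=h ...%>` around `attachment.read` in the text area and the two `h(labels[...])` changes look right.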
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,12 @@ | ||
<li class="theme<%= ' current' if theme.current? %>" id="theme-<%= theme_counter %>"> | ||
<li class="theme<%=h ' current' if theme.current? %>" id="theme-<%= theme_counter %>"> | ||
<h3> | ||
<span title="stored in /<%= theme.name %>"><%=h theme.title %></span> | ||
<span title="stored in /<%=h theme.name %>"><%=h theme.title %></span> | ||
<span class="thememeta"> | ||
<% unless theme.version.blank? -%>v<%=h theme.version %> |<% end -%> | ||
by <%= theme.linked_author.blank? ? 'unknown' : theme.linked_author %> | ||
by <%=h theme.linked_author.blank? ? 'unknown' : theme.linked_author %> | ||
</span> | ||
</h3> | ||
<a id="theme-dialog-<%= theme_counter %>" class="theme_dialog"> | ||
<img src="<%= url_for(:controller => '/admin/themes', :action => 'preview_for', :id => theme) %>" alt="Theme preview" title="<%=h theme.title %> (v<%=h theme.version %>)" /> | ||
</a> | ||
</li> | ||
</li> |
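Review bot: escaping `theme.linked_author` on the `by <%=h theme.linked_author.blank? ? 'unknown' : theme.linked_author %>` line is suspect. The helper's name suggests it returns a ready-made link, and if it does, `h` will render the anchor's markup as literal text rather than a link; the escaping then belongs inside `linked_author`, on the author name and URL, not around its output (the `'unknown'` fallback needs none). On the first line, `<%=h ' current' if theme.current? %>` escapes a string literal, a no-op and one of the false positives the commit message mentions, so it can be dropped to keep the template readable. The `title="stored in /<%=h theme.name %>"` change is correct, since `h` also escapes the double quote that would close the attribute.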