Fixed tag xss escape, added acts-as-taggable-on gem and fixed tag fil…

…tering
fatfreecrm · Nov 16, 2011 · 85eaec6 · 85eaec6
1 parent d757590
commit 85eaec6
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 9 deletions.
diff --git a/Gemfile b/Gemfile
@@ -11,6 +11,7 @@ gem "pg", ">= 0.9.0"
 
 gem 'authlogic',           '~> 3.0.3'
 gem 'acts_as_commentable', '>= 3.0.1'
+gem 'acts-as-taggable-on', '>= 2.0.6'
 gem 'haml',                '>= 3.1.1'
 gem 'sass',                '>= 3.1.1'
 gem 'paperclip',           '~> 2.3.6'
@@ -37,7 +38,6 @@ group :test do
   gem 'factory_girl_rails', '~> 1.0.1'
 end
 
-
 # Gem watch list:
 #---------------------------------------------------------------------
 # gem 'authlogic',         :git => 'git://github.com/crossroads/authlogic.git', :branch => 'rails3'
@@ -53,4 +53,3 @@ end
 # is_paranoid,             git://github.com/theshortcut/is_paranoid.git
 # prototype_legacy_helper, git://github.com/rails/prototype_legacy_helper.git
 # responds_to_parent,      git://github.com/markcatley/responds_to_parent.git
-
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -28,6 +28,8 @@ GEM
       activemodel (= 3.0.7)
       activesupport (= 3.0.7)
     activesupport (3.0.7)
+    acts-as-taggable-on (2.1.1)
+      rails
     acts_as_commentable (3.0.1)
     acts_as_list (0.1.4)
     annotate (2.4.0)
@@ -134,6 +136,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  acts-as-taggable-on (>= 2.0.6)
   acts_as_commentable (>= 3.0.1)
   acts_as_list (~> 0.1.4)
   annotate (>= 2.4.0)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -236,8 +236,9 @@ def respond_to_related_not_found(related, *types)
   #----------------------------------------------------------------------------
   def get_list_of_records(klass, options = {})
     items = klass.name.tableize
-    self.current_page  = options[:page]  if options[:page]
-    self.current_query, tags = parse_query_and_tags(context[:query])
+    self.current_page = options[:page]                        if options[:page]
+    query, tags       = parse_query_and_tags(options[:query]) if options[:query]
+    self.current_query = query
 
     records = {
       :user  => @current_user,
@@ -260,7 +261,7 @@ def get_list_of_records(klass, options = {})
 
     scope = klass.my(records)
     scope = scope.state(filter)                   if filter.present?
-    scope = scope.search(current_query)           if current_query.present?
+    scope = scope.search(query)                   if query.present?
     scope = scope.tagged_with(tags, :on => :tags) if tags.present?
     scope = scope.unscoped                        if wants.csv?
     scope = scope.paginate(pages)                 if wants.html? || wants.js? || wants.xml?
@@ -297,7 +298,7 @@ def current_query
   #----------------------------------------------------------------------------
   def parse_query_and_tags(search_string)
     query, tags = [], []
-    search_string.scan(/[\w@\-\.'#]+/).each do |token|
+    search_string.scan(/[\w@\-\.#]+/).each do |token|
       if token.starts_with?("#")
         tags << token[1 .. -1]
       else
@@ -307,4 +308,3 @@ def parse_query_and_tags(search_string)
     [ query.join(" "), tags.join(", ") ]
   end
 end
-
diff --git a/app/helpers/tags_helper.rb b/app/helpers/tags_helper.rb
@@ -29,15 +29,15 @@ def tags_for_index(model)
         query += " #{hashtag}"
       end
       arr << link_to_function(tag, "crm.search_tagged('#{query}', '#{model.class.to_s.tableize}')", :title => tag)
-    end.join(" ")
+    end.join(" ").html_safe
   end
 
   # Generate tag links for the asset landing page (shown on a sidebar).
   #----------------------------------------------------------------------------
   def tags_for_show(model)
     model.tag_list.inject([]) do |arr, tag|
       arr << link_to(tag, url_for(:action => "tagged", :id => tag), :title => tag)
-    end.join(" ")
+    end.join(" ").html_safe
   end
 
   # Return asset tags to be built manually if the asset failed validation.