From 85eaec6cabc1a1724f42d63ac00957133180837b Mon Sep 17 00:00:00 2001
From: Ben Tillman
Date: Wed, 16 Nov 2011 11:31:46 +0800
Subject: [PATCH] Fixed tag xss escape, added acts-as-taggable-on gem and fixed tag filtering

---
 Gemfile                                   |  3 +--
 Gemfile.lock                              |  3 +++
 app/controllers/application_controller.rb | 10 +++++-----
 app/helpers/tags_helper.rb                |  4 ++--
 4 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/Gemfile b/Gemfile
index 6317cdbaae..7e04ca44e5 100644
--- a/Gemfile
+++ b/Gemfile
@@ -11,6 +11,7 @@ gem "pg", ">= 0.9.0"
 gem 'authlogic', '~> 3.0.3'
 gem 'acts_as_commentable', '>= 3.0.1'
+gem 'acts-as-taggable-on', '>= 2.0.6'
 gem 'haml', '>= 3.1.1'
 gem 'sass', '>= 3.1.1'
 gem 'paperclip', '~> 2.3.6'
@@ -37,7 +38,6 @@ group :test do
   gem 'factory_girl_rails', '~> 1.0.1'
 end
 
-
 # Gem watch list:
 #---------------------------------------------------------------------
 # gem 'authlogic', :git => 'git://github.com/crossroads/authlogic.git', :branch => 'rails3'
@@ -53,4 +53,3 @@ end
 # is_paranoid, git://github.com/theshortcut/is_paranoid.git
 # prototype_legacy_helper, git://github.com/rails/prototype_legacy_helper.git
 # responds_to_parent, git://github.com/markcatley/responds_to_parent.git
-
diff --git a/Gemfile.lock b/Gemfile.lock
index c1ff8d6dbd..e197699792 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -28,6 +28,8 @@ GEM
       activemodel (= 3.0.7)
       activesupport (= 3.0.7)
     activesupport (3.0.7)
+    acts-as-taggable-on (2.1.1)
+      rails
     acts_as_commentable (3.0.1)
     acts_as_list (0.1.4)
     annotate (2.4.0)
@@ -134,6 +136,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
+  acts-as-taggable-on (>= 2.0.6)
   acts_as_commentable (>= 3.0.1)
   acts_as_list (~> 0.1.4)
   annotate (>= 2.4.0)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 8d46ae6367..df9bea017b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -236,8 +236,9 @@ def respond_to_related_not_found(related, *types)
   #----------------------------------------------------------------------------
   def get_list_of_records(klass, options = {})
     items = klass.name.tableize
-    self.current_page = options[:page] if options[:page]
-    self.current_query, tags = parse_query_and_tags(context[:query])
+    self.current_page = options[:page] if options[:page]
+    query, tags = parse_query_and_tags(options[:query]) if options[:query]
+    self.current_query = query
 
     records = {
       :user => @current_user,
@@ -260,7 +261,7 @@ def get_list_of_records(klass, options = {})
     scope = klass.my(records)
     scope = scope.state(filter) if filter.present?
-    scope = scope.search(current_query) if current_query.present?
+    scope = scope.search(query) if query.present?
     scope = scope.tagged_with(tags, :on => :tags) if tags.present?
     scope = scope.unscoped if wants.csv?
     scope = scope.paginate(pages) if wants.html? || wants.js? || wants.xml?
@@ -297,7 +298,7 @@ def current_query
   #----------------------------------------------------------------------------
   def parse_query_and_tags(search_string)
     query, tags = [], []
-    search_string.scan(/[\w@\-\.'#]+/).each do |token|
+    search_string.scan(/[\w@\-\.#]+/).each do |token|
       if token.starts_with?("#")
         tags << token[1 .. -1]
       else
@@ -307,4 +308,3 @@ def parse_query_and_tags(search_string)
     [ query.join(" "), tags.join(", ") ]
   end
 end
-
diff --git a/app/helpers/tags_helper.rb b/app/helpers/tags_helper.rb
index 5df5371755..03023ff05b 100755
--- a/app/helpers/tags_helper.rb
+++ b/app/helpers/tags_helper.rb
@@ -29,7 +29,7 @@ def tags_for_index(model)
         query += " #{hashtag}"
       end
       arr << link_to_function(tag, "crm.search_tagged('#{query}', '#{model.class.to_s.tableize}')", :title => tag)
-    end.join(" ")
+    end.join(" ").html_safe
   end
 
   # Generate tag links for the asset landing page (shown on a sidebar).
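Review bot: `self.current_query = query` runs unconditionally, so when a caller omits `options[:query]` the variable `query` is nil (a modifier-`if` multiple assignment still declares it) and `current_query` is overwritten with nil on every call. The removed line read the stored `context[:query]` instead, so if `current_query=` persists to the session (its body is outside the hunk) this change clears the remembered query whenever `:query` is not passed; if that reset is intended a comment saying so would help, otherwise guard it with `self.current_query = query if options[:query]`. The `query.present?` and `tags.present?` checks in the second hunk are nil-safe, so the filtering itself behaves correctly either way. `get_list_of_records` continues outside both hunks.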
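Review bot: The new regex in `parse_query_and_tags` drops `'` from the token class without a comment, so a search term such as `O'Brien` now splits into the two tokens `O` and `Brien` — a user-visible change in search behaviour that only the commit message ("Fixed tag xss escape") explains. A why-comment above the `scan` would stop the character from being "restored" later, e.g. `# NOTE(review): apostrophes deliberately excluded from tokens — presumably so a search token cannot carry a quote into the single-quoted JS strings built in tags_helper.rb; confirm.` Note that this only filters the typed search string; tag names that reach the helpers from stored `tag_list` values are not affected by it. Style nit on the same line: inside a character class `.` needs no backslash and `-` can be written last unescaped, `/[\w@.#-]+/`.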
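Review bot: `.html_safe` on the joined string asserts that every element is already properly escaped, but the `link_to_function` line two lines above interpolates `query` — which appears to be assembled from the model's tag names via `hashtag` (the start of `tags_for_index` is outside the hunk) — directly into a single-quoted JavaScript string literal inside the onclick attribute. HTML attribute escaping is decoded by the browser before the JavaScript is parsed, so it cannot protect a JS string literal, and the controller's regex change filters only the typed search string, not stored tag names; a tag containing a quote or backslash can therefore still terminate that literal. Escape at the JavaScript level where the string is built: `arr << link_to_function(tag, "crm.search_tagged('#{escape_javascript(query)}', '#{model.class.to_s.tableize}')", :title => tag)`. With that in place the blanket `html_safe` on the `+` line is justified, since `link_to_function` returns an escaped, html-safe buffer and `join` only drops the safety flag.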
@@ -37,7 +37,7 @@ def tags_for_index(model)
   def tags_for_show(model)
     model.tag_list.inject([]) do |arr, tag|
       arr << link_to(tag, url_for(:action => "tagged", :id => tag), :title => tag)
-    end.join(" ")
+    end.join(" ").html_safe
   end
 
   # Return asset tags to be built manually if the asset failed validation.
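Review bot: Marking the joined string `html_safe` is sound here because `link_to` escapes both the link text and the `:title` attribute, so the only thing `join` loses is the SafeBuffer flag; a short comment on the `+` line would make that reasoning explicit for the next reader, e.g. `# each link_to is already escaped; join only drops the html_safe flag`. As a style point, `inject([]) do |arr, tag| arr << … end` is a `map` in disguise: `model.tag_list.map { |tag| link_to(tag, url_for(:action => "tagged", :id => tag), :title => tag) }.join(" ").html_safe` reads as the one-to-one transformation it is.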