Properly escape page part contents in the UI.

levelg · Feb 12, 2009 · 300ffd5 · 300ffd5
1 parent e88f129
commit 300ffd5
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/app/views/admin/page_parts/_page_part.html.haml b/app/views/admin/page_parts/_page_part.html.haml
@@ -12,4 +12,4 @@
           = link_to_function 'Available Tags', "load_tag_reference('#{page_part.name.to_slug}');"
       = render_region :part_controls, :locals => {:page_part => page_part}
     %div
-      ~ text_area_tag 'page[parts][][content]', page_part.content, :class => "textarea", :style => "width: 100%", :id => "part_#{page_part.name.to_slug}_content"
+      ~ text_area_tag 'page[parts][][content]', h(page_part.content), :class => "textarea", :style => "width: 100%", :id => "part_#{page_part.name.to_slug}_content"
diff --git a/spec/integration/admin/pages_integration_spec.rb b/spec/integration/admin/pages_integration_spec.rb
@@ -34,6 +34,12 @@ def have_slug(expected)
     response.should have_text(/Under Construction/)
   end
 
+  it "should properly escape part contents" do
+    navigate_to '/admin/pages/new'
+    submit_form 'new_page', :continue => 'Save and Continue', :page => {:title => 'My Site', :slug => '/', :breadcrumb => 'My Site', :parts => [{:name => 'body', :content => '&lt;r:url /&gt;'}], :status_id => Status[:published].id}
+    response.should have_tag('textarea', :text => "&amp;lt;r:url /&amp;gt;")
+  end
+
   describe 'with homepage' do
     dataset :home_page