Refactor sanitize to fix last commit demonstrated problems

mkelley33 · Nov 4, 2012 · d685abb · d685abb
1 parent 2879393
commit d685abb
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 19 deletions.
diff --git a/lib/assets/javascripts/best_in_place.js b/lib/assets/javascripts/best_in_place.js
@@ -39,10 +39,14 @@ BestInPlaceEditor.prototype = {
       to_display = this.original_content;
     }
     else {
-      to_display = this.element.html();
+      if (this.sanitize) {
+        to_display = this.element.text();
+      } else {
+        to_display = this.element.html();
+      }
     }
 
-    var elem = this.isNil ? "-" : this.element.html();
+    var elem = this.isNil ? "-" : this.sanitize ? this.element.text() : this.element.html();
     this.oldValue = elem;
     this.display_value = to_display;
     jQuery(this.activator).unbind("click", this.clickHandler);
@@ -51,8 +55,8 @@ BestInPlaceEditor.prototype = {
   },
 
   abort : function() {
-    if (this.isNil) this.element.html(this.nil);
-    else            this.element.html(this.oldValue);
+    if (this.isNil) this.element.text(this.nil);
+    else            this.element.text(this.oldValue);
     jQuery(this.activator).bind('click', {editor: this}, this.clickHandler);
     this.element.trigger(jQuery.Event("best_in_place:abort"));
     this.element.trigger(jQuery.Event("best_in_place:deactivate"));
@@ -90,7 +94,7 @@ BestInPlaceEditor.prototype = {
     } else if (this.formType == "checkbox") {
       editor.element.html(this.getValue() ? this.values[1] : this.values[0]);
     } else {
-      editor.element.html(this.getValue() !== "" ? this.getValue() : this.nil);
+      editor.element.text(this.getValue() !== "" ? this.getValue() : this.nil);
     }
     editor.element.trigger(jQuery.Event("best_in_place:update"));
   },
@@ -161,10 +165,10 @@ BestInPlaceEditor.prototype = {
   },
 
   initNil: function() {
-    if (this.element.html() === "")
+    if (this.element.text() === "")
     {
       this.isNil = true;
-      this.element.html(this.nil);
+      this.element.text(this.nil);
     }
   },
 
@@ -174,12 +178,6 @@ BestInPlaceEditor.prototype = {
 
   // Trim and Strips HTML from text
   sanitizeValue : function(s) {
-    if (this.sanitize)
-    {
-      var tmp = document.createElement("DIV");
-      tmp.innerHTML = s;
-      s = jQuery.trim(tmp.textContent || tmp.innerText).replace(/"/g, '&quot;');
-    }
    return jQuery.trim(s);
   },
 
@@ -209,9 +207,9 @@ BestInPlaceEditor.prototype = {
   loadSuccessCallback : function(data) {
     var response = jQuery.parseJSON(jQuery.trim(data));
     if (response !== null && response.hasOwnProperty("display_as")) {
-      this.element.attr("data-original-content", this.element.html());
-      this.original_content = this.element.html();
-      this.element.html(response["display_as"]);
+      this.element.attr("data-original-content", this.element.text());
+      this.original_content = this.element.text();
+      this.element.text(response["display_as"]);
     }
     this.element.trigger(jQuery.Event("ajax:success"), data);
 
@@ -221,7 +219,7 @@ BestInPlaceEditor.prototype = {
   },
 
   loadErrorCallback : function(request, error) {
-    this.element.html(this.oldValue);
+    this.element.text(this.oldValue);
 
     this.element.trigger(jQuery.Event("best_in_place:error"), [request, error])
     this.element.trigger(jQuery.Event("ajax:error"));

diff --git a/lib/best_in_place/helper.rb b/lib/best_in_place/helper.rb
@@ -55,9 +55,9 @@ def best_in_place(object, field, opts = {})
       end
       if !opts[:sanitize].nil? && !opts[:sanitize]
         out << " data-sanitize='false'>"
-        out << sanitize(value.to_s, :tags => %w(b i u s a strong em p h1 h2 h3 h4 h5 ul li ol hr pre span img br), :attributes => %w(id class href))
+        out << value.to_s
       else
-        out << ">#{sanitize(value.to_s, :tags => nil, :attributes => nil)}"
+        out << ">#{h(value.to_s)}"
       end
       out << "</span>"
       raw out

diff --git a/spec/integration/js_spec.rb b/spec/integration/js_spec.rb
@@ -689,6 +689,26 @@
     end
   end
 
+  it "should keep the same value after multipe edits" do
+    @user.save!
+
+    retry_on_timeout do
+      visit double_init_user_path(@user)
+
+      bip_area @user, :description, "A <a href=\"http://google.es\">link in this text</a> not sanitized."
+      visit double_init_user_path(@user)
+
+      page.should have_link("link in this text", :href => "http://google.es")
+
+      id = BestInPlace::Utils.build_best_in_place_id @user, :description
+      page.execute_script <<-JS
+        $("##{id}").click();
+      JS
+
+      page.find("##{id} textarea").value.should eq("A <a href=\"http://google.es\">link in this text</a> not sanitized.")
+    end
+  end
+
   it "should display single- and double-quotes in values appropriately" do
     @user.height = %{5' 6"}
     @user.save!