Remove raw from various template #11803
Conversation
Force-pushed from f376a51 to 2b2e53b
Thanks for cleaning this up.
I'm not sure but may have spotted a problem.
Also a couple of minor suggestions.
@@ -1,6 +1,6 @@ | |||
- if ContentConfig.home_page_alert_html.present? | |||
.alert-cta | |||
%h6= raw ContentConfig.home_page_alert_html | |||
%h6= sanitize(@comment.body, tags: %w(strong em a i span), attributes: %w(href target)) |
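Review bot: the `+` line sanitizes `@comment.body`, but the `-` line it replaces rendered `ContentConfig.home_page_alert_html`, and the unchanged guard above it is still `- if ContentConfig.home_page_alert_html.present?`, so the home-page alert would now show a comment body (or nothing) instead of the configured HTML; it should read `%h6= sanitize(ContentConfig.home_page_alert_html, tags: %w(strong em a i span), attributes: %w(href target))`. Since this tag/attribute allow-list will be reused wherever `raw` is replaced, define it once as a constant rather than repeating the literal arrays in each template. Note also that `target` is allowed while `rel` is not, so a configured link with `target="_blank"` cannot carry `rel="noopener"`; either drop `target` from the list or add `rel` to it.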
Should `@comment.body` be `ContentConfig.home_page_alert_html`?
Also, if we have a standard set of allowed tags and attributes, I'd suggest defining these in a constant.
Indeed, I must have been tired. Fixed it.
@@ -37,10 +38,11 @@ | |||
%tr | |||
%td | |||
#{line_items.first.variant.sku} | |||
- if @distributors_pickup_times.many? | |||
%td | |||
#{line_items.first.product.supplier.name} |
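Review bot: `#{line_items.first.variant.sku}` and `#{line_items.first.product.supplier.name}` are plain-text HAML lines with Ruby interpolation; the `=` form (`%td= line_items.first.variant.sku`, `%td= line_items.first.product.supplier.name`) produces the same escaped output and makes it easier to grep the template for any remaining `raw` or `!=` uses, so prefer it here and in the interpolated lines below. The `if @distributors_pickup_times.many?` branch only adds the supplier column, so the two `%td` lines should stay as siblings under the same `%tr` once converted.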
I think we can use `=` instead of interpolation here, and below ;)
Nice pick, I cleaned up the file
Great!
But we are still awaiting merge of the dependent PR, so I will move to In Dev until then.
Thank you!
Left over from Spree, it looks like a weird way to cast something to a string.
It still allows some specific tags so we can have links and some formatting.
Force-pushed from e8fc1ff to 502df3d
Hi @rioug,

Test cases
I can see the following parts of the app have been modified, so I tried to test them:

Questions

Other findings (out of scope)

Conclusion
Thanks again! Also I have learnt a bit while testing this PR!
What? Why?
Remove `raw` from various templates, as they are introducing security issues. It potentially allows users to insert dangerous code in the HTML pages. It looks like a lot of it is left over from Spree, so I don't really have any context as to why they used `raw`, so I removed it where it didn't make sense to me why it was used. Hopefully I didn't break anything.

Other instances of `raw` usage that reviewers might want to check:
openfoodnetwork/app/helpers/spree/admin/navigation_helper.rb
Line 101 in b2c6551
What should we test?
and check they are properly rendered,
Release notes
Changelog Category (reviewers may add a label for the release notes):
The title of the pull request will be included in the release notes.
Dependencies
#11798 will need to be merged first.
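Added example, not code from the Open Food Network project and not Rails' own `sanitize` implementation: a small allow-list sanitizer in plain Ruby that uses the same tag and attribute lists as the `sanitize(..., tags: %w(strong em a i span), attributes: %w(href target))` call in this PR, run over a constructed home-page alert payload. It shows what `raw` hands to the page untouched, what plain HTML escaping does, and what an allow-list keeps. `ALLOWED_TAGS`, `ALLOWED_ATTRS`, `ALLOWED_PROTOCOLS`, `sanitize_html` and `render_raw` are hypothetical names for this illustration; in the app you would keep using Rails' `sanitize` helper with the same lists.

```ruby
require "erb"
require "set"

# Hypothetical allow-lists mirroring the PR's sanitize() arguments (not the project's constants).
ALLOWED_TAGS = Set.new(%w[strong em a i span]).freeze
ALLOWED_ATTRS = Set.new(%w[href target]).freeze
ALLOWED_PROTOCOLS = Set.new(%w[http https mailto]).freeze

# <tag attrs> / </tag> / <tag attrs/>; quoted '>' inside a value is not supported
# and simply ends the tag early, which errs on the side of escaping.
TAG_RE = %r{<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*(/?)\s*>}
# name="value" | name='value' | name=bare
ATTR_RE = /([a-zA-Z][a-zA-Z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# What `raw` does: the string reaches the page untouched, so every tag runs.
def render_raw(html)
  html
end

# What HAML does by default: every tag becomes inert text.
def html_escape(text)
  ERB::Util.html_escape(text)
end

# Accept relative links and a short list of schemes; strip control characters
# and whitespace first so "java\tscript:" is seen as "javascript:".
def safe_href?(value)
  v = value.gsub(/[\u0000-\u0020]/, "").downcase
  return true if v.start_with?("/", "#")
  scheme = v[/\A([a-z][a-z0-9+.-]*):/, 1]
  scheme.nil? ? !v.include?(":") : ALLOWED_PROTOCOLS.include?(scheme)
end

# Rebuild one tag from scratch keeping only allowed attributes; a disallowed
# tag is dropped entirely (its inner text survives, escaped, in the caller).
def rewrite_tag(closing, name, attrs)
  return "" unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing

  kept = attrs.scan(ATTR_RE).filter_map do |key, dq, sq, bare|
    key = key.downcase
    value = dq || sq || bare || ""
    next unless ALLOWED_ATTRS.include?(key)
    next if key == "href" && !safe_href?(value)
    %( #{key}="#{html_escape(value)}")
  end
  "<#{name}#{kept.join}>"
end

# Allow-list sanitizer: text between tags is escaped, tags are rebuilt or dropped.
# Attribute values are re-escaped on output, so entity-encoded tricks do not survive.
def sanitize_html(input)
  out = +""
  pos = 0
  while (m = TAG_RE.match(input, pos))
    out << html_escape(input[pos...m.begin(0)])
    out << rewrite_tag(m[1] == "/", m[2].downcase, m[3])
    pos = m.end(0)
  end
  out << html_escape(input[pos..])
end

# Constructed sample: a legitimate alert with several injected payloads appended.
ALERT_HTML = '<strong>Holiday hours:</strong> see <a href="/shop/info" target="_blank">details</a> ' \
             '<script>alert(document.cookie)</script>' \
             '<a href="javascript:alert(1)">click</a>' \
             '<img src=x onerror="alert(1)">' \
             '<span onclick="alert(1)">hi</span>'

if __FILE__ == $PROGRAM_NAME
  puts "raw:       #{render_raw(ALERT_HTML)}"
  puts "escaped:   #{html_escape(ALERT_HTML)}"
  puts "sanitized: #{sanitize_html(ALERT_HTML)}"
end
```

Running it shows the three outcomes side by side: `raw` leaves `<script>`, the `javascript:` link and the `onerror`/`onclick` handlers in place; plain escaping neutralises everything, including the `<strong>` and `<a>` the alert actually wants; the allow-list keeps the formatting and the safe link while the script tag, the unsafe `href` and the event-handler attributes are gone.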