
Use safe_join for joining flash messages

oliverguenther committed Oct 2, 2019
1 parent 3746a8a commit b1f1184da257f03ad0cb98d659cd297c76ab4681
Showing with 17 additions and 3 deletions.
  1. +5 −3 app/helpers/application_helper.rb
  2. +12 −0 spec/features/projects/projects_index_spec.rb
@@ -137,14 +137,16 @@ def due_date_distance_in_words(date)

# Renders flash messages
def render_flash_messages
flash
messages = flash
.reject { |k,_| k.start_with? '_' }
.map { |k, v| render_flash_message(k, v) }.join.html_safe
.map { |k, v| render_flash_message(k, v) }

safe_join messages, "\n"
end

def join_flash_messages(messages)
if messages.respond_to?(:join)
messages.join('<br />').html_safe
safe_join(messages, '<br />')
else
messages
end
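Review bot: `safe_join(messages, '<br />')` in join_flash_messages escapes the separator along with the items, because safe_join runs a non-html_safe separator through HTML escaping as well; the joined output reads `a&lt;br /&gt;b` in the page rather than producing line breaks. The separator needs to be marked safe, e.g. `safe_join(messages, '<br />'.html_safe)` (or `safe_join(messages, tag(:br))`), which keeps the escaping of each message that this commit adds. The `"\n"` separator in render_flash_messages is unaffected since it has nothing to escape. In both helpers, if render_flash_message or an element of messages returns a string that is not already html_safe, safe_join escapes it a second time — worth confirming those values are html_safe buffers. join_flash_messages's closing `end` lies outside the hunk.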
@@ -160,6 +160,18 @@ def remove_filter(name)
.to have_selector('td', text: news.created_on.strftime('%m/%d/%Y'))
end
end

scenario 'test that flash sortBy is being escaped' do
login_as(admin)
visit projects_path(sortBy: "[[\"><script src='/foobar.js'></script>\",\"\"]]")

error_text = "Orders ><script src='/foobar js'></script> is not set to one of the allowed values. and does not exist."
error_html = "Orders &gt;&lt;script src='/foobar js'&gt;&lt;/script&gt; is not set to one of the allowed values. and does not exist."
expect(page).to have_selector('.flash.error', text: error_text)

error_container = page.find('.flash.error')
expect(error_container['innerHTML']).to include error_html
end
end
end
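Review bot: The new scenario only exercises the single-message path through render_flash_messages, so the separator behaviour that join_flash_messages changes in this same commit (escaping when joining with `'<br />'`) is not covered; a scenario that triggers two flash messages and asserts the container's innerHTML contains a literal `<br />` rather than `&lt;br /&gt;` would pin that down. A short comment on the scenario explaining why the expected text reads `/foobar js` rather than `/foobar.js` would also help, e.g. `# the sortBy parser drops the dot; the point of the assertion is that the angle brackets are escaped`, since the mismatch with the visited URL otherwise looks like a typo.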
