Merge branch '3-0-1'

Conflicts:
	CHANGELOG.md
commit f4cd76fa05c37d2e9c9660bec4e861aa0a78eafc 2 parents 10c14a5 + 3989c53
@rafaelfranca rafaelfranca authored
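--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,11 @@
 ### bug fix
 * Collection input generates `required` attribute if it has `prompt` option. [@nashby](https://github.com/nashby)
+## 3.0.1
+
+### bug fix
+ * Fix XSS vulnerability on label, hint and error components.
+
 ## 3.0.0
 ### enhancements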
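--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
 remote: .
 specs:
- simple_form (3.0.0)
+ simple_form (3.0.1)
 actionpack (>= 4.0.0, < 4.1)
 activemodel (>= 4.0.0, < 4.1)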
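--- a/lib/simple_form/components/errors.rb
+++ b/lib/simple_form/components/errors.rb
@@ -12,7 +12,7 @@ def has_errors?
 protected
 def error_text
- "#{options[:error_prefix]} #{errors.send(error_method)}".lstrip.html_safe
+ "#{html_escape(options[:error_prefix])} #{errors.send(error_method)}".lstrip.html_safe
 end
 def error_method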
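Review bot: Only the prefix half of `error_text` is escaped; `errors.send(error_method)` is still interpolated as-is and the whole string is then marked html_safe, so a validation message that interpolates a submitted value (ActiveModel's `%{value}` placeholder, for instance) would still reach the page unescaped. Since ActiveSupport's `html_escape` passes `html_safe?` strings through — the behaviour the new error_test.rb case with the `.html_safe` prefix relies on — wrapping the message as well is backward compatible for messages already marked safe: `"#{html_escape(options[:error_prefix])} #{html_escape(errors.send(error_method))}".lstrip.html_safe`. The error_test.rb hunk adds no case with markup in the message itself, so that path is currently unasserted either way. `error_method` continues outside the hunk.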
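--- a/lib/simple_form/components/hints.rb
+++ b/lib/simple_form/components/hints.rb
@@ -5,8 +5,13 @@ module Hints
 def hint
 @hint ||= begin
 hint = options[:hint]
- hint_content = hint.is_a?(String) ? hint : translate(:hints)
- hint_content.html_safe if hint_content
+
+ if hint.is_a?(String)
+ html_escape(hint)
+ else
+ content = translate(:hints)
+ content.html_safe if content
+ end
 end
 end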
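Review bot: The `else` branch still marks the translated hint html_safe without escaping, so the fix rests on `translate(:hints)` only ever returning text from the application's own locale files, and that assumption is not stated in the method. Suggest a comment above `content = translate(:hints)`: `# Locale-file hints are trusted markup; only caller-supplied strings are escaped above.` A short note on the `if hint.is_a?(String)` branch would also help readers, since a SafeBuffer is a String and `html_escape` returns it untouched, which is what lets `hint: '...'.html_safe` keep its tags in hint_test.rb. The enclosing `Hints` module opens outside the hunk.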
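--- a/lib/simple_form/components/labels.rb
+++ b/lib/simple_form/components/labels.rb
@@ -30,7 +30,7 @@ def label
 end
 def label_text
- SimpleForm.label_text.call(raw_label_text, required_label_text).strip.html_safe
+ SimpleForm.label_text.call(html_escape(raw_label_text), required_label_text).strip.html_safe
 end
 def label_target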
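Review bot: Escaping is applied to `raw_label_text` only; `required_label_text` and the return value of the configurable `SimpleForm.label_text` callback go into the final `.html_safe` unescaped, so the component's safety now also depends on those two producing trusted markup, and neither is visible in this hunk. A comment on `label_text` would make that contract explicit: `# Only the label text is escaped here; required_label_text and the SimpleForm.label_text callback must return trusted markup.` Because a plain String label is now entity-escaped, applications that passed markup as `label:` must add `.html_safe` (as label_test.rb's new test does); that is a user-visible change worth spelling out in the 3.0.1 changelog entry, which currently only says the vulnerability was fixed. `label_target` continues outside the hunk.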
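--- a/lib/simple_form/inputs/base.rb
+++ b/lib/simple_form/inputs/base.rb
@@ -1,8 +1,11 @@
 require 'simple_form/i18n_cache'
+require 'active_support/core_ext/string/output_safety'
 module SimpleForm
 module Inputs
 class Base
+ include ERB::Util
+
 extend I18nCache
 include SimpleForm::Helpers::Autofocus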
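Review bot: `include ERB::Util` needs `erb` to be loaded and nothing in this file requires it directly; the new `require 'active_support/core_ext/string/output_safety'` presumably pulls it in, but an explicit `require 'erb'` next to it would not leave the constant's availability to a transitive load. The choice of that require also matters for correctness: it is ActiveSupport's version of `html_escape` that returns `html_safe?` strings unchanged, which the `.html_safe` cases in error_test.rb, hint_test.rb and label_test.rb depend on. A comment on the include would capture that: `# ActiveSupport's html_escape (output_safety) passes html_safe? strings through, so callers can opt into raw markup.` The class body continues outside the hunk.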
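--- a/lib/simple_form/version.rb
+++ b/lib/simple_form/version.rb
@@ -1,3 +1,3 @@
 module SimpleForm
- VERSION = "3.0.0".freeze
+ VERSION = "3.0.1".freeze
 end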
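--- a/test/form_builder/error_test.rb
+++ b/test/form_builder/error_test.rb
@@ -80,8 +80,13 @@ def with_full_error_for(object, *args)
 assert_no_select 'p.error[error_method]'
 end
- test 'error should generate an error message with raw HTML tags' do
+ test 'error should escape error prefix text' do
 with_error_for @user, :name, error_prefix: '<b>Name</b>'
+ assert_select 'span.error', "&lt;b&gt;Name&lt;/b&gt; can't be blank"
+ end
+
+ test 'error should generate an error message with raw HTML tags' do
+ with_error_for @user, :name, error_prefix: '<b>Name</b>'.html_safe
 assert_select 'span.error', "Name can't be blank"
 assert_select 'span.error b', "Name"
 end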
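--- a/test/form_builder/hint_test.rb
+++ b/test/form_builder/hint_test.rb
@@ -43,8 +43,14 @@ def with_hint_for(object, *args)
 end
 test 'hint should be output as html_safe' do
- with_hint_for @user, :name, hint: '<b>Bold</b> and not...'
+ with_hint_for @user, :name, hint: '<b>Bold</b> and not...'.html_safe
 assert_select 'span.hint', 'Bold and not...'
+ assert_select 'span.hint b', 'Bold'
+ end
+
+ test 'builder should escape hint text' do
+ with_hint_for @user, :name, hint: '<script>alert(1337)</script>'
+ assert_select 'span.hint', "&lt;script&gt;alert(1337)&lt;/script&gt;"
 end
 # Without attribute name
@@ -132,7 +138,7 @@ def with_hint_for(object, *args)
 test 'hint with custom wrappers works' do
 swap_wrapper do
 with_hint_for @user, :name, hint: "can't be blank"
- assert_select 'div.omg_hint', "can't be blank"
+ assert_select 'div.omg_hint', "can&#39;t be blank"
 end
 end
 end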
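Review bot: The new escaping tests here (`assert_select 'span.hint', "&lt;script&gt;alert(1337)&lt;/script&gt;"`) and the matching one in label_test.rb pin the entity-encoded text, which ties them to how `assert_select` reports element content rather than to the property being fixed; should the assertion library start decoding entities, they would fail without the output having changed. Adding the structural check the suite already uses elsewhere, `assert_no_select 'span.hint script'` (and `assert_no_select 'label.string script'` in label_test.rb), states directly that no element was injected and mirrors the positive `assert_select 'label.string script'` of the html_safe case. The `can&#39;t be blank` expectation in the second hunk has the same coupling and additionally records that plain hints are now entity-encoded even for a harmless apostrophe, which is worth a one-line comment in the test so the change of expectation is not mistaken for a regression.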
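--- a/test/form_builder/label_test.rb
+++ b/test/form_builder/label_test.rb
@@ -29,6 +29,16 @@ def with_label_for(object, *args, &block)
 assert_select 'label.string.required[for=validating_user_name]', /Name/
 end
+ test 'builder should escape label text' do
+ with_label_for @user, :name, label: '<script>alert(1337)</script>', required: false
+ assert_select 'label.string', "&lt;script&gt;alert(1337)&lt;/script&gt;"
+ end
+
+ test 'builder should not escape label text if it is safe' do
+ with_label_for @user, :name, label: '<script>alert(1337)</script>'.html_safe, required: false
+ assert_select 'label.string script', "alert(1337)"
+ end
+
 test 'builder should allow passing options to label tag' do
 with_label_for @user, :name, label: 'My label', id: 'name_label'
 assert_select 'label.string#name_label', /My label/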