Properly escape page part contents in the UI.

commit 300ffd5b535c7e3ee5981213c176396889e7c920 1 parent e88f129
@seancribbs seancribbs authored
2  app/views/admin/page_parts/_page_part.html.haml
@@ -12,4 +12,4 @@
= link_to_function 'Available Tags', "load_tag_reference('#{page_part.name.to_slug}');"
= render_region :part_controls, :locals => {:page_part => page_part}
%div
- ~ text_area_tag 'page[parts][][content]', page_part.content, :class => "textarea", :style => "width: 100%", :id => "part_#{page_part.name.to_slug}_content"
+ ~ text_area_tag 'page[parts][][content]', h(page_part.content), :class => "textarea", :style => "width: 100%", :id => "part_#{page_part.name.to_slug}_content"
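
Review bot: On the changed `text_area_tag` line, calling `h(page_part.content)` at the call site is only correct as long as `text_area_tag` itself emits its content argument unescaped; if the helper escapes on its own, a part containing an entity such as `&amp;` would be rendered double-escaped in the editor. Please add a short comment above this line saying why `h` is needed here. It is also worth confirming that the `page_part.name.to_slug` values interpolated into the `load_tag_reference('...')` JavaScript string and into the `:id` attribute are safe for those contexts, since they are not passed through `h`.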
6 spec/integration/admin/pages_integration_spec.rb
@@ -34,6 +34,12 @@ def have_slug(expected)
response.should have_text(/Under Construction/)
end
+ it "should properly escape part contents" do
+ navigate_to '/admin/pages/new'
+ submit_form 'new_page', :continue => 'Save and Continue', :page => {:title => 'My Site', :slug => '/', :breadcrumb => 'My Site', :parts => [{:name => 'body', :content => '<r:url />'}], :status_id => Status[:published].id}
+ response.should have_tag('textarea', :text => "<r:url />")
+ end
+
describe 'with homepage' do
dataset :home_page
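
Review bot: The new example only submits `<r:url />` as the part `:content`, so it does not cover the inputs where escaping matters most inside a textarea: content containing a closing `</textarea>` tag, and content that already holds an entity such as `&amp;`. Consider adding both as further cases in this example (or a second `it` block) with the same `have_tag('textarea', :text => ...)` assertion, so that a missing escape and a double escape each fail the spec.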