
Ensure that keywords are escaped within a spree_analytics call

Thanks to Michael Bianco from Ascension Press for bringing this to our
attention
1 parent 23767df commit 079949fd0e6d9ec87eefd8e3b9c70b5aa3bf25d3 @cmar cmar committed
Showing with 8 additions and 1 deletion.
  1. +1 −1 app/helpers/analytics_helper.rb
  2. +7 −0 spec/helpers/analytics_helper_spec.rb
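--- a/app/helpers/analytics_helper.rb
+++ b/app/helpers/analytics_helper.rb
@@ -31,7 +31,7 @@ def taxon_analytics_tags
 def keywords_analytics_tags
 return {} unless params[:keywords]
-{ :search => { :keyword => params[:keywords] } }
+{ :search => { :keyword => u(params[:keywords]) } }
 end
 def cart_analytics_tags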
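Review bot: `u` is URL-encoding (`ERB::Util.url_encode`), which is a context mismatch if this value is interpolated into a `<script>` analytics snippet — it does keep `<`, `>` and `"` out of the page, but it also rewrites every space and non-ASCII character of a legitimate keyword as `%20`/percent escapes, so the search terms reported to analytics are silently altered; the view that consumes `keywords_analytics_tags` is outside this hunk, so confirm the output context before relying on this. If that context is JavaScript, the more faithful fix is to keep the helper returning the raw string and encode at the point of output with a JS/JSON encoder (`to_json` plus `json_escape`, or `escape_javascript`) so the keyword becomes a proper string literal instead of a percent-encoded one. Either way the new line deserves a why-comment, e.g. `# encode user-supplied search terms so they cannot inject markup into the analytics tag (see analytics_helper_spec.rb)`. Note also that `params[:keywords]` can arrive as an Array or Hash (`keywords[]=...`); `u` calls `to_s` on it, which is harmless here but worth remembering if the consumer changes.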
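--- a/spec/helpers/analytics_helper_spec.rb
+++ b/spec/helpers/analytics_helper_spec.rb
@@ -55,6 +55,13 @@
 tags[:search][:keyword].should eq "rails"
 end
+it "escapes keywords" do
+params[:keywords] = "\"funny><looking><keywords"
+tags = helper.keywords_analytics_tags
+tags[:search][:keyword].should_not include("funny><looking><keywords")
+tags[:search][:keyword].should include("%22funny%3E%3Clooking%3E%3Ckeywords")
+end
+
 it "for cart" do
 @order.should_receive(:cart?).and_return(true)
 assign :order, @order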
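Review bot: The positive assertion in the new "escapes keywords" example uses `include`, which pins less than it could — any result that merely contains the encoded substring passes, so a later change that wraps or double-encodes the value around it would go unnoticed; `tags[:search][:keyword].should eq "%22funny%3E%3Clooking%3E%3Ckeywords"` states the exact contract and makes the `should_not include` line redundant. A second example with an ordinary keyword containing a space (expecting `"red%20shoes"`) would document the side effect of URL-encoding on legitimate search terms, which is the trade-off the helper change makes. The enclosing `describe` block starts outside this hunk.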
