h() escaping some more stuff - better solution would be to make mock_…

…model taint all of it's strings automatically
xaviershay · Nov 6, 2008 · 524e187 · 524e187
1 parent 427bf7a
commit 524e187
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 8 deletions.
diff --git a/app/helpers/url_helper.rb b/app/helpers/url_helper.rb
@@ -23,7 +23,7 @@ def post_path(post, options = {})
     suffix = options[:anchor] ? "##{options[:anchor]}" : ""
     path = post.published_at.strftime("/%Y/%m/%d/") + post.slug + suffix
     path = URI.join(config[:url], path) if options[:only_path] == false
-    path
+    path.untaint
   end
 
   def post_comments_path(post)
@@ -36,9 +36,9 @@ def page_path(page)
 
   def author_link(comment)
     if comment.author_url.blank?
-      comment.author
+      h(comment.author)
     else
-      link_to(comment.author, comment.author_url, :title => "Authenticated by #{comment.author_openid_authority}", :class => 'openid')
+      link_to(h(comment.author), h(comment.author_url), :title => h("Authenticated by #{comment.author_openid_authority}"), :class => 'openid')
     end
   end
 

diff --git a/spec/views/posts/index.html.erb_spec.rb b/spec/views/posts/index.html.erb_spec.rb
@@ -10,7 +10,7 @@
       :title             => "A post",
       :body_html         => "Posts contents!",
       :published_at      => 1.year.ago,
-      :slug              => 'a-post',
+      :slug              => 'a-post'.taint,
       :approved_comments => [mock_model(Comment)],
       :tags              => [mock_tag]
     )

diff --git a/spec/views/posts/show.html.erb_spec.rb b/spec/views/posts/show.html.erb_spec.rb
@@ -10,9 +10,16 @@
 
     mock_comment = mock_model(Comment,
       :created_at              => 1.month.ago,
-      :author                  => "Don Alias",
-      :author_url              => "http://enkiblog.com",
-      :author_openid_authority => "http://enkiblog.com/server",
+      :author                  => "Don Alias".taint,
+      :author_url              => "http://enkiblog.com".taint,
+      :author_openid_authority => "http://enkiblog.com/server".taint,
+      :body_html               => "A comment"
+    )
+
+    mock_comment2 = mock_model(Comment,
+      :created_at              => 1.month.ago,
+      :author                  => "Don Alias".taint,
+      :author_url              => ''.taint,
       :body_html               => "A comment"
     )
 
@@ -21,7 +28,7 @@
       :body_html         => "Posts contents!",
       :published_at      => 1.year.ago,
       :slug              => 'a-post',
-      :approved_comments => [mock_comment],
+      :approved_comments => [mock_comment, mock_comment2],
       :tags              => [mock_tag]
     )
     assigns[:post]    = @post