
From: "Petteri Räty" <betelgeuse@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/recruiting-webapp:master commit in: spec/models/, app/views/taglibs/, config/initializers/
Date: Tue, 02 Aug 2011 20:33:49
Message-Id: cf450f1e4f5f2317e64291487bfccd89a2b243bf.betelgeuse@gentoo
1 commit: cf450f1e4f5f2317e64291487bfccd89a2b243bf
2 Author: Petteri Räty <betelgeuse <AT> gentoo <DOT> org>
3 AuthorDate: Tue Aug 2 20:32:04 2011 +0000
4 Commit: Petteri Räty <betelgeuse <AT> gentoo <DOT> org>
5 CommitDate: Tue Aug 2 20:32:24 2011 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/recruiting-webapp.git;a=commit;h=cf450f1e
7
8 Fix two XSS injections
9
10 The EmailAddress problem was submitted upstream to hobo.
11
12 ---
13 app/views/taglibs/views.dryml | 2 +-
14 config/initializers/email_address.rb | 9 +++++++++
15 spec/models/user_spec.rb | 5 +++++
16 3 files changed, 15 insertions(+), 1 deletions(-)
17
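--- a/app/views/taglibs/views.dryml
+++ b/app/views/taglibs/views.dryml
@@ -10,7 +10,7 @@
 <%= this.content.to_html %>
 <ul>
 <repeat:options>
- <li><%=this.content%></li>
+ <li><%= h this.content%></li>
 </repeat>
 </ul>
 </def>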
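Review bot: The context line `<%= this.content.to_html %>` three lines above the changed `<li>` still emits the field's own `to_html` output unescaped, and the commit itself shows (in the EmailAddress initializer) that a type's `to_html` cannot be assumed to escape. Confirm that the `to_html` implementation behind this field escapes or sanitizes its input, or wrap it the same way: `<%= h this.content.to_html %>`, if that does not break intended markup. The enclosing `<def>` begins outside the hunk, so any other `<%= … %>` outputs in it are not visible here.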
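--- /dev/null
+++ b/config/initializers/email_address.rb
@@ -0,0 +1,9 @@
+require 'hobo_fields/email_address'
+
+class HoboFields::EmailAddress
+ def to_html_with_escape(xmldoctype = true)
+ ERB::Util.h to_html_without_escape xmldoctype
+ end
+
+ alias_method_chain :to_html, :escape
+end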
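Review bot: The reopened `HoboFields::EmailAddress` class carries no comment saying why the chain exists or when it can go away, even though the commit message says the problem was reported upstream; add above the class `# Workaround: HoboFields::EmailAddress#to_html returns its output unescaped (reported upstream to hobo). Remove this initializer once the bundled hobo_fields escapes it itself.` Once upstream does escape, wrapping the already-escaped result in `ERB::Util.h` may double-escape it (`&lt;` becoming `&amp;lt;`) depending on whether that version marks the string html_safe, so the spec added in this commit is what will catch the version bump. Note also that which characters `ERB::Util.h` escapes (in particular the apostrophe) varies between Rails versions, so the expected string in the spec is tied to the escaping table of the currently pinned Rails.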
48 diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
49 index e6724d8..7552a1e 100644
50 --- a/spec/models/user_spec.rb
51 +++ b/spec/models/user_spec.rb
52 @@ -8,6 +8,11 @@ describe User do
53 new_user.role.should == :recruit
54 end
55
56 + it "should escape emails" do
57 + u = User.new :email_address => "<script>alert('foo')<script>@foo.com"
58 + u.email_address.to_html.should == "&lt;script&gt;alert('foo')&lt;script&gt; at foo dot com"
59 + end
60 +
61 it { should allow_value(:mentor).for(:role) }
62 it { should allow_value(:recruiter).for(:role) }