consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove unneeded html_safe and raw calls

Browse Source 
There's no HTML in these texts, or it has already been escaped by Rails
`link_to` helper method.
This commit is contained in:
Javi Martín
2019-10-02 02:24:25 +02:00
parent 2c80c05372
commit 20ca6beb30
10 changed files with 25 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/direct_uploads_controller.rb
View File

@@ -17,7 +17,7 @@ class DirectUploadsController < ApplicationController
render json: { cached_attachment: @direct_upload.relation.cached_attachment, render json: { cached_attachment: @direct_upload.relation.cached_attachment,
filename: @direct_upload.relation.attachment.original_filename, filename: @direct_upload.relation.attachment.original_filename,
destroy_link: render_destroy_upload_link(@direct_upload).html_safe, destroy_link: render_destroy_upload_link(@direct_upload),
attachment_url: @direct_upload.relation.attachment.url } attachment_url: @direct_upload.relation.attachment.url }
else else
@direct_upload.destroy_attachment @direct_upload.destroy_attachment

2
app/views/admin/budget_investments/_select_investment.html.erb
View File

@@ -31,7 +31,7 @@
<td class="small" data-field="valuator"> <td class="small" data-field="valuator">
<% valuators = [investment.assigned_valuation_groups, investment.assigned_valuators].compact %> <% valuators = [investment.assigned_valuation_groups, investment.assigned_valuators].compact %>
<% no_valuators_assigned = t("admin.budget_investments.index.no_valuators_assigned") %> <% no_valuators_assigned = t("admin.budget_investments.index.no_valuators_assigned") %>
<%= raw valuators.present? ? valuators.join(", ") : no_valuators_assigned %> <%= valuators.present? ? valuators.join(", ") : no_valuators_assigned %>
</td> </td>
<td class="small" data-field="geozone"> <td class="small" data-field="geozone">

2
app/views/dashboard/mailer/new_actions_notification_on_published.html.erb
View File

@@ -36,7 +36,7 @@
<ul> <ul>
<li><%= first_proposed_action.title %></li> <li><%= first_proposed_action.title %></li>
<% if first_proposed_action.short_description.present? %> <% if first_proposed_action.short_description.present? %>
<p><%= first_proposed_action.short_description.html_safe %></p> <p><%= first_proposed_action.short_description %></p>
<% end %> <% end %>
</ul> </ul>
<% end %> <% end %>

2
app/views/kaminari/_first_page.html.erb
View File

@@ -1,3 +1,3 @@
<li> <li>
<%= link_to t("views.pagination.first").html_safe, kaminari_path(url), :remote => remote %> <%= link_to t("views.pagination.first"), kaminari_path(url), :remote => remote %>
</li> </li>

2
app/views/kaminari/_last_page.html.erb
View File

@@ -1,3 +1,3 @@
<li> <li>
<%= link_to t("views.pagination.last").html_safe, kaminari_path(url), :remote => remote %> <%= link_to t("views.pagination.last"), kaminari_path(url), :remote => remote %>
</li> </li>

2
app/views/kaminari/_next_page.html.erb
View File

@@ -1,3 +1,3 @@
<li class="pagination-next"> <li class="pagination-next">
<%= link_to t("views.pagination.next").html_safe, kaminari_path(url), :rel => "next", :remote => remote %> <%= link_to t("views.pagination.next"), kaminari_path(url), :rel => "next", :remote => remote %>
</li> </li>

2
app/views/kaminari/_prev_page.html.erb
View File

@@ -1,3 +1,3 @@
<li class="pagination-previous"> <li class="pagination-previous">
<%= link_to t("views.pagination.previous").html_safe, kaminari_path(url), :rel => "prev", :remote => remote %> <%= link_to t("views.pagination.previous"), kaminari_path(url), :rel => "prev", :remote => remote %>
</li> </li>

2
app/views/layouts/_footer.html.erb
View File

@@ -2,7 +2,7 @@
<div class="row"> <div class="row">
<div class="small-12 large-4 column"> <div class="small-12 large-4 column">
<h1 class="logo"> <h1 class="logo">
<%= link_to t("layouts.header.open_gov", open: "#{t("layouts.header.open")}").html_safe %> <%= link_to t("layouts.header.open_gov", open: t("layouts.header.open")), root_path %>
</h1> </h1>
<p class="info"> <p class="info">

4
app/views/layouts/_notification_item.html.erb
View File

@@ -10,11 +10,11 @@
<span class="icon-circle" aria-hidden="true"></span> <span class="icon-circle" aria-hidden="true"></span>
<span class="icon-notification" aria-hidden="true" <span class="icon-notification" aria-hidden="true"
title="<%= t("layouts.header.notification_item.new_notifications", title="<%= t("layouts.header.notification_item.new_notifications",
count: current_user.notifications_count).html_safe %>"> count: current_user.notifications_count) %>">
</span> </span>
<span class="show-for-small-only"> <span class="show-for-small-only">
<%= t("layouts.header.notification_item.new_notifications", <%= t("layouts.header.notification_item.new_notifications",
count: current_user.notifications_count).html_safe %> count: current_user.notifications_count) %>
</span> </span>
<% else %> <% else %>
<span class="icon-no-notification" aria-hidden="true" <span class="icon-no-notification" aria-hidden="true"

15
spec/features/xss_spec.rb Normal file
View File

@@ -0,0 +1,15 @@
require "rails_helper"
describe "Cross-Site Scripting protection", :js do
let(:attack_code) { "<script>document.body.remove()</script>" }
scenario "valuators in admin investments index" do
hacker = create(:user, username: attack_code)
investment = create(:budget_investment, valuators: [create(:valuator, user: hacker)])
login_as(create(:administrator).user)
visit admin_budget_budget_investments_path(investment.budget)
expect(page.text).not_to be_empty
end
end