active_scaffold 3.4.20 → 3.4.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 42baa20c0dc8c0bcc7f9d1f8f9458de2135d4def
-  data.tar.gz: d5cf0f64b77a05dcf00dafbd57533df34033a18b
+  metadata.gz: 305b70bbadf4986fe5db1d87e33cabd4612d8ee7
+  data.tar.gz: 2a9a2f6b260bd3b73d1dfac99f1937c20034a615
 SHA512:
-  metadata.gz: 9e45bf8388302307fe80cf19293c71efa2779289931fbe4fa852ab10b56c32c4b3b2f9da22d1a4c3426cf80879555e94b0722bd8395c5dbfe267bcc92400717c
-  data.tar.gz: 869a983b83016caf7aaf93d213a2392e056ccfcc0c41b51149fd17292542fd5e42ee8083271f4b15e8ba25cd0d1a6844874e91823f7c06baf2c36aa53645b760
+  metadata.gz: f2d50d8c971e3765c6ddcbd341ac74b191833f8c45445ce22e5de6f798551c7b0be4484d36cbd08b18ee24d56cd783d28fa168025e8d068021607fd046a4b987
+  data.tar.gz: 5bfdbbf6b81a65da5629b59535805332e0e23dc6d178cc1461c7101048a30c53ea64d897f79f21d4ef8126efee67b907c47e8760baedfd9a85bf6bd8e5ae79d7

data/CHANGELOG

@@ -1,3 +1,12 @@
+= 3.4.21
+- Fix excluding a bridge
+- Allow to call helpers from dynamic_parameters proc
+- Fix warn when form is changed on create/update loaded on page (without AJAX)
+- Fix XSS vulnerability when using to_label with as_ (#425)
+- Set cursor at end when focus first element
+- Set focus on form.search after search with refresh_with_header
+
+= 3.4.20
 - Update tinymce bridge for tinyMCE 4.x
 - Ignore :format in conditions_from_params
 - column with :radio form_ui works like :select form_ui in list and show

data/app/assets/javascripts/jquery/active_scaffold.js

@@ -303,6 +303,11 @@ jQuery(document).ready(function($) {
     ActiveScaffold.live_search(e.target);
     ActiveScaffold.draggable_lists('.draggable-lists', e.target);
   });
+  jQuery(document).on('as:element_updated', '.active-scaffold', function(e) {
+    if (e.target != this) return;
+    var search = $(this).find('form.search');
+    if (search.length) ActiveScaffold.focus_first_element_of_form(search);
+  });
   jQuery(document).on('as:action_success', 'a.as_action', function(e, action_link) {
     ActiveScaffold.load_embedded(action_link.adapter);
     ActiveScaffold.enable_js_form_buttons(action_link.adapter);
@@ -607,7 +612,8 @@ var ActiveScaffold = {
   focus_first_element_of_form: function(form_element, form_selector) {
     if (typeof(form_element) == 'string') form_element = '#' + form_element;
     if (typeof(form_selector) == 'undefined') form_selector = jQuery(form_element).is('form') ? '' : 'form ';
-    jQuery(form_selector + ":input:visible:first", jQuery(form_element)).focus();
+    var input = jQuery(form_selector + ":input:visible:first", jQuery(form_element)).focus();
+    if (input[0].value) input[0].selectionStart = input[0].selectionEnd = input[0].value.length;
   },
 
   create_record_row: function(active_scaffold_id, html, options) {
@@ -991,7 +997,7 @@ var ActiveScaffold = {
     $(document).on('change input', '.active-scaffold form:not(.search) input, .active-scaffold form:not(.search) textarea, .active-scaffold form:not(.search) select', function() {
       $(this).closest('form').addClass('need-confirm');
     });
-    $(document).on('click', '.active-scaffold .as_cancel:not([data-remote])', function() {
+    $(document).on('click', '.active-scaffold .as_cancel:not([data-remote]), .active-scaffold input[type=submit]', function() {
       $(this).closest('form').removeClass('need-confirm');
     });
     window.onbeforeunload = function() {

data/app/views/active_scaffold_overrides/_show.html.erb

@@ -1,4 +1,4 @@
-<h4><%= active_scaffold_config.show.label(@record.to_label.nil? ? nil : @record.to_label) %></h4>
+<h4><%= active_scaffold_config.show.label(@record.to_label.nil? ? nil : h(@record.to_label)) %></h4>
 
 <%= render :partial => 'show_columns', :locals => {:columns => active_scaffold_config.show.columns} -%>
 

data/app/views/active_scaffold_overrides/_update_form.html.erb

@@ -3,4 +3,4 @@
                                                 :form_action => form_action ||= :update,
                                                 :method => method ||= :put,
                                                 :cancel_link => cancel_link,
-                                                :headline => headline ||= @record.to_label.nil? ? active_scaffold_config.update.label : as_(:update_model, :model => @record.to_label)} %>
+                                                :headline => headline ||= @record.to_label.nil? ? active_scaffold_config.update.label : as_(:update_model, :model => h(@record.to_label))} %>

data/app/views/active_scaffold_overrides/action_confirmation.html.erb

@@ -1,7 +1,7 @@
 <div class="active-scaffold">
   <div class="delete-view view">
     <%= form_tag params_for(:action => link.action, :id => params[:id]), { :method => link.method } %>
-      <h4><%= link.confirm(record.try(:to_label)) -%></h4>
+      <h4><%= link.confirm(h(record.try(:to_label))) -%></h4>
 
       <p class="form-footer">
         <%= submit_tag as_(link.label), :class => 'submit' %>

data/app/views/active_scaffold_overrides/delete.html.erb

@@ -1,7 +1,7 @@
 <div class="active-scaffold">
   <div class="delete-view view">
     <%= form_tag params_for(:action => :destroy, :id => params[:id]), { :method => :delete } %>
-      <h4><%= as_(:are_you_sure_to_delete, :label => @record.try(:to_label)) -%></h4>
+      <h4><%= as_(:are_you_sure_to_delete, :label => h(@record.try(:to_label))) -%></h4>
 
       <p class="form-footer">
         <%= submit_tag as_(:delete), :class => 'submit' %>

data/lib/active_scaffold/actions/create.rb

@@ -40,7 +40,7 @@ module ActiveScaffold::Actions
         end
       else
         if successful?
-          flash[:info] = as_(:created_model, :model => @record.to_label)
+          flash[:info] = as_(:created_model, :model => ERB::Util.h(@record.to_label))
           if (action = active_scaffold_config.create.action_after_create)
             redirect_to params_for(:action => action, :id => @record.to_param)
           elsif params[:dont_close]

data/lib/active_scaffold/actions/delete.rb

@@ -14,7 +14,7 @@ module ActiveScaffold::Actions
     protected
 
     def destroy_respond_to_html
-      flash[:info] = as_(:deleted_model, :model => @record.to_label) if self.successful?
+      flash[:info] = as_(:deleted_model, :model => ERB::Util.h(@record.to_label)) if self.successful?
       return_to_main
     end
 
@@ -46,7 +46,7 @@ module ActiveScaffold::Actions
       begin
         self.successful = record.destroy
       rescue StandardError => ex
-        flash[:warning] = as_(:cant_destroy_record, :record => record.to_label)
+        flash[:warning] = as_(:cant_destroy_record, :record => ERB::Util.h(record.to_label))
         self.successful = false
         logger.debug ex.message
         logger.debug ex.backtrace.join("\n")

data/lib/active_scaffold/actions/nested.rb

@@ -38,9 +38,9 @@ module ActiveScaffold::Actions
 
     def nested_label
       if nested.belongs_to?
-        as_(:nested_of_model, :nested_model => active_scaffold_config.model.model_name.human, :parent_model => nested_parent_record.to_label)
+        as_(:nested_of_model, :nested_model => active_scaffold_config.model.model_name.human, :parent_model => ERB::Util.h(nested_parent_record.to_label))
       else
-        as_(:nested_for_model, :nested_model => active_scaffold_config.list.label, :parent_model => nested_parent_record.to_label)
+        as_(:nested_for_model, :nested_model => active_scaffold_config.list.label, :parent_model => ERB::Util.h(nested_parent_record.to_label))
       end
     end
 
@@ -144,7 +144,7 @@ module ActiveScaffold::Actions::Nested
     end
 
     def destroy_existing
-      return redirect_to(params.merge(:action => :delete)) if request.get?
+      return redirect_to(params.merge(:action => :delete, :only_path => true)) if request.get?
       do_destroy_existing
       respond_to_action(:destroy_existing)
     end
@@ -165,7 +165,7 @@ module ActiveScaffold::Actions::Nested
 
     def add_existing_respond_to_html
       if successful?
-        flash[:info] = as_(:created_model, :model => @record.to_label)
+        flash[:info] = as_(:created_model, :model => ERB::Util.h(@record.to_label))
         return_to_main
       else
         render(:action => 'add_existing_form')
@@ -193,7 +193,7 @@ module ActiveScaffold::Actions::Nested
     end
 
     def destroy_existing_respond_to_html
-      flash[:info] = as_(:deleted_model, :model => @record.to_label)
+      flash[:info] = as_(:deleted_model, :model => ERB::Util.h(@record.to_label))
       return_to_main
     end
 

data/lib/active_scaffold/actions/update.rb

@@ -43,7 +43,7 @@ module ActiveScaffold::Actions
         end
       else # just a regular post
         if successful?
-          message = as_(:updated_model, :model => @record.to_label)
+          message = as_(:updated_model, :model => ERB::Util.h(@record.to_label))
           if params[:dont_close]
             flash.now[:info] = message
             render(:action => 'update')
@@ -68,7 +68,7 @@ module ActiveScaffold::Actions
             @record = get_row rescue nil # if record doesn't fullfil current conditions remove it from list
           end
         end
-        flash.now[:info] = as_(:updated_model, :model => (@updated_record || @record).to_label) if active_scaffold_config.update.persistent
+        flash.now[:info] = as_(:updated_model, :model => ERB::Util.h((@updated_record || @record).to_label)) if active_scaffold_config.update.persistent
       end
       render :action => 'on_update'
     end

data/lib/active_scaffold/bridges.rb

@@ -45,7 +45,7 @@ module ActiveScaffold
       return false if bridges_prepared
       bridges.keys.each do |bridge_name|
         bridge = self[bridge_name]
-        bridge.prepare if bridge.install?
+        bridge.prepare if bridge && bridge.install?
       end
       self.bridges_prepared = true
     end

data/lib/active_scaffold/helpers/view_helpers.rb

@@ -246,7 +246,7 @@ module ActiveScaffold
       end
 
       def replace_id_params_in_action_link_url(link, record, url)
-        url = record ? url.sub('--ID--', record.to_param) : url.clone
+        url = record ? url.sub('--ID--', record.to_param.to_s) : url.clone
         if link.column.try(:singular_association?)
           child_id = record.send(link.column.association.name).try(:to_param)
           if child_id.present?
@@ -333,9 +333,9 @@ module ActiveScaffold
         url_options.merge! link.parameters if link.parameters
         if link.dynamic_parameters.is_a?(Proc)
           if record.nil?
-            url_options.merge! link.dynamic_parameters.call
+            url_options.merge! instance_exec &link.dynamic_parameters
           else
-            url_options.merge! link.dynamic_parameters.call(record)
+            url_options.merge! instance_exec record, &link.dynamic_parameters
           end
         end
         if link.nested_link?
@@ -384,7 +384,7 @@ module ActiveScaffold
         html_options[:method] = link.method if link.method != :get
 
         html_options[:data] ||= {}
-        html_options[:data][:confirm] = link.confirm(record.try(:to_label)) if link.confirm?
+        html_options[:data][:confirm] = link.confirm(h(record.try(:to_label))) if link.confirm?
         if link.inline?
           html_options[:class] << ' as_action'
           html_options[:data][:position] = link.position if link.position

data/lib/active_scaffold/version.rb

@@ -2,7 +2,7 @@ module ActiveScaffold
   module Version
     MAJOR = 3
     MINOR = 4
-    PATCH = 20
+    PATCH = 21
 
     STRING = [MAJOR, MINOR, PATCH].compact.join('.')
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: active_scaffold
 version: !ruby/object:Gem::Version
-  version: 3.4.20
+  version: 3.4.21
 platform: ruby
 authors:
 - Many, see README
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-16 00:00:00.000000000 Z
+date: 2015-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: brakeman