activeadmin 1.2.0 → 1.2.1



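--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 13d4e946e40362654bc8af6e1e905e8c7a3a679d
-data.tar.gz: bd8a87269036be0171e9731f4239cea4dd3ca667
+metadata.gz: 168e2543c7194997fc761400f0c846da32cf6efc
+data.tar.gz: e329bd016b402f20b119611a16b7753417d28225
 SHA512:
-metadata.gz: 6b0a1f546b0d811e928f3ca6e94972ea1742e8ec57e3e78b5cbc49535907be1097c27e1eb3ed779b8bacc5538a344c94b81aa368374edda389bf144ecffef995
-data.tar.gz: 21e63c49e42e02777083b3a4ee1b7bb77ba63b11fefd894b25378f61ba2a3d51e66097e6cbc256d8877b61abf399c8f81a05c105bde672b7532c8ecbf09948a1
+metadata.gz: 9001bf292733c65ea736a38e728c4fc4c9ccf0179fdd2dc99bb19f1e2c7007f40b5693c67fead61a55dd5187fa09979f31fe868ec79d6f060b881e6f9d46d636
+data.tar.gz: a0251c53c84b1beea54c3a7f880a8c1349e9f7643f7d3b1cf4293e2800b76d6f6951b63fbe0b9f79eb66e18c1700390c92032c80523e22ccedf5288e306a3caa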
@@ -1,5 +1,11 @@
1
1
  # Changelog
2
2
 
3
+ ## 1.2.1 [☰](https://github.com/activeadmin/activeadmin/compare/v1.2.0...v1.2.1)
4
+
5
+ ### Bug Fixes
6
+
7
+ * Resolve issue with [#5275][] preventing XSS in filters sidebar [#5299][] by [@faucct][].
8
+
3
9
  ## 1.2.0 [☰](https://github.com/activeadmin/activeadmin/compare/v1.1.0...v1.2.0)
4
10
 
5
11
  ### Enhancements
@@ -25,7 +31,7 @@
25
31
  * Fix a couple of issues rendering filter labels [#5223][] by [@wspurgin][]
26
32
  * Prevent NameError when filtering on a namespaced association [#5240][] by [@DanielHeath][]
27
33
  * Fix undefined method error in Ransack when building filters [#5238][] by [@wspurgin][]
28
- * Fixed [#5198][] Prevent XSS on sidebar's current filter rendering [#5272][] by [@deivid-rodriguez][]
34
+ * Fixed [#5198][] Prevent XSS on sidebar's current filter rendering [#5275][] by [@deivid-rodriguez][].
29
35
  * Sanitize display_name [#5284][] by [@markstory][].
30
36
 
31
37
  ## 1.1.0 [☰](https://github.com/activeadmin/activeadmin/compare/v1.0.0...v1.1.0)
@@ -32,7 +32,7 @@ Feature: Index Filtering
32
32
  """
33
33
  When I fill in "Title" with "<script>alert('hax')</script>"
34
34
  And I press "Filter"
35
- Then I should see current filter "title_contains" equal to "alert('hax')" with label "Title contains"
35
+ Then I should see current filter "title_contains" equal to "<script>alert('hax')</script>" with label "Title contains"
36
36
 
37
37
  Scenario: Filtering posts with no results
38
38
  Given 3 posts exist
@@ -28,7 +28,7 @@ module ActiveAdmin
28
28
  text_node filter.label
29
29
  end
30
30
  b do
31
- text_node filter.values.map { |v| pretty_format(v) }.to_sentence.html_safe
31
+ text_node to_sentence(filter.values.map { |v| pretty_format(v) })
32
32
  end
33
33
  end
34
34
  end
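Review bot: The replaced `text_node` line now relies entirely on `to_sentence` for escaping, because `pretty_format` in this same release stops sanitizing its String/Symbol/Arbre::Element results; that holds only while the `to_sentence` resolved here is the html_safe-aware helper (`include OutputSafetyHelper` is added in a separate hunk of this release) and no entry of `filter.values` has been marked html_safe upstream, which this hunk cannot show. A one-line comment above the call would make the contract visible to the next reader: `# OutputSafetyHelper#to_sentence escapes every value that is not already html_safe`. The enclosing builder method starts and ends outside the hunk.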
@@ -0,0 +1,35 @@
1
+ module ActiveAdmin
2
+ module OutputSafetyHelper
3
+ # Converts the array to a comma-separated sentence where the last element is
4
+ # joined by the connector word. This is the html_safe-aware version of
5
+ # ActiveSupport's {Array#to_sentence}[http://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
6
+ #
7
+ # Copied from Rails 5 to support Rails 4.
8
+ # https://github.com/rails/rails/blob/9c35bf2a6a27431c6aa283db781c19f61c5155be/actionview/lib/action_view/helpers/output_safety_helper.rb#L43
9
+ def to_sentence(array, options = {})
10
+ options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)
11
+
12
+ default_connectors = {
13
+ words_connector: ", ",
14
+ two_words_connector: " and ",
15
+ last_word_connector: ", and "
16
+ }
17
+ if defined?(::I18n)
18
+ i18n_connectors = ::I18n.translate(:'support.array', locale: options[:locale], default: {})
19
+ default_connectors.merge!(i18n_connectors)
20
+ end
21
+ options = default_connectors.merge!(options)
22
+
23
+ case array.length
24
+ when 0
25
+ "".html_safe
26
+ when 1
27
+ ERB::Util.html_escape(array[0])
28
+ when 2
29
+ safe_join([array[0], array[1]], options[:two_words_connector])
30
+ else
31
+ safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]], nil)
32
+ end
33
+ end
34
+ end
35
+ end
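Review bot: The header comment records where `to_sentence` was copied from but not its escaping contract, which is the reason the helper exists: the result is an html_safe buffer in which each element and connector that is not already html_safe is escaped via `ERB::Util.html_escape`/`safe_join`, while values already marked html_safe are inserted verbatim. Add after the link line `# @param array [Array] values to join; anything not html_safe is escaped, html_safe values pass through unchanged` and `# @return [ActiveSupport::SafeBuffer] html_safe result`. The body also uses `assert_valid_keys` and `html_safe` from ActiveSupport and `ERB::Util` with no require in this file, so it presumably depends on the gem's load order — worth one comment so the dependency is explicit.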
@@ -1,3 +1,3 @@
1
1
  module ActiveAdmin
2
- VERSION = '1.2.0'
2
+ VERSION = '1.2.1'
3
3
  end
@@ -66,7 +66,7 @@ module ActiveAdmin
66
66
  def pretty_format(object)
67
67
  case object
68
68
  when String, Numeric, Symbol, Arbre::Element
69
- sanitize(object.to_s)
69
+ object.to_s
70
70
  when Date, Time
71
71
  I18n.localize object, format: active_admin_application.localize_format
72
72
  else
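Review bot: Replacing `sanitize(object.to_s)` with `object.to_s` makes `pretty_format` return an unescaped String for String, Numeric, Symbol and Arbre::Element inputs, so every caller — not only the sidebar's `to_sentence` path that this release changes — must now escape at the output boundary; callers outside this diff cannot be checked here. Document that on the method (its body continues past the hunk): `# Returns a plain, unescaped String; callers must escape it (e.g. via to_sentence or safe_join) before rendering.` Whether `Arbre::Element#to_s` yields an html_safe buffer is not visible here; if it does, that branch bypasses escaping by design and should be stated in the same comment.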
@@ -1,8 +1,11 @@
1
+ require 'active_admin/helpers/output_safety_helper'
2
+
1
3
  module ActiveAdmin
2
4
  module Views
3
5
 
4
6
  class SidebarSection < Panel
5
7
  builder_method :sidebar_section
8
+ include OutputSafetyHelper
6
9
 
7
10
  # Takes a ActiveAdmin::SidebarSection instance
8
11
  def build(section)
@@ -0,0 +1,79 @@
1
+ require 'rails_helper'
2
+
3
+ # Adapted from Rails 5 to support Rails 4.
4
+ # https://github.com/rails/rails/blob/9c35bf2a6a27431c6aa283db781c19f61c5155be/actionview/test/template/output_safety_helper_test.rb
5
+ RSpec.describe ActiveAdmin::OutputSafetyHelper, type: :view do
6
+ include described_class
7
+
8
+ before do
9
+ @string = "hello"
10
+ end
11
+
12
+ describe "to_sentence" do
13
+ it "escapes non-html_safe values" do
14
+ actual = to_sentence(%w(< > & ' "))
15
+ assert actual.html_safe?
16
+ assert_equal("&lt;, &gt;, &amp;, &#39;, and &quot;", actual)
17
+
18
+ actual = to_sentence(%w(<script>))
19
+ assert actual.html_safe?
20
+ assert_equal("&lt;script&gt;", actual)
21
+ end
22
+
23
+ it "does not double escape if single value is html_safe" do
24
+ assert_equal("&lt;script&gt;", to_sentence([ERB::Util.html_escape("<script>")]))
25
+ assert_equal("&lt;script&gt;", to_sentence(["&lt;script&gt;".html_safe]))
26
+ assert_equal("&amp;lt;script&amp;gt;", to_sentence(["&lt;script&gt;"]))
27
+ end
28
+
29
+ it "checks connector words for html safety" do
30
+ assert_equal "one & two, and three", to_sentence(["one", "two", "three"], words_connector: " & ".html_safe)
31
+ assert_equal "one & two", to_sentence(["one", "two"], two_words_connector: " & ".html_safe)
32
+ assert_equal "one, two &lt;script&gt;alert(1)&lt;/script&gt; three", to_sentence(["one", "two", "three"], last_word_connector: " <script>alert(1)</script> ")
33
+ end
34
+
35
+ it "does not escape html_safe values" do
36
+ ptag = content_tag("p") do
37
+ safe_join(["<marquee>shady stuff</marquee>", tag("br")])
38
+ end
39
+ url = "https://example.com"
40
+ expected = %(<a href="#{url}">#{url}</a> and <p>&lt;marquee&gt;shady stuff&lt;/marquee&gt;<br /></p>)
41
+ actual = to_sentence([link_to(url, url), ptag])
42
+ assert actual.html_safe?
43
+ assert_equal(expected, actual)
44
+ end
45
+
46
+ it "handles blank strings" do
47
+ actual = to_sentence(["", "two", "three"])
48
+ assert actual.html_safe?
49
+ assert_equal ", two, and three", actual
50
+ end
51
+
52
+ it "handles nil values" do
53
+ actual = to_sentence([nil, "two", "three"])
54
+ assert actual.html_safe?
55
+ assert_equal ", two, and three", actual
56
+ end
57
+
58
+ it "still supports ActiveSupports Array#to_sentence arguments" do
59
+ assert_equal "one two, and three", to_sentence(["one", "two", "three"], words_connector: " ")
60
+ assert_equal "one & two, and three", to_sentence(["one", "two", "three"], words_connector: " & ".html_safe)
61
+ assert_equal "onetwo, and three", to_sentence(["one", "two", "three"], words_connector: nil)
62
+ assert_equal "one, two, and also three", to_sentence(["one", "two", "three"], last_word_connector: ", and also ")
63
+ assert_equal "one, twothree", to_sentence(["one", "two", "three"], last_word_connector: nil)
64
+ assert_equal "one, two three", to_sentence(["one", "two", "three"], last_word_connector: " ")
65
+ assert_equal "one, two and three", to_sentence(["one", "two", "three"], last_word_connector: " and ")
66
+ end
67
+
68
+ it "is not affected by $," do
69
+ separator_was = $,
70
+ $, = "|"
71
+ begin
72
+ assert_equal "one and two", to_sentence(["one", "two"])
73
+ assert_equal "one, two, and three", to_sentence(["one", "two", "three"])
74
+ ensure
75
+ $, = separator_was
76
+ end
77
+ end
78
+ end
79
+ end
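Review bot: The new spec is written with minitest-style `assert`/`assert_equal` (for example `assert_equal("&lt;script&gt;", actual)`), while the rest of this suite, as the `pretty_format` spec on this page shows, uses RSpec's `expect(...).to eq`; unless rails_helper enables the minitest assertion syntax these calls raise NoMethodError, and even if it does, the file reads differently from its neighbours. Rewriting each assertion as `expect(actual).to be_html_safe` and `expect(actual).to eq("...")` keeps the style consistent. Restoring `$,` in the `ensure` block is the right shape and can stay as is.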
@@ -8,20 +8,12 @@ RSpec.describe "#pretty_format" do
8
8
  mock_action_view.send *args, &block
9
9
  end
10
10
 
11
- ['hello', 23, 5.67, 10**30, :foo].each do |obj|
11
+ ['hello', 23, 5.67, 10**30, :foo, Arbre::Element.new.br].each do |obj|
12
12
  it "should call `to_s` on #{obj.class}s" do
13
13
  expect(pretty_format(obj)).to eq obj.to_s
14
14
  end
15
15
  end
16
16
 
17
- it "normalizes Arbre elements" do
18
- expect(pretty_format(Arbre::Element.new.br)).to eq("<br>\n")
19
- end
20
-
21
- it "sanitizes Arbre elements" do
22
- expect(pretty_format(Arbre::Element.new.script('alert("foo");'))).to eq("alert(&amp;quot;foo&amp;quot;);\n")
23
- end
24
-
25
17
  shared_examples_for 'a time-ish object' do |t|
26
18
  it "formats it with the default long format" do
27
19
  expect(pretty_format(t)).to eq "February 28, 1985 20:15"
@@ -10,7 +10,6 @@ RSpec.describe ActiveAdmin::ViewHelpers::DisplayHelper do
10
10
  include ActiveAdmin::ViewHelpers::DisplayHelper
11
11
  include MethodOrProcHelper
12
12
  include ActionView::Helpers::UrlHelper
13
- include ActionView::Helpers::SanitizeHelper
14
13
  include ActionView::Helpers::TranslationHelper
15
14
  include ActionView::Helpers::SanitizeHelper
16
15
 
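--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: activeadmin
 version: !ruby/object:Gem::Version
-version: 1.2.0
+version: 1.2.1
 platform: ruby
 authors:
 - Greg Bell
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-12-19 00:00:00.000000000 Z
+date: 2018-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: arbre
@@ -494,6 +494,7 @@ files:
 - lib/active_admin/helpers/collection.rb
 - lib/active_admin/helpers/i18n.rb
 - lib/active_admin/helpers/optional_display.rb
+- lib/active_admin/helpers/output_safety_helper.rb
 - lib/active_admin/helpers/routes/url_helpers.rb
 - lib/active_admin/helpers/scope_chain.rb
 - lib/active_admin/helpers/settings.rb
@@ -683,6 +684,7 @@ files:
 - spec/unit/form_builder_spec.rb
 - spec/unit/generators/install_spec.rb
 - spec/unit/helpers/collection_spec.rb
+- spec/unit/helpers/output_safety_helper_spec.rb
 - spec/unit/helpers/scope_chain_spec.rb
 - spec/unit/helpers/settings_spec.rb
 - spec/unit/i18n_spec.rb
@@ -799,7 +801,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.5.1
+rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
 summary: The administration framework for Ruby on Rails.
@@ -954,6 +956,7 @@ test_files:
 - spec/unit/form_builder_spec.rb
 - spec/unit/generators/install_spec.rb
 - spec/unit/helpers/collection_spec.rb
+- spec/unit/helpers/output_safety_helper_spec.rb
 - spec/unit/helpers/scope_chain_spec.rb
 - spec/unit/helpers/settings_spec.rb
 - spec/unit/i18n_spec.rb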