activeadmin 1.2.0 → 1.2.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of activeadmin might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +7 -1
- data/features/index/filters.feature +1 -1
- data/lib/active_admin/filters/active_sidebar.rb +1 -1
- data/lib/active_admin/helpers/output_safety_helper.rb +35 -0
- data/lib/active_admin/version.rb +1 -1
- data/lib/active_admin/view_helpers/display_helper.rb +1 -1
- data/lib/active_admin/views/components/sidebar_section.rb +3 -0
- data/spec/unit/helpers/output_safety_helper_spec.rb +79 -0
- data/spec/unit/pretty_format_spec.rb +1 -9
- data/spec/unit/view_helpers/display_helper_spec.rb +0 -1
- metadata +6 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 168e2543c7194997fc761400f0c846da32cf6efc
|
|
4
|
+
data.tar.gz: e329bd016b402f20b119611a16b7753417d28225
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9001bf292733c65ea736a38e728c4fc4c9ccf0179fdd2dc99bb19f1e2c7007f40b5693c67fead61a55dd5187fa09979f31fe868ec79d6f060b881e6f9d46d636
|
|
7
|
+
data.tar.gz: a0251c53c84b1beea54c3a7f880a8c1349e9f7643f7d3b1cf4293e2800b76d6f6951b63fbe0b9f79eb66e18c1700390c92032c80523e22ccedf5288e306a3caa
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,11 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 1.2.1 [☰](https://github.com/activeadmin/activeadmin/compare/v1.2.0...v1.2.1)
|
|
4
|
+
|
|
5
|
+
### Bug Fixes
|
|
6
|
+
|
|
7
|
+
* Resolve issue with [#5275][] preventing XSS in filters sidebar [#5299][] by [@faucct][].
|
|
8
|
+
|
|
3
9
|
## 1.2.0 [☰](https://github.com/activeadmin/activeadmin/compare/v1.1.0...v1.2.0)
|
|
4
10
|
|
|
5
11
|
### Enhancements
|
|
@@ -25,7 +31,7 @@
|
|
|
25
31
|
* Fix a couple of issues rendering filter labels [#5223][] by [@wspurgin][]
|
|
26
32
|
* Prevent NameError when filtering on a namespaced association [#5240][] by [@DanielHeath][]
|
|
27
33
|
* Fix undefined method error in Ransack when building filters [#5238][] by [@wspurgin][]
|
|
28
|
-
* Fixed [#5198][] Prevent XSS on sidebar's current filter rendering [#
|
|
34
|
+
* Fixed [#5198][] Prevent XSS on sidebar's current filter rendering [#5275][] by [@deivid-rodriguez][].
|
|
29
35
|
* Sanitize display_name [#5284][] by [@markstory][].
|
|
30
36
|
|
|
31
37
|
## 1.1.0 [☰](https://github.com/activeadmin/activeadmin/compare/v1.0.0...v1.1.0)
|
|
@@ -32,7 +32,7 @@ Feature: Index Filtering
|
|
|
32
32
|
"""
|
|
33
33
|
When I fill in "Title" with "<script>alert('hax')</script>"
|
|
34
34
|
And I press "Filter"
|
|
35
|
-
Then I should see current filter "title_contains" equal to "alert('hax')" with label "Title contains"
|
|
35
|
+
Then I should see current filter "title_contains" equal to "<script>alert('hax')</script>" with label "Title contains"
|
|
36
36
|
|
|
37
37
|
Scenario: Filtering posts with no results
|
|
38
38
|
Given 3 posts exist
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
module ActiveAdmin
|
|
2
|
+
module OutputSafetyHelper
|
|
3
|
+
# Converts the array to a comma-separated sentence where the last element is
|
|
4
|
+
# joined by the connector word. This is the html_safe-aware version of
|
|
5
|
+
# ActiveSupport's {Array#to_sentence}[http://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
|
|
6
|
+
#
|
|
7
|
+
# Copied from Rails 5 to support Rails 4.
|
|
8
|
+
# https://github.com/rails/rails/blob/9c35bf2a6a27431c6aa283db781c19f61c5155be/actionview/lib/action_view/helpers/output_safety_helper.rb#L43
|
|
9
|
+
def to_sentence(array, options = {})
|
|
10
|
+
options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)
|
|
11
|
+
|
|
12
|
+
default_connectors = {
|
|
13
|
+
words_connector: ", ",
|
|
14
|
+
two_words_connector: " and ",
|
|
15
|
+
last_word_connector: ", and "
|
|
16
|
+
}
|
|
17
|
+
if defined?(::I18n)
|
|
18
|
+
i18n_connectors = ::I18n.translate(:'support.array', locale: options[:locale], default: {})
|
|
19
|
+
default_connectors.merge!(i18n_connectors)
|
|
20
|
+
end
|
|
21
|
+
options = default_connectors.merge!(options)
|
|
22
|
+
|
|
23
|
+
case array.length
|
|
24
|
+
when 0
|
|
25
|
+
"".html_safe
|
|
26
|
+
when 1
|
|
27
|
+
ERB::Util.html_escape(array[0])
|
|
28
|
+
when 2
|
|
29
|
+
safe_join([array[0], array[1]], options[:two_words_connector])
|
|
30
|
+
else
|
|
31
|
+
safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]], nil)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
data/lib/active_admin/version.rb
CHANGED
|
@@ -1,8 +1,11 @@
|
|
|
1
|
+
require 'active_admin/helpers/output_safety_helper'
|
|
2
|
+
|
|
1
3
|
module ActiveAdmin
|
|
2
4
|
module Views
|
|
3
5
|
|
|
4
6
|
class SidebarSection < Panel
|
|
5
7
|
builder_method :sidebar_section
|
|
8
|
+
include OutputSafetyHelper
|
|
6
9
|
|
|
7
10
|
# Takes a ActiveAdmin::SidebarSection instance
|
|
8
11
|
def build(section)
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
require 'rails_helper'
|
|
2
|
+
|
|
3
|
+
# Adapted from Rails 5 to support Rails 4.
|
|
4
|
+
# https://github.com/rails/rails/blob/9c35bf2a6a27431c6aa283db781c19f61c5155be/actionview/test/template/output_safety_helper_test.rb
|
|
5
|
+
RSpec.describe ActiveAdmin::OutputSafetyHelper, type: :view do
|
|
6
|
+
include described_class
|
|
7
|
+
|
|
8
|
+
before do
|
|
9
|
+
@string = "hello"
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
describe "to_sentence" do
|
|
13
|
+
it "escapes non-html_safe values" do
|
|
14
|
+
actual = to_sentence(%w(< > & ' "))
|
|
15
|
+
assert actual.html_safe?
|
|
16
|
+
assert_equal("<, >, &, ', and "", actual)
|
|
17
|
+
|
|
18
|
+
actual = to_sentence(%w(<script>))
|
|
19
|
+
assert actual.html_safe?
|
|
20
|
+
assert_equal("<script>", actual)
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
it "does not double escape if single value is html_safe" do
|
|
24
|
+
assert_equal("<script>", to_sentence([ERB::Util.html_escape("<script>")]))
|
|
25
|
+
assert_equal("<script>", to_sentence(["<script>".html_safe]))
|
|
26
|
+
assert_equal("&lt;script&gt;", to_sentence(["<script>"]))
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it "checks connector words for html safety" do
|
|
30
|
+
assert_equal "one & two, and three", to_sentence(["one", "two", "three"], words_connector: " & ".html_safe)
|
|
31
|
+
assert_equal "one & two", to_sentence(["one", "two"], two_words_connector: " & ".html_safe)
|
|
32
|
+
assert_equal "one, two <script>alert(1)</script> three", to_sentence(["one", "two", "three"], last_word_connector: " <script>alert(1)</script> ")
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
it "does not escape html_safe values" do
|
|
36
|
+
ptag = content_tag("p") do
|
|
37
|
+
safe_join(["<marquee>shady stuff</marquee>", tag("br")])
|
|
38
|
+
end
|
|
39
|
+
url = "https://example.com"
|
|
40
|
+
expected = %(<a href="#{url}">#{url}</a> and <p><marquee>shady stuff</marquee><br /></p>)
|
|
41
|
+
actual = to_sentence([link_to(url, url), ptag])
|
|
42
|
+
assert actual.html_safe?
|
|
43
|
+
assert_equal(expected, actual)
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
it "handles blank strings" do
|
|
47
|
+
actual = to_sentence(["", "two", "three"])
|
|
48
|
+
assert actual.html_safe?
|
|
49
|
+
assert_equal ", two, and three", actual
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
it "handles nil values" do
|
|
53
|
+
actual = to_sentence([nil, "two", "three"])
|
|
54
|
+
assert actual.html_safe?
|
|
55
|
+
assert_equal ", two, and three", actual
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
it "still supports ActiveSupports Array#to_sentence arguments" do
|
|
59
|
+
assert_equal "one two, and three", to_sentence(["one", "two", "three"], words_connector: " ")
|
|
60
|
+
assert_equal "one & two, and three", to_sentence(["one", "two", "three"], words_connector: " & ".html_safe)
|
|
61
|
+
assert_equal "onetwo, and three", to_sentence(["one", "two", "three"], words_connector: nil)
|
|
62
|
+
assert_equal "one, two, and also three", to_sentence(["one", "two", "three"], last_word_connector: ", and also ")
|
|
63
|
+
assert_equal "one, twothree", to_sentence(["one", "two", "three"], last_word_connector: nil)
|
|
64
|
+
assert_equal "one, two three", to_sentence(["one", "two", "three"], last_word_connector: " ")
|
|
65
|
+
assert_equal "one, two and three", to_sentence(["one", "two", "three"], last_word_connector: " and ")
|
|
66
|
+
end
|
|
67
|
+
|
|
68
|
+
it "is not affected by $," do
|
|
69
|
+
separator_was = $,
|
|
70
|
+
$, = "|"
|
|
71
|
+
begin
|
|
72
|
+
assert_equal "one and two", to_sentence(["one", "two"])
|
|
73
|
+
assert_equal "one, two, and three", to_sentence(["one", "two", "three"])
|
|
74
|
+
ensure
|
|
75
|
+
$, = separator_was
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
end
|
|
@@ -8,20 +8,12 @@ RSpec.describe "#pretty_format" do
|
|
|
8
8
|
mock_action_view.send *args, &block
|
|
9
9
|
end
|
|
10
10
|
|
|
11
|
-
['hello', 23, 5.67, 10**30, :foo].each do |obj|
|
|
11
|
+
['hello', 23, 5.67, 10**30, :foo, Arbre::Element.new.br].each do |obj|
|
|
12
12
|
it "should call `to_s` on #{obj.class}s" do
|
|
13
13
|
expect(pretty_format(obj)).to eq obj.to_s
|
|
14
14
|
end
|
|
15
15
|
end
|
|
16
16
|
|
|
17
|
-
it "normalizes Arbre elements" do
|
|
18
|
-
expect(pretty_format(Arbre::Element.new.br)).to eq("<br>\n")
|
|
19
|
-
end
|
|
20
|
-
|
|
21
|
-
it "sanitizes Arbre elements" do
|
|
22
|
-
expect(pretty_format(Arbre::Element.new.script('alert("foo");'))).to eq("alert(&quot;foo&quot;);\n")
|
|
23
|
-
end
|
|
24
|
-
|
|
25
17
|
shared_examples_for 'a time-ish object' do |t|
|
|
26
18
|
it "formats it with the default long format" do
|
|
27
19
|
expect(pretty_format(t)).to eq "February 28, 1985 20:15"
|
|
@@ -10,7 +10,6 @@ RSpec.describe ActiveAdmin::ViewHelpers::DisplayHelper do
|
|
|
10
10
|
include ActiveAdmin::ViewHelpers::DisplayHelper
|
|
11
11
|
include MethodOrProcHelper
|
|
12
12
|
include ActionView::Helpers::UrlHelper
|
|
13
|
-
include ActionView::Helpers::SanitizeHelper
|
|
14
13
|
include ActionView::Helpers::TranslationHelper
|
|
15
14
|
include ActionView::Helpers::SanitizeHelper
|
|
16
15
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: activeadmin
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.2.
|
|
4
|
+
version: 1.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Greg Bell
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-01-10 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: arbre
|
|
@@ -494,6 +494,7 @@ files:
|
|
|
494
494
|
- lib/active_admin/helpers/collection.rb
|
|
495
495
|
- lib/active_admin/helpers/i18n.rb
|
|
496
496
|
- lib/active_admin/helpers/optional_display.rb
|
|
497
|
+
- lib/active_admin/helpers/output_safety_helper.rb
|
|
497
498
|
- lib/active_admin/helpers/routes/url_helpers.rb
|
|
498
499
|
- lib/active_admin/helpers/scope_chain.rb
|
|
499
500
|
- lib/active_admin/helpers/settings.rb
|
|
@@ -683,6 +684,7 @@ files:
|
|
|
683
684
|
- spec/unit/form_builder_spec.rb
|
|
684
685
|
- spec/unit/generators/install_spec.rb
|
|
685
686
|
- spec/unit/helpers/collection_spec.rb
|
|
687
|
+
- spec/unit/helpers/output_safety_helper_spec.rb
|
|
686
688
|
- spec/unit/helpers/scope_chain_spec.rb
|
|
687
689
|
- spec/unit/helpers/settings_spec.rb
|
|
688
690
|
- spec/unit/i18n_spec.rb
|
|
@@ -799,7 +801,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
799
801
|
version: '0'
|
|
800
802
|
requirements: []
|
|
801
803
|
rubyforge_project:
|
|
802
|
-
rubygems_version: 2.
|
|
804
|
+
rubygems_version: 2.4.8
|
|
803
805
|
signing_key:
|
|
804
806
|
specification_version: 4
|
|
805
807
|
summary: The administration framework for Ruby on Rails.
|
|
@@ -954,6 +956,7 @@ test_files:
|
|
|
954
956
|
- spec/unit/form_builder_spec.rb
|
|
955
957
|
- spec/unit/generators/install_spec.rb
|
|
956
958
|
- spec/unit/helpers/collection_spec.rb
|
|
959
|
+
- spec/unit/helpers/output_safety_helper_spec.rb
|
|
957
960
|
- spec/unit/helpers/scope_chain_spec.rb
|
|
958
961
|
- spec/unit/helpers/settings_spec.rb
|
|
959
962
|
- spec/unit/i18n_spec.rb
|