autoforme 1.9.0 → 1.9.1

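--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 1754f8c1e90ba00be770867d9f31f44174795d39bdba0ea4b4f042cdff18412f
-data.tar.gz: '09cd6e1316462bdceaa7e352b846430fdc319bfcfaac0aba488ffa0b2043113c'
+metadata.gz: 7d0bdcb16302f8c39805290a5f31dc4e6317aacb91eea042662d949fe5688c6f
+data.tar.gz: 3e9d217d00951f5bb008d6278ec2642fb6a2f1cc2a6511d8a76cfb3f71c1a46d
 SHA512:
-metadata.gz: 33b535cf2f5a8b1b40300077323b68665091fce86cadc577955986baacc1bfc65b2ee74fecb3688ee453424a29e38c60876358e5b68daa11b05539f031c2620e
-data.tar.gz: dd05af8198487de125df170d72c3bc37c4497ebfa6d59c71d9a55285372b49fda99516640f8a4e49f06f44396ec1b731bb039350d73a9f1a7ebc320e8a10ada2
+metadata.gz: 3f8701563f00846a37ad405852ef015c4c24c8634e7a5ecf2e28844fca78dee54c3b46cda1d3e7747eb40b8f5e3ed93df1c703c9c3d933cb0e7f4a8d485f592f
+data.tar.gz: e54401c38c27521d6d55ac706bdd0d1867c4adf15771b38f6ce4ce364b20ff6b01715a9b37195e5e1df571de866ae91f005b085e3b4de93d492f2351b758a79b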
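--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,7 @@
+=== 1.9.1 (2019-07-22)
+
+* [SECURITY] Escape object display name when displaying association links (adam12)
+
 === 1.9.0 (2018-07-18)
 
 * Add support for using flash string keys in the Roda support, to work with Roda's sessions plugin (jeremyevans)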
@@ -626,13 +626,13 @@ module AutoForme
626
626
  # page.
627
627
  def association_link(mc, assoc_obj)
628
628
  if mc
629
- t = mc.object_display_name(:association, request, assoc_obj)
629
+ t = h(mc.object_display_name(:association, request, assoc_obj))
630
630
  if mc.supported_action?(type, request)
631
631
  t = "<a href=\"#{base_url_for("#{mc.link}/#{type}/#{mc.primary_key_value(assoc_obj)}")}\">#{t}</a>"
632
632
  end
633
633
  t
634
634
  else
635
- model.default_object_display_name(assoc_obj)
635
+ h(model.default_object_display_name(assoc_obj))
636
636
  end
637
637
  end
638
638
 
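Review bot: The href built on line 631 still interpolates `mc.link` and `mc.primary_key_value(assoc_obj)` without `h`, so this change escapes only the display-name half of the fragment; whether base_url_for escapes its argument is not visible here (it is defined outside the hunk), and the new spec only covers integer keys (`\d+`). If string primary keys can occur, wrapping the URL the same way, `t = "<a href=\"#{h(base_url_for("#{mc.link}/#{type}/#{mc.primary_key_value(assoc_obj)}"))}\">#{t}</a>"`, would close that gap; otherwise the assumption should be stated. Since the method now returns an already-escaped fragment, the comment above `def association_link` (cut off at the hunk start) should say so, e.g. `# Returns an HTML fragment; the display name is escaped here, so callers must not escape it again.`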
@@ -10,7 +10,7 @@ module AutoForme
10
10
 
11
11
  # The patch version of AutoForme, updated only for bug fixes from the last
12
12
  # feature release.
13
- TINY = 0
13
+ TINY = 1
14
14
 
15
15
  # Version constant, use <tt>AutoForme.version</tt> instead.
16
16
  VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze
@@ -51,6 +51,50 @@ describe AutoForme do
51
51
  page.all('td').map{|s| s.text}.must_equal ["Album1b", "Artist2", "Show", "Edit", "Delete"]
52
52
  end
53
53
 
54
+ it "should escape display names in association links" do
55
+ app_setup do
56
+ model Artist
57
+ model Album do
58
+ columns [:name, :artist]
59
+ end
60
+ association_links :all
61
+ end
62
+
63
+ visit("/Artist/new")
64
+ fill_in 'Name', :with=>'Art&"ist2'
65
+ click_button 'Create'
66
+
67
+ visit("/Album/new")
68
+ fill_in 'Name', :with=>'Album1'
69
+ select 'Art&"ist2'
70
+ click_button 'Create'
71
+
72
+ click_link 'Edit'
73
+ select 'Album1'
74
+ click_button 'Edit'
75
+ page.html.must_match(%r{- <a href="/Artist/edit/\d+">Art&amp;&quot;ist2})
76
+ end
77
+
78
+ it "should escape display names in association links" do
79
+ app_setup do
80
+ model Album do
81
+ columns [:name, :artist]
82
+ end
83
+ association_links :all
84
+ end
85
+
86
+ Artist.create(:name=>'Art&"ist2')
87
+ visit("/Album/new")
88
+ fill_in 'Name', :with=>'Album1'
89
+ select 'Art&"ist2'
90
+ click_button 'Create'
91
+
92
+ click_link 'Edit'
93
+ select 'Album1'
94
+ click_button 'Edit'
95
+ page.html.must_include("- Art&amp;&quot;ist2")
96
+ end
97
+
54
98
  it "should use text boxes for associated objects on new/edit/search forms if associated model uses autocompleting" do
55
99
  app_setup do
56
100
  model Artist do
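Review bot: The two new examples at lines 54 and 78 share the description "should escape display names in association links", which makes a failure of either one ambiguous in the test output. The second example omits `model Artist`, so it appears to exercise the unregistered-model branch (the `h(model.default_object_display_name(assoc_obj))` path); renaming it, e.g. `it "should escape display names in association links when the associated model is not registered" do`, would make that intent explicit. The enclosing `describe AutoForme do` block starts outside the hunk.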
@@ -13,6 +13,7 @@ class AutoFormeSpec::App < Roda
13
13
  opts[:unsupported_block_result] = :raise
14
14
  opts[:unsupported_matcher] = :raise
15
15
  opts[:verbatim_string_matcher] = true
16
+ opts[:check_dynamic_arity] = opts[:check_arity] = :warn
16
17
 
17
18
  LAYOUT = <<HTML
18
19
  <!DOCTYPE html>
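Review bot: `opts[:check_dynamic_arity] = opts[:check_arity] = :warn` on line 16 is the only option in this block set to `:warn` while the three lines above it use `:raise`, and nothing records why the looser level was chosen for these two. A short comment stating the reason (presumably so arity problems in the block-based DSL are surfaced without failing the suite — to be confirmed) would keep the block self-explanatory, e.g. `# arity checks only warn here; see commit message for why these are not :raise like the options above`. The enclosing `class AutoFormeSpec::App < Roda` body continues outside the hunk.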
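--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: autoforme
 version: !ruby/object:Gem::Version
-version: 1.9.0
+version: 1.9.1
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-07-18 00:00:00.000000000 Z
+date: 2019-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: forme
@@ -266,8 +266,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: Web Administrative Console for Roda/Sinatra/Rails and Sequel::Model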