autoforme 1.9.0 → 1.9.1

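--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 1754f8c1e90ba00be770867d9f31f44174795d39bdba0ea4b4f042cdff18412f
- data.tar.gz: '09cd6e1316462bdceaa7e352b846430fdc319bfcfaac0aba488ffa0b2043113c'
+ metadata.gz: 7d0bdcb16302f8c39805290a5f31dc4e6317aacb91eea042662d949fe5688c6f
+ data.tar.gz: 3e9d217d00951f5bb008d6278ec2642fb6a2f1cc2a6511d8a76cfb3f71c1a46d
  SHA512:
- metadata.gz: 33b535cf2f5a8b1b40300077323b68665091fce86cadc577955986baacc1bfc65b2ee74fecb3688ee453424a29e38c60876358e5b68daa11b05539f031c2620e
- data.tar.gz: dd05af8198487de125df170d72c3bc37c4497ebfa6d59c71d9a55285372b49fda99516640f8a4e49f06f44396ec1b731bb039350d73a9f1a7ebc320e8a10ada2
+ metadata.gz: 3f8701563f00846a37ad405852ef015c4c24c8634e7a5ecf2e28844fca78dee54c3b46cda1d3e7747eb40b8f5e3ed93df1c703c9c3d933cb0e7f4a8d485f592f
+ data.tar.gz: e54401c38c27521d6d55ac706bdd0d1867c4adf15771b38f6ce4ce364b20ff6b01715a9b37195e5e1df571de866ae91f005b085e3b4de93d492f2351b758a79b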
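--- a/data/CHANGELOG
+++ b/data/CHANGELOG
@@ -1,3 +1,7 @@
+ === 1.9.1 (2019-07-22)
+
+ * [SECURITY] Escape object display name when displaying association links (adam12)
+
  === 1.9.0 (2018-07-18)
 
  * Add support for using flash string keys in the Roda support, to work with Roda's sessions plugin (jeremyevans)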
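--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -626,13 +626,13 @@ module AutoForme
  # page.
  def association_link(mc, assoc_obj)
  if mc
- t = mc.object_display_name(:association, request, assoc_obj)
+ t = h(mc.object_display_name(:association, request, assoc_obj))
  if mc.supported_action?(type, request)
  t = "<a href=\"#{base_url_for("#{mc.link}/#{type}/#{mc.primary_key_value(assoc_obj)}")}\">#{t}</a>"
  end
  t
  else
- model.default_object_display_name(assoc_obj)
+ h(model.default_object_display_name(assoc_obj))
  end
  end
 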
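Review bot: The `href` attribute on the `t = "<a href=\"..."` line is still built by interpolating `mc.link`, `type` and `mc.primary_key_value(assoc_obj)` without passing the result through `h`, so the escaping added in this hunk covers only the link text; if a registered model can have a string primary key whose value originates from users, the attribute needs the same treatment, e.g. `t = "<a href=\"#{h(base_url_for("#{mc.link}/#{type}/#{mc.primary_key_value(assoc_obj)}"))}\">#{t}</a>"`. Whether `base_url_for` or `primary_key_value` already escape their output is not visible here, so confirm against those helpers before changing it. Since the method's return value is now HTML-escaped in both branches, the comment above `def association_link` (cut off at the top of the hunk) should say so, e.g. `# Returns an HTML-escaped display name (wrapped in a link when the action is supported); callers must insert it into the page without escaping it again.`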
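--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -10,7 +10,7 @@ module AutoForme
 
  # The patch version of AutoForme, updated only for bug fixes from the last
  # feature release.
- TINY = 0
+ TINY = 1
 
  # Version constant, use <tt>AutoForme.version</tt> instead.
  VERSION = "#{MAJOR}.#{MINOR}.#{TINY}".freeze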
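--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -51,6 +51,50 @@ describe AutoForme do
  page.all('td').map{|s| s.text}.must_equal ["Album1b", "Artist2", "Show", "Edit", "Delete"]
  end
 
+ it "should escape display names in association links" do
+ app_setup do
+ model Artist
+ model Album do
+ columns [:name, :artist]
+ end
+ association_links :all
+ end
+
+ visit("/Artist/new")
+ fill_in 'Name', :with=>'Art&"ist2'
+ click_button 'Create'
+
+ visit("/Album/new")
+ fill_in 'Name', :with=>'Album1'
+ select 'Art&"ist2'
+ click_button 'Create'
+
+ click_link 'Edit'
+ select 'Album1'
+ click_button 'Edit'
+ page.html.must_match(%r{- <a href="/Artist/edit/\d+">Art&amp;&quot;ist2})
+ end
+
+ it "should escape display names in association links" do
+ app_setup do
+ model Album do
+ columns [:name, :artist]
+ end
+ association_links :all
+ end
+
+ Artist.create(:name=>'Art&"ist2')
+ visit("/Album/new")
+ fill_in 'Name', :with=>'Album1'
+ select 'Art&"ist2'
+ click_button 'Create'
+
+ click_link 'Edit'
+ select 'Album1'
+ click_button 'Edit'
+ page.html.must_include("- Art&amp;&quot;ist2")
+ end
+
  it "should use text boxes for associated objects on new/edit/search forms if associated model uses autocompleting" do
  app_setup do
  model Artist do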
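Review bot: The two new examples both open with `it "should escape display names in association links" do`, so a failure report cannot say which one broke, and minitest/spec only distinguishes them by the generated test number. The second example differs in not registering `model Artist`, presumably exercising the `else` branch of `association_link` where no model class is registered for the association; renaming it to state that, e.g. `it "should escape display names in association links when the associated model is not registered" do`, makes both the intent and the failure message clear. The enclosing `describe AutoForme do` block starts and ends outside the hunk.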
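--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -13,6 +13,7 @@ class AutoFormeSpec::App < Roda
  opts[:unsupported_block_result] = :raise
  opts[:unsupported_matcher] = :raise
  opts[:verbatim_string_matcher] = true
+ opts[:check_dynamic_arity] = opts[:check_arity] = :warn
 
  LAYOUT = <<HTML
  <!DOCTYPE html>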
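--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: autoforme
  version: !ruby/object:Gem::Version
- version: 1.9.0
+ version: 1.9.1
  platform: ruby
  authors:
  - Jeremy Evans
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2018-07-18 00:00:00.000000000 Z
+ date: 2019-07-22 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: forme
@@ -266,8 +266,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubyforge_project:
- rubygems_version: 2.7.6
+ rubygems_version: 3.0.3
  signing_key:
  specification_version: 4
  summary: Web Administrative Console for Roda/Sinatra/Rails and Sequel::Model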