fat_free_crm 0.13.3 → 0.13.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 089cba96c9cf2b8ab9d2a17626ae94aea174ff9e
-  data.tar.gz: 9a9df66587b314e1a1528cdb1caa3194b322daf5
+  metadata.gz: f1f47a58276803b794edae1b70657bb629208c40
+  data.tar.gz: 18d5955737c8fde5c65eba581eb2ce35c91ba284
 SHA512:
-  metadata.gz: d4bb5866abc952faf4918634fe2f4a032d489033edc196c13fb6f067089bbca21e4bd6176c6537a019716fad76c374a869912230d4f9a9f980ac3e5ccf891930
-  data.tar.gz: b792646fb77c2d41d3bc990584b94b54a784f9ba753bfe174101c95710e8887b21cf37b8b527e2b3589717f3ca37bdd8569b3a783198c4a7507ca15017824937
+  metadata.gz: 1f56e47132c12f361e4c8ea6bc2443e77ba52992cca4b7e21c8a4fd28044b0a5a111903bce7254596f9227929ee9e05bc155a4a6e7ab852b825c81ddb08f841d
+  data.tar.gz: a192fe3b3898da36d3dcc624909c835b276208c4afd7533940027fdd84d5a30bf3117583334884b01052a3fe0f0ca9926b2f700a25ea31c549b0f546b2b6a524

data/Gemfile.lock

@@ -199,6 +199,8 @@ GEM
     rails_12factor (0.0.2)
       rails_serve_static_assets
       rails_stdout_logging
+    rails_autolink (1.1.6)
+      rails (> 3.1)
     rails_serve_static_assets (0.0.2)
     rails_stdout_logging (0.0.3)
     railties (3.2.19)
@@ -251,7 +253,7 @@ GEM
       rspec-expectations (~> 2.99.0)
       rspec-mocks (~> 2.99.0)
     rubyzip (1.1.6)
-    sass (3.4.0)
+    sass (3.4.1)
     sass-rails (3.2.6)
       railties (~> 3.2.0)
       sass (>= 3.1.10)
@@ -356,6 +358,7 @@ DEPENDENCIES
   rails (~> 3.2.12)
   rails3-jquery-autocomplete
   rails_12factor
+  rails_autolink
   ransack (= 1.1.0)
   ransack_ui (>= 1.1.0)
   rb-fchange

data/app/helpers/accounts_helper.rb

@@ -46,16 +46,16 @@ module AccountsHelper
 
       content_tag(:span, :id => 'account_create_title') do
         "(#{t :create_new} #{t :or} <a href='#' onclick='crm.select_account(); return false;'>#{t :select_existing}</a>):".html_safe
-      end.html_safe +
+      end +
 
       content_tag(:span, :id => 'account_select_title') do
         "(<a href='#' onclick='crm.create_account(); return false;'>#{t :create_new}</a> #{t :or} #{t :select_existing}):".html_safe
-      end.html_safe +
+      end +
 
-      content_tag(:span, ':', :id => 'account_disabled_title').html_safe
-    end.html_safe +
+      content_tag(:span, ':', :id => 'account_disabled_title')
+    end +
 
-    account_select(options).html_safe +
+    account_select(options) +
     form.text_field(:name, :style => 'width:324px; display:none;')
   end
 
@@ -72,7 +72,7 @@ module AccountsHelper
   def account_with_title_and_department(contact)
     text = if !contact.title.blank? && contact.account
         # works_at: "{{h(job_title)}} at {{h(company)}}"
-        content_tag :div, t(:works_at, :job_title => h(contact.title), :company => account_with_url_for(contact)).html_safe
+        content_tag :div, t(:works_at, :job_title => h(contact.title), :company => h(account_with_url_for(contact))).html_safe
       elsif !contact.title.blank?
         content_tag :div, h(contact.title)
       elsif contact.account

data/app/helpers/admin/field_groups_helper.rb

@@ -5,9 +5,11 @@
 #------------------------------------------------------------------------------
 module Admin::FieldGroupsHelper
 
+  include ::ERB::Util
+
   def field_group_subtitle(field_group)
     asset = field_group.klass_name.downcase
-    html = t(field_group.name, :default => field_group.label)
+    html = t(field_group.name, :default => h(field_group.label)).html_safe
     html << content_tag(:small, :id => "#{asset}_field_group_#{field_group.id}_intro") do
       if field_group.tag_id
         t(:field_group_tag_restriction, :assets => asset.pluralize, :tag => field_group.tag.try(:name))
@@ -15,7 +17,7 @@ module Admin::FieldGroupsHelper
         t(:field_group_unrestricted, :assets => asset.pluralize)
       end
     end
-    html.html_safe
+    html
   end
 
   def link_to_confirm(field_group)

data/app/helpers/application_helper.rb

@@ -37,7 +37,7 @@ module ApplicationHelper
   #----------------------------------------------------------------------------
   def subtitle(id, hidden = true, text = id.to_s.split("_").last.capitalize)
     content_tag("div",
-      link_to("<small>#{ hidden ? "&#9658;" : "&#9660;" }</small> #{text}".html_safe,
+      link_to("<small>#{ hidden ? "&#9658;" : "&#9660;" }</small> #{sanitize text}".html_safe,
         url_for(:controller => :home, :action => :toggle, :id => id),
         :remote => true,
         :onclick => "crm.flip_subtitle(this)"
@@ -109,7 +109,7 @@ module ApplicationHelper
     link_to(t(:edit),
       options[:url] || polymorphic_url(record, :action => :edit),
       :remote  => true,
-      :onclick => "this.href = this.href.split('?')[0] + '?previous='+crm.find_form('edit_#{name}');".html_safe
+      :onclick => "this.href = this.href.split('?')[0] + '?previous='+crm.find_form('edit_#{h name}');".html_safe
     )
   end
 
@@ -211,7 +211,7 @@ module ApplicationHelper
 
   #----------------------------------------------------------------------------
   def confirm_delete(model, params = {})
-    question = %(<span class="warn">#{t(:confirm_delete, model.class.to_s.downcase)}</span>).html_safe
+    question = %(<span class="warn">#{t(:confirm_delete, model.class.to_s.downcase)}</span>)
     yes = link_to(t(:yes_button), params[:url] || model, :method => :delete)
     no = link_to_function(t(:no_button), "$('#menu').html($('#confirm').html());")
     text = "$('#confirm').html( $('#menu').html() );\n"
@@ -250,7 +250,7 @@ module ApplicationHelper
         else
           url = "http://" << url unless url.match(/^https?:\/\//)
         end
-        link_to(image_tag("#{site}.gif", :size => "15x15"), url, :"data-popup" => true, :title => t(:open_in_window, url))
+        link_to(image_tag("#{site}.gif", :size => "15x15"), h(url), :"data-popup" => true, :title => t(:open_in_window, h(url)))
       end
     end.compact.join("\n").html_safe
   end
@@ -392,11 +392,11 @@ module ApplicationHelper
     onclick = %Q{
       var query = $('#query').val(),
           values = [];
-      $('input[name=&quot;#{name}[]&quot;]').filter(':checked').each(function () {
+      $('input[name=&quot;#{h name}[]&quot;]').filter(':checked').each(function () {
         values.push(this.value);
       });
       $('#loading').show();
-      $.post('#{url}', {#{name}: values.join(','), query: query}, function () {
+      $.post('#{url}', {#{h name}: values.join(','), query: query}, function () {
         $('#loading').hide();
       });
     }.html_safe
@@ -413,8 +413,8 @@ module ApplicationHelper
       else
         fmt_value.gsub(/((http|ftp|https):\/\/[\w\-_]+(\.[\w\-_]+)+([\w\-\.,@?^=%&amp;:\/\+#]*[\w\-\@?^=%&amp;\/\+#])?)/, "<a href=\"\\1\">\\1</a>")
       end
-    %Q^<th#{last ? " class=\"last\"" : ""}>#{title}:</th>
-  <td#{last ? " class=\"last\"" : ""}>#{fmt_value}</td>^.html_safe
+    last_class = (last ? 'last' : nil)
+    content_tag(:th, title, class: last_class) + content_tag(:td, fmt_value, class: last_class)
   end
 
   #----------------------------------------------------------------------------
@@ -422,7 +422,7 @@ module ApplicationHelper
   def section_title(id, hidden = true, text = nil, info_text = nil)
     text = id.to_s.split("_").last.capitalize if text == nil
     content_tag("div", :class => "subtitle show_attributes") do
-      content = link_to("<small>#{ hidden ? "&#9658;" : "&#9660;" }</small> #{text}".html_safe,
+      content = link_to("<small>#{ hidden ? "&#9658;" : "&#9660;" }</small> #{sanitize text}".html_safe,
         url_for(:controller => :home, :action => :toggle, :id => id),
         :remote  => true,
         :onclick => "crm.flip_subtitle(this)"
@@ -455,21 +455,23 @@ module ApplicationHelper
     action = (params['action'] == 'show') ? 'show' : 'index' # create update redraw filter index actions all use index view
     views = FatFreeCRM::ViewFactory.views_for(:controller => controller, :action => action)
     return nil unless views.size > 1
+    lis = ''.html_safe
     content_tag :ul, :class => 'format-buttons' do
       views.collect do |view|
         classes = if (current_view_name == view.name) or (current_view_name == nil and view.template == nil) # nil indicates default template.
-            "#{view.name}-button active"
+            "#{h view.name}-button active"
           else
-            "#{view.name}-button"
+            "#{h view.name}-button"
           end
-        content_tag(:li) do
+        lis << content_tag(:li) do
           url = (action == "index") ? send("redraw_#{controller}_path") : send("#{controller.singularize}_path")
-          link_to('#', :title => t(view.name, :default => view.title), :"data-view" => view.name, :"data-url" => url, :"data-context" => action, :class => classes) do
+          link_to('#', :title => t(view.name, :default => h(view.title)), :"data-view" => h(view.name), :"data-url" => h(url), :"data-context" => action, :class => classes) do
             icon = view.icon || 'fa-bars'
-            content_tag(:i, nil, class: "fa #{icon}")
+            content_tag(:i, nil, class: "fa #{h icon}")
           end
         end
-      end.join('').html_safe
+      end
+      lis
     end
   end
 
@@ -478,7 +480,7 @@ module ApplicationHelper
   # <span class="timeago" datetime="2008-07-17T09:24:17Z">July 17, 2008</span>
   def timeago(time, options = {})
     options[:class] ||= "timeago"
-    content_tag(:span, time.to_s, options.merge( title: time.getutc.iso8601)) if time
+    content_tag(:span, h(time.to_s), options.merge( title: time.getutc.iso8601)) if time
   end
 
   #----------------------------------------------------------------------------

data/app/helpers/comments_helper.rb

@@ -5,12 +5,6 @@
 #------------------------------------------------------------------------------
 module CommentsHelper
 
-  # Generates a list of links for the subscribed users
-  def subscribed_user_links(users)
-    links = users.map {|user| link_to(user.full_name, user_path(user)) }
-    links.join(", ").html_safe
-  end
-
   def notification_emails_configured?
     config = Setting.email_comment_replies || {}
     config[:server].present? && config[:user].present? && config[:password].present?

data/app/helpers/home_helper.rb

@@ -27,7 +27,7 @@ module HomeHelper
   #----------------------------------------------------------------------------
   def sort_by_users
     users = [[ "all_users", t(:option_all_users) ]] + @all_users.map do |user|
-      escaped = escape_javascript(user.full_name)
+      escaped = sanitize(user.full_name)
       [ escaped, escaped ]
     end
 

data/app/helpers/tags_helper.rb

@@ -25,7 +25,7 @@ module TagsHelper
       model.tags.each do |tag|
         concat(content_tag(:li, tag.name))
       end
-    end.html_safe
+    end
   end
 
 end

data/app/helpers/tasks_helper.rb

@@ -86,7 +86,7 @@ module TasksHelper
 
   #----------------------------------------------------------------------------
   def hide_task_and_possibly_bucket(task, bucket)
-    text = "$('##{dom_id(task)}').remove();\n"
+    text = "$('##{h dom_id(task)}').remove();\n"
     text << "$('#list_#{h bucket.to_s}').fadeOut({ duration:500 });\n" if Task.bucket_empty?(bucket, current_user, @view)
     text.html_safe
   end
@@ -100,16 +100,16 @@ module TasksHelper
 
   #----------------------------------------------------------------------------
   def insert_content(task, bucket, view)
-    text = "$('#list_#{bucket}').show();\n".html_safe
+    text = "$('#list_#{bucket}').show();\n"
     html = render(:partial => view, :collection => [ task ], :locals => { :bucket => bucket })
-    text << "$('##{h bucket.to_s}').prepend('#{ j html }');\n".html_safe
-    text << "$('##{dom_id(task)}').effect('highlight', { duration:1500 });\n".html_safe
-    text
+    text << "$('##{h bucket.to_s}').prepend('#{ j html }');\n"
+    text << "$('##{dom_id(task)}').effect('highlight', { duration:1500 });\n"
+    text.html_safe
   end
 
   #----------------------------------------------------------------------------
   def tasks_flash(message)
-    text = "$('#flash').html('#{ message }');\n"
+    text = "$('#flash').html('#{ sanitize(message) }');\n"
     text << "crm.flash('notice', true)\n"
     text.html_safe
   end

data/app/mailers/subscription_mailer.rb

@@ -3,6 +3,7 @@
 # Fat Free CRM is freely distributable under the terms of MIT license.
 # See MIT-LICENSE file or http://www.opensource.org/licenses/mit-license.php
 #------------------------------------------------------------------------------
+
 class SubscriptionMailer < ActionMailer::Base
 
   def comment_notification(user, comment)

data/app/models/polymorphic/email.rb

@@ -41,9 +41,9 @@ class Email < ActiveRecord::Base
 
   def body_with_textile
     if defined?(RedCloth)
-      RedCloth.new(body_without_textile).to_html.html_safe
+      RedCloth.new(body_without_textile).to_html
     else
-      body_without_textile.to_s.gsub("\n", "<br/>").html_safe
+      body_without_textile.to_s.gsub("\n", "<br/>")
     end
   end
   alias_method_chain :body, :textile

data/app/models/polymorphic/task.rb

@@ -63,7 +63,7 @@ class Task < ActiveRecord::Base
     where('user_id = ? OR assigned_to = ?', user.id, user.id)
   }
 
-  # Show opportunities which either belong to the user and are unassigned, or are assigned to the user
+  # Show tasks which either belong to the user and are unassigned, or are assigned to the user
   scope :visible_on_dashboard, ->(user) {
     where('(user_id = :user_id AND assigned_to IS NULL) OR assigned_to = :user_id', :user_id => user.id).where('completed_at IS NULL')
   }

data/app/views/accounts/_edit.html.haml

@@ -10,7 +10,7 @@
     = render "accounts/contact_info", :f => f, :edit => true
     = render "fields/groups",         :f => f, :edit => true
     = render "entities/permissions",  :f => f, :edit => true, :entity => @account
-    = hook(:entity_form, self, {f: f, entity: @account}) {}
+    = hook(:entity_form, self, {f: f, entity: @account})
 
     .buttonbar
       - if Setting.compound_address

data/app/views/accounts/_index_brief.html.haml

@@ -6,7 +6,7 @@
     .strip{:style => "color: gray;"} #{t :other}
 
   %ul.tools
-    = hook(:account_tools_before, self, :account => account) {}
+    = hook(:account_tools_before, self, :account => account)
 
     - if can?(:update, account)
       %li= link_to_edit(account)
@@ -29,4 +29,4 @@
       = t('pluralize.contact', account.contacts.count) << " | "
       = t('pluralize.opportunity', account.opportunities.count)
 
-    = hook(:account_bottom, self, :account => account) {}
+    = hook(:account_bottom, self, :account => account)

data/app/views/accounts/_index_long.html.haml

@@ -6,7 +6,7 @@
     .strip{:style => "color: gray;"} #{t :other}
 
   %ul.tools
-    = hook(:account_tools_before, self, :account => account) {}
+    = hook(:account_tools_before, self, :account => account)
 
     - if can?(:update, account)
       %li= link_to_edit(account)
@@ -39,4 +39,4 @@
       %dt
         .tags= tags_for_index(account)
 
-    = hook(:account_bottom, self, :account => account) {}
+    = hook(:account_bottom, self, :account => account)

data/app/views/accounts/_new.html.haml

@@ -10,7 +10,7 @@
   = render "accounts/contact_info", :f => f
   = render "fields/groups",  :f => f
   = render "entities/permissions",  :f => f, :entity => @account
-  = hook(:entity_form, self, {f: f, entity: @account}) {}
+  = hook(:entity_form, self, {f: f, entity: @account})
 
   .buttonbar
     - if Setting.compound_address

data/app/views/accounts/_sidebar_index.html.haml

@@ -17,4 +17,4 @@
     %div{:style => "float:right;"}
       %b= @account_category_total[:all]
     %b #{t :total_accounts}
-  = hook(:index_account_sidebar_bottom, self) {}
+  = hook(:index_account_sidebar_bottom, self)

data/app/views/accounts/_sidebar_show.html.haml

@@ -46,7 +46,7 @@
 
   - unless @account.background_info.blank?
     .caption #{t :background_info}
-    = auto_link(simple_format @account.background_info).html_safe
+    = auto_link(simple_format @account.background_info)
 
   = render "fields/sidebar_show", :asset => @account
 
@@ -54,4 +54,4 @@
     %dt
       .tags= tags_for_index(@account)
 
-  = hook(:show_account_sidebar_bottom, self, :account => @account) {}
+  = hook(:show_account_sidebar_bottom, self, :account => @account)

data/app/views/accounts/_top_section.html.haml

@@ -26,4 +26,4 @@
 
       = render :partial => "/shared/tags", :locals => {:f => f, :span => 3}
 
-      = hook(:account_top_section_bottom, self, :f => f) {}
+      = hook(:account_top_section_bottom, self, :f => f)

data/app/views/accounts/update.js.haml

@@ -16,4 +16,4 @@
   $('##{id}').effect("shake", { duration:250, distance: 6 });
   $('##{dom_id(@entity, :edit)} input[type!=hidden]').first().focus();
 
-= hook(:entity_update, self, {entity: @entity}) {}
+= hook(:entity_update, self, {entity: @entity})

data/app/views/admin/fields/index.html.haml

@@ -4,7 +4,7 @@
 .title
   %span#create_field_title= t(:admin_tab_fields)
 
-.info= t(:admin_fields_info).html_safe
+.info= t(:admin_fields_info)
 
 .info2= t(:admin_fields_info2)
 

data/app/views/admin/groups/_group.html.haml

@@ -6,10 +6,11 @@
     - confirm = (count.zero? ? nil : "#{t(:confirm_group_delete, count)}")
     %li= link_to_delete [:admin, group], :confirm => confirm
 
-  %span 
+  %span
     =link_to(group.name, {:action => :edit, :id => group.id}, {:remote  => true,
           :onclick => "this.href = this.href.split('?')[0] + '?previous='+crm.find_form('edit_group');"})
   %tt
     - if (users = group.users).present?
       == #{t('group_members')}:
-      = users.map{|user| link_to(h(user.full_name), user)}.join(', ').html_safe
+      - users.map do |user|
+        = link_to( h(user.full_name), user )

data/app/views/admin/users/_user.html.haml

@@ -20,17 +20,18 @@
       - elsif user != current_user
         = link_to_suspend(user) << " | "
       - else
-        = "<font color='silver'>#{t :suspend}!</font> | ".html_safe
+        %span.grayed #{t :suspend}!
+        = " | "
 
       - if user != current_user
         = link_to_confirm(user)
       - else
         %span.grayed #{t :delete}?
 
-    %span.black #{link_to(h(user.full_name), user)} (#{user.username})
+    %span.black #{link_to( user.full_name, user)} (#{user.username})
     %tt
-      = "- #{h(user.title)}" unless user.title.blank?
-      = " " + t(:at) + " " + h(user.company) unless user.company.blank?
+      = "- #{user.title}" unless user.title.blank?
+      = " " + t(:at) + " " + user.company unless user.company.blank?
 
       %span.black= "|"
       - if user.last_request_at && user.login_count > 0
@@ -45,8 +46,12 @@
         %span.warn #{t :user_never_logged_in}
     %dt{ :style => "padding: 2px 0px 0px 0px" }
       = link_to_email(user.email.to_s) << " | "
-      = "#{t :phone_small}: <b>".html_safe + user.phone << "</b> | ".html_safe if user.phone?
-      = "#{t :mobile_small}: <b>".html_safe + user.mobile << "</b> | ".html_safe if user.mobile?
+      - if user.phone?
+        = t(:phone_small) << ":"
+        = content_tag(:b, user.phone) << " | "
+      - if user.mobile?
+        = t(:mobile_small) << ":"
+        = content_tag(:b, user.mobile) << " | "
 
       - if !user.suspended?
         %span #{t(:user_since, l(user.created_at.to_date, :format => :mmddyy))}

data/app/views/campaigns/_edit.html.haml

@@ -10,7 +10,7 @@
     = render "campaigns/objectives",  :f => f, :edit => true
     = render "fields/groups",         :f => f, :edit => true
     = render "entities/permissions",  :f => f, :edit => true, :entity => @campaign
-    = hook(:entity_form, self, {f: f, entity: @campaign}) {}
+    = hook(:entity_form, self, {f: f, entity: @campaign})
 
     .buttonbar
       = f.submit t(:save_campaign)