filterrific 5.0.0 → 5.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b450ac700cb2087731e8d30c8c4e94bc7f90df26
-  data.tar.gz: fce6b4218644562383de7f9a9bfdf9d71fd75c5f
+  metadata.gz: 5226106f7944a5b6c08d8f568185d4e6fcf0c561
+  data.tar.gz: 2e4b24d697de15d10a5dddf6a7b444b5564950ed
 SHA512:
-  metadata.gz: 2137ab79b5a0bdd7d40d07046208ec8f5b3d73ad7f883f2ea3d5516c00c5c1fb5eb17c811b30bb6f4001549eb5168ec3b38b7038bbca925d87c969591c423b81
-  data.tar.gz: 4397b2c6d32ff3acc39fe4d3ea31f9d6799583b65c55a75bf7bf1e3f759eeb2b7ecd90d5ec853cfe9dc859085f0955b13fcbab3bebfc423a7bda8a8d278339e3
+  metadata.gz: 7829c794eb5e1a2e19a95cbb2e9651550f8c6cb5c123709a78c5fd5658c569a2c78963144f68b07cb30de9d28372ad3bfaf0087499a91f48f2e5c0597ed09d02
+  data.tar.gz: 4c7894ba6c9c1e9e5cde222bd69a088761dda82ccc01c0a1c12a1db4ed9e489b1f03b008bdc09dad8563355d95f138491cc17bd5c78174f1b9f6b46c3a4f0ec9

data/CHANGELOG.md

@@ -7,6 +7,30 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Filterrific major versions match the Ruby on Rails major versions they work with.
 
+## [5.2.2] - Jul. 11, 2021
+
+* Fixed Ruby 2.7 deprecated warning when trying to regex match an Integer.
+* Added ability to pass custom url parameter instead of default :filterrific.
+* Added basic Aria attrs to spinner for accessibility.
+* Improved concurrent ajax requests: Abort prior request when new ones are triggered.
+
+## [5.2.1] - Aug. 5, 2019
+
+* Fixed issue where uncommitted code was pushed to rubygems and broke array filters.
+
+## [5.2.0] - Jul. 21, 2019
+
+* Make Filterrific master branch compatible with Rails 5 and 6.
+* Trigger synthetic JS events before and after form submission ajax requests.
+
+## [5.1.0] - Aug. 3, 2018
+
+* Breaking change: all Filterrific params are sanitized by default to prevent XSS attacks. You can disable sanitization (you really shouldn't!) by setting the :sanitize_params option to false when calling #initialize_filterrific in the controller.
+
+## [5.0.1] - Jan. 2, 2018
+
+* Changed all instances of #deep_stringify_keys back to #stringify_keys. This was changed in 5.0.0, but it shouldn't have been changed.
+
 ## [5.0.0] - Dec. 31, 2017
 
 * We're switching to a new versioning strategy for Filterrific: Filterrific major releases (the first number in the version) will be matched with the supported major version of Rails. Minor and path versions may diverge from Rails. That means for any version of Rails 5.x you will use the most current version of Filterrific 5.x.

data/README.md

@@ -39,13 +39,13 @@ to find out more!
 
 Every commit to Filterrific is automatically tested against the following scenarios:
 
-|Filterrific version | Rails version | Ruby environments              | Database adapters                  | Build status |
-|--------------------|---------------|--------------------------------|------------------------------------|--------------|
-| 5.x                | Rails 5.x     | MRI 2.0.0, 2.1.7, 2.2.3, 2.3.1 | mysql2, postgresql                 |[![Build Status](https://travis-ci.org/jhund/filterrific_demo.svg?branch=rails-5.x)](https://travis-ci.org/jhund/filterrific_demo)|
-| 4.x                | Rails 4.x     | MRI 2.0.0, 2.1.7, 2.2.3, 2.3.1 | mysql, mysql2, postgresql, sqlite3 |[![Build Status](https://travis-ci.org/jhund/filterrific_demo.svg?branch=rails-4.x)](https://travis-ci.org/jhund/filterrific_demo)|
-| 3.x                | Rails 3.2     | MRI 2.0.0, 2.1.7               | mysql, mysql2, postgresql, sqlite3 |[![Build Status](https://travis-ci.org/jhund/filterrific_demo.svg?branch=rails-3.x)](https://travis-ci.org/jhund/filterrific_demo)|
-| 2.x                | Rails 3.2     | MRI 1.9.3                      | mysql, mysql2, postgresql, sqlite3 | [N/A]
-| 1.x                | < 3.2         | MRI <= 1.9.3                   | mysql, mysql2, postgresql, sqlite3 | [N/A]
+|Filterrific version | Rails version  | Ruby environments              | Database adapters                  | Build status |
+|--------------------|----------------|--------------------------------|------------------------------------|--------------|
+| 5.x                | Rails 5.x, 6.x | MRI 2.0.0, 2.1.7, 2.2.3, 2.3.1 | mysql2, postgresql                 |[![Build Status](https://travis-ci.org/jhund/filterrific_demo.svg?branch=rails-5.x)](https://travis-ci.org/jhund/filterrific_demo)|
+| 4.x                | Rails 4.x      | MRI 2.0.0, 2.1.7, 2.2.3, 2.3.1 | mysql, mysql2, postgresql, sqlite3 |[![Build Status](https://travis-ci.org/jhund/filterrific_demo.svg?branch=rails-4.x)](https://travis-ci.org/jhund/filterrific_demo)|
+| 3.x                | Rails 3.2      | MRI 2.0.0, 2.1.7               | mysql, mysql2, postgresql, sqlite3 | Not tested|
+| 2.x                | Rails 3.2      | MRI 1.9.3                      | mysql, mysql2, postgresql, sqlite3 | Not tested|
+| 1.x                | < 3.2          | MRI <= 1.9.3                   | mysql, mysql2, postgresql, sqlite3 | Not tested|
 
 ### Guidelines for submitting issues
 
@@ -66,7 +66,8 @@ If you think you've found a bug, or have a feature request, then create an issue
 ### Resources
 
 * [Documentation](http://filterrific.clearcove.ca)
-* [Live demo](http://filterrific-demo.herokuapp.com)
+* [Live demo](https://filterrific-demo.herokuapp.com) using classic Rails views.
+* [Live JSON API demo](https://filterrific-json-api-demo.herokuapp.com/) using React and Mobx.
 * [Changelog](https://github.com/jhund/filterrific/blob/master/CHANGELOG.md)
 * [Source code (github)](https://github.com/jhund/filterrific)
 * [Issues](https://github.com/jhund/filterrific/issues)
@@ -85,4 +86,4 @@ If you think you've found a bug, or have a feature request, then create an issue
 
 ### Copyright
 
-Copyright (c) 2010 - 2017 Jo Hund. See [(MIT) LICENSE](https://github.com/jhund/filterrific/blob/master/MIT-LICENSE) for details.
+Copyright (c) 2010 - 2019 Jo Hund. See [(MIT) LICENSE](https://github.com/jhund/filterrific/blob/master/MIT-LICENSE) for details.

data/app/assets/javascripts/filterrific/filterrific-jquery.js

@@ -21,15 +21,25 @@ if (typeof Filterrific === 'undefined') {
 Filterrific.submitFilterForm = function(){
   var form = $(this).parents("form"),
       url = form.attr("action");
+  // send before event
+  $(form).trigger('loadingFilterrificResults');
   // turn on spinner
   $('.filterrific_spinner').show();
+
+  // Abort previous ajax request
+  if (Filterrific.lastRequest && Filterrific.lastRequest.readyState != 4) {
+    Filterrific.lastRequest.abort();
+  }
+
   // Submit ajax request
-  $.ajax({
+  Filterrific.lastRequest = $.ajax({
     url: url,
     data: form.serialize(),
     type: 'GET',
     dataType: 'script'
   }).done(function( msg ) {
+    // send after event
+    $(form).trigger('loadedFilterrificResults');
     $('.filterrific_spinner').hide();
   });
 };

data/doc/development_notes/javascript_handling.md

@@ -0,0 +1,12 @@
+# Filterrific JS handling
+
+Filterrific JS and assets can be used in a number of scenarios:
+
+## Rails Sprockets (asset pipeline)
+
+## Rails with webpacker
+
+* https://www.reddit.com/r/rails/comments/d4o691/can_webpacker_pull_in_assets_from_a_rails_engine/
+
+## No JS assets, just API mode
+

data/doc/development_notes/view_api.txt

@@ -1,3 +1,7 @@
+Flexport's style guide has interesting guidelines for filter widgets:
+
+https://www.flexport.com/design/guidelines/filtering
+
 All view related aspects of filterrific are handled via the view API:
 
 <%= filterrific_form_for @filterrific do |f| %>

data/doc/meta.md

@@ -15,9 +15,10 @@ For more info see: https://github.com/svenfuchs/gem-release#usage
    * `gem bump --version major` # 0.0.1 -> 1.0.0
    * `gem bump --version minor` # 0.0.1 -> 0.1.0
    * `gem bump --version patch` # 0.0.1 -> 0.0.2
-4. Release it.
+4. Make sure there are no uncommitted changes! They will be pushed to rubygems.
+5. Release it.
    * `gem release`
-5. Create a git tag and push to origin.
+6. Create a git tag and push to origin.
    `gem tag`
 
 
@@ -37,8 +38,8 @@ a branch for each minor version of Rails that is tested and supported.
 Sequence of a release:
 
 * finish updates in filterrific
-* run specs in each filterrific_demo branch (via `rake`)
-* when all specs pass, release filterrific (see above for steps)
+* update filterrific_demo Gemfile to refer to local filterrific via path: "../filterrific"
+* start the app and exercise it (currently there are no automated tests)
+* when everything works as expected, release filterrific (see above for steps)
 * after new filterrific is released, add new release version to each branch in
-  filterrific_demo and push each branch to trigger a Travis CI build for the
-  new filterrific release.
+  filterrific_demo.

data/doc/scratchpad.md

@@ -1,13 +1,38 @@
 # Filterrific scratchpad
 
+## 2021 Initiative
+
+* Update for Rails 6
+* Implement API only version (no frontend)
+* Update scope docs to use AREL
+* Implement/document various front end scenarios:
+    * React
+    * Stimulus
+    * jQuery
+    * sprockets/webpacker
+    * Thoughts: Support the rails defaults (webpacker or sprockets?) out of the box, batteries included. Document how to do everything else.
+* Work through issues and pull requests
+
+improve the filterrific frontend handling:
+
+* Remove invocation of init, document for devs to do it manually
+  https://github.com/jhund/filterrific/issues/199
+* Replace jquery with vanilla JS
+* Provide filterrific API version
+* Make compatible with Rails 6
+    * Remove jquery dependency, make it easier to use with webpacker, document how to do init
+      https://github.com/jhund/filterrific/issues/198
+
+* Support the following js scenarios:
+    * Sprockets
+    * Webpacker
+    * API only (e.g., for React)
+
+
 ## TODO
 
-* [x] Go to deep_stringify_keys (in ActionControllerExtension#initialize_filterrific)
-* [x] Lock Gemfile to correct version of Rails
-* [x] Add Rails major version check to filterrific.rb
-* [ ] In ParamSet#condition_filterrific_params: Why are we type casting integers?
-* [ ] add check that no filter_name conflicts with existing methods on included ActiveRecord class (See https://github.com/jhund/filterrific/issues/17)
-* [x] I think this is done: fix reset url, make controller method, helper method
+* add check that no filter_name conflicts with existing methods on included ActiveRecord class (See https://github.com/jhund/filterrific/issues/17)
+* Update SW architecture and documentation according to Osterhuis Philosophy of software architecture/design book (mark advanced controller options as such to keep interface to learn simple)
 
 ## Travis
 
@@ -30,7 +55,6 @@ Ruby 1.8.7
 Ruby 1.9.3
 Ruby 2.0
 Ruby 2.1
-Ruby 2.2    No         No         No         No
 
 Each combination is also tested for postgres and mysql
 

data/lib/filterrific.rb

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 
-if Rails::VERSION::MAJOR != 5
-  raise "\n\nThis version of Filterrific only works with Rails 5.x.\nPlease see the Filterrific README for the correct version of Filterrific to use with your version of Rails!\n\n"
+if ![5,6].include?(Rails::VERSION::MAJOR)
+  raise "\n\nThis version of Filterrific only works with Rails 5 and 6.\nPlease see the Filterrific README for the correct version of Filterrific to use with your version of Rails!\n\n"
 end
 
 require 'filterrific/version'

data/lib/filterrific/action_controller_extension.rb

@@ -10,8 +10,9 @@ module Filterrific
   protected
 
     # @param model_class [Class]
-    # @param filterrific_params [Hash] typically the Rails request params under
-    #    the :filterrific key (params[:filterrific]), however can be any Hash.
+    # @param filterrific_params [ActionController::Params, Hash] typically the
+    #    Rails request params under the :filterrific key (params[:filterrific]),
+    #    however can be any Hash.
     # @param opts [Hash, optional]
     # @option opts [Array<String>, optional] :available_filters
     #   further restrict which of the filters specified in the model are
@@ -25,10 +26,13 @@ module Filterrific
     # @option opts [Hash, optional] :select_options
     #   these are available in the view to populate select lists and other
     #   dynamic values.
+    # @option opts [Boolean, optional] :sanitize_params
+    #   if true, sanitizes all filterrific params to prevent reflected (or stored) XSS attacks.
+    #   Defaults to true.
     # @return [Filterrific::ParamSet]
     def initialize_filterrific(model_class, filterrific_params, opts = {})
-      f_params = (filterrific_params || {}).deep_stringify_keys
-      opts = opts.deep_stringify_keys
+      f_params = (filterrific_params || {}).stringify_keys
+      opts = opts.stringify_keys
       pers_id = if false == opts['persistence_id']
         nil
       else
@@ -57,19 +61,50 @@ module Filterrific
     # Computes filterrific params using a number of strategies. Limits params
     # to 'available_filters' if given via opts.
     # @param model_class [ActiveRecord::Base]
-    # @param filterrific_params [Hash]
+    # @param filterrific_params [ActionController::Params, Hash]
     # @param opts [Hash]
+    # @option opts [Boolean, optional] "sanitize_params"
+    #   if true, sanitizes all filterrific params to prevent reflected (or stored) XSS attacks.
+    #   Defaults to true.
     # @param persistence_id [String, nil]
     def compute_filterrific_params(model_class, filterrific_params, opts, persistence_id)
+      opts = { "sanitize_params" => true }.merge(opts.stringify_keys)
       r = (
         filterrific_params.presence || # start with passed in params
         (persistence_id && session[persistence_id].presence) || # then try session persisted params if persistence_id is present
         opts['default_filter_params'] || # then use passed in opts
         model_class.filterrific_default_filter_params # finally use model_class defaults
-      ).deep_stringify_keys
+      ).stringify_keys
       r.slice!(*opts['available_filters'].map(&:to_s))  if opts['available_filters']
+      # Sanitize params to prevent reflected XSS attack
+      if opts["sanitize_params"]
+        r.each { |k,v| r[k] = sanitize_filterrific_param(r[k]) }
+      end
       r
     end
 
+    # Sanitizes value to prevent xss attack.
+    # Uses Rails ActionView::Helpers::SanitizeHelper.
+    # @param val [Object] the value to sanitize. Can be any kind of object. Collections
+    #   will have their members sanitized recursively.
+    def sanitize_filterrific_param(val)
+      case val
+      when Array
+        # Return Array
+        val.map { |e| sanitize_filterrific_param(e) }
+      when Hash
+        # Return Hash
+        val.inject({}) { |m, (k,v)| m[k] = sanitize_filterrific_param(v); m }
+      when NilClass
+        # Nothing to do, use val as is
+        val
+      when String
+        helpers.sanitize(val)
+      else
+        # Nothing to do, use val as is
+        val
+      end
+    end
+
   end
 end

data/lib/filterrific/action_view_extension.rb

@@ -27,7 +27,7 @@ module Filterrific
     def render_filterrific_spinner
       %(
         <span class="filterrific_spinner" style="display:none;">
-          #{ image_tag('filterrific/filterrific-spinner.gif') }
+          #{ image_tag('filterrific/filterrific-spinner.gif', alt: '', role: 'presentation') }
         </span>
       ).html_safe
     end
@@ -74,6 +74,7 @@ module Filterrific
         :label => sort_key.to_s.humanize,
         :sorting_scope_name => :sorted_by,
         :url_for_attrs => {},
+        :as => :filterrific
       }.merge(opts)
       opts.merge!(
         :html_attrs => opts[:html_attrs].with_indifferent_access,
@@ -110,7 +111,7 @@ module Filterrific
       new_filterrific_params = filterrific.to_hash
                                           .with_indifferent_access
                                           .merge(opts[:sorting_scope_name] => new_sorting)
-      url_for_attrs = opts[:url_for_attrs].merge(:filterrific => new_filterrific_params)
+      url_for_attrs = opts[:url_for_attrs].merge(opts[:as] => new_filterrific_params)
       link_to(
         safe_join([opts[:label], opts[:current_sort_direction_indicator]], ' '),
         url_for(url_for_attrs),
@@ -133,7 +134,7 @@ module Filterrific
       new_filterrific_params = filterrific.to_hash
                                           .with_indifferent_access
                                           .merge(opts[:sorting_scope_name] => new_sorting)
-      url_for_attrs = opts[:url_for_attrs].merge(:filterrific => new_filterrific_params)
+      url_for_attrs = opts[:url_for_attrs].merge(opts[:as] => new_filterrific_params)
       link_to(
         opts[:label],
         url_for(url_for_attrs),

data/lib/filterrific/active_record_extension.rb

@@ -98,7 +98,7 @@ module Filterrific
     def assign_filterrific_default_filter_params(opts)
       self.filterrific_default_filter_params = (
         opts['default_filter_params'] || {}
-      ).deep_stringify_keys
+      ).stringify_keys
     end
 
     def validate_filterrific_default_filter_params

data/lib/filterrific/param_set.rb

@@ -101,7 +101,7 @@ module Filterrific
           # type cast Hash to OpenStruct so that nested params render correctly
           # in the form
           fp[key] = OpenStruct.new(fp[key])
-        when val =~ integer_detector_regex
+        when val.is_a?(String) && val =~ integer_detector_regex
           # type cast integer
           fp[key] = fp[key].to_i
         end

data/lib/filterrific/version.rb

@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
 
 module Filterrific
-  VERSION = "5.0.0"
+  VERSION = "5.2.2"
 end

data/spec/filterrific/action_controller_extension_spec.rb

@@ -1,5 +1,6 @@
 require 'spec_helper'
 require 'filterrific/action_controller_extension'
+require 'action_view/helpers/sanitize_helper'
 
 module Filterrific
 
@@ -9,6 +10,12 @@ module Filterrific
       include ActionControllerExtension
       def action_name; 'index'; end
       def controller_name; 'test_controller'; end
+      # In a production app the #helpers method makes Rails helpers available in
+      # a controller instance. For testing our module outside of rails, we just
+      # include the required helpers in the TestController class
+      # and then delegate #helpers to self.
+      include ActionView::Helpers::SanitizeHelper
+      def helpers; self; end
       def session
         {
           'test_controller#index' => {
@@ -100,6 +107,46 @@ module Filterrific
         ).must_equal({ 'filter1' => 1 })
       end
 
+      it "sanitizes filterrific params by default" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => "1' <script>alert('xss attack!');</script>" },
+          { },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => "1' alert('xss attack!');" })
+      end
+
+      it "sanitizes filterrific Array params" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => ["1' <script>alert('xss attack!');</script>", 3] },
+          { },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => ["1' alert('xss attack!');", 3] })
+      end
+
+      it "sanitizes filterrific Hash params" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => { 1 => "1' <script>alert('xss attack!');</script>", 2 =>  3} },
+          { },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => { 1 => "1' alert('xss attack!');", 2 => 3 } })
+      end
+
+      it "skips param sanitization if told so via options" do
+        TestController.new.send(
+          :compute_filterrific_params,
+          TestModelClass,
+          { 'filter1' => "1' <script>alert('xss attack!');</script>" },
+          { :sanitize_params => false },
+          'test_controller#index'
+        ).must_equal({ 'filter1' => "1' <script>alert('xss attack!');</script>" })
+      end
+
     end
 
     describe '#reset_filterrific_url' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: filterrific
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.2.2
 platform: ruby
 authors:
 - Jo Hund
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-30 00:00:00.000000000 Z
+date: 2021-07-12 00:00:00.000000000 Z
 dependencies: []
 description: Filterrific is a Rails Engine plugin that makes it easy to filter, search,
   and sort your ActiveRecord lists.
@@ -28,6 +28,7 @@ files:
 - doc/Overview diagram.graffle/image1.tiff
 - doc/development_notes/api_design.txt
 - doc/development_notes/controller_api.txt
+- doc/development_notes/javascript_handling.md
 - doc/development_notes/model_api.rb
 - doc/development_notes/view_api.txt
 - doc/meta.md
@@ -37,11 +38,9 @@ files:
 - lib/filterrific/action_view_extension.rb
 - lib/filterrific/active_record_extension.rb
 - lib/filterrific/engine.rb
-- lib/filterrific/engine_api.rb
 - lib/filterrific/has_reset_filterrific_url_mixin.rb
 - lib/filterrific/param_set.rb
 - lib/filterrific/version.rb
-- lib/filterrific_api.rb
 - spec/filterrific/action_controller_extension_spec.rb
 - spec/filterrific/action_view_extension_spec.rb
 - spec/filterrific/active_record_extension_spec.rb
@@ -68,7 +67,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.6.14.3
 signing_key: 
 specification_version: 4
 summary: A Rails engine plugin for filtering ActiveRecord lists.

data/lib/filterrific/engine_api.rb

@@ -1,26 +0,0 @@
-# -*- coding: utf-8 -*-
-
-require 'filterrific/param_set'
-
-require 'filterrific/action_controller_extension'
-require 'filterrific/active_record_extension'
-
-module Filterrific
-  class EngineApi < ::Rails::Engine
-
-TODO: Since this is API only, I don't think we need an engine!
-    # It's an engine so that we can add javascript and image assets
-    # to the asset pipeline.
-
-    isolate_namespace Filterrific
-
-    ActiveSupport.on_load :action_controller do
-      include Filterrific::ActionControllerExtension
-    end
-
-    ActiveSupport.on_load :active_record do
-      extend Filterrific::ActiveRecordExtension
-    end
-
-  end
-end

data/lib/filterrific_api.rb

@@ -1,7 +0,0 @@
-# -*- coding: utf-8 -*-
-
-require 'filterrific/version'
-require 'filterrific/engine_api'
-
-module Filterrific
-end