formtastic 1.0.0.beta → 1.0.0.beta2

data/README.textile

@@ -517,7 +517,11 @@ If you want to add your own input types to encapsulate your own logic or interfa
 
 @Formtastic::SemanticFormHelper.builder = MyCustomBuilder@
 
+h2. Security
 
+By default formtastic escapes html entities in both labels and hints unless a string is marked as html_safe. If you are using an older rails version which doesn't know html_safe, or you want to globally turn this feature off, you can set the following in your initializer:
+
+Formtastic::SemanticFormBuilder.escape_html_entities_in_hints_and_labels = false
 
 
 h2. Status

data/lib/formtastic.rb

@@ -19,11 +19,12 @@ module Formtastic #:nodoc:
     @@file_methods = [ :file?, :public_filename, :filename ]
     @@priority_countries = ["Australia", "Canada", "United Kingdom", "United States"]
     @@i18n_lookups_by_default = false
+    @@escape_html_entities_in_hints_and_labels = true
     @@default_commit_button_accesskey = nil 
 
     cattr_accessor :default_text_field_size, :default_text_area_height, :all_fields_required_by_default, :include_blank_for_select_by_default,
                    :required_string, :optional_string, :inline_errors, :label_str_method, :collection_label_methods,
-                   :inline_order, :file_methods, :priority_countries, :i18n_lookups_by_default, :default_commit_button_accesskey 
+                   :inline_order, :file_methods, :priority_countries, :i18n_lookups_by_default, :escape_html_entities_in_hints_and_labels, :default_commit_button_accesskey 
 
     RESERVED_COLUMNS = [:created_at, :updated_at, :created_on, :updated_on, :lock_version, :version]
 
@@ -478,7 +479,7 @@ module Formtastic #:nodoc:
       # Collects association columns (relation columns) for the current form object class.
       #
       def association_columns(*by_associations) #:nodoc:
-        if @object.present?
+        if @object.present? && @object.class.respond_to?(:reflections)
           @object.class.reflections.collect do |name, _|
             if by_associations.present?
               name if by_associations.include?(_.macro)
@@ -878,7 +879,7 @@ module Formtastic #:nodoc:
           html_options[:checked] = selected_value == value if selected_option_is_present
 
           li_content = template.content_tag(:label,
-            Formtastic::Util.html_safe("#{self.radio_button(input_name, value, html_options)} #{label}"),
+            Formtastic::Util.html_safe("#{self.radio_button(input_name, value, html_options)} #{escape_html_entities(label)}"),
             :for => input_id
           )
 
@@ -888,9 +889,9 @@ module Formtastic #:nodoc:
         
         template.content_tag(:fieldset,
           template.content_tag(:legend, 
-            template.label_tag(nil, localized_string(method, method, :label) || humanized_attribute_name(method), :for => nil), :class => :label
+            template.label_tag(nil, localized_string(method, options[:label], :label) || humanized_attribute_name(method), :for => nil), :class => :label
           ) << 
-          template.content_tag(:ol, list_item_content)
+          template.content_tag(:ol, Formtastic::Util.html_safe(list_item_content.join))
         )
       end
       alias :boolean_radio_input :radio_input
@@ -1149,7 +1150,7 @@ module Formtastic #:nodoc:
           html_options[:id] = input_id
 
           li_content = template.content_tag(:label,
-            Formtastic::Util.html_safe("#{self.check_box(input_name, html_options, value, unchecked_value)} #{label}"),
+            Formtastic::Util.html_safe("#{self.check_box(input_name, html_options, value, unchecked_value)} #{escape_html_entities(label)}"),
             :for => input_id
           )
 
@@ -1159,9 +1160,9 @@ module Formtastic #:nodoc:
 
         template.content_tag(:fieldset,
           template.content_tag(:legend, 
-            template.label_tag(nil, localized_string(method, method, :label) || humanized_attribute_name(method), :for => nil), :class => :label
+            template.label_tag(nil, localized_string(method, options[:label], :label) || humanized_attribute_name(method), :for => nil), :class => :label
           ) << 
-          template.content_tag(:ol, list_item_content)
+          template.content_tag(:ol, Formtastic::Util.html_safe(list_item_content.join))
         )
       end
 
@@ -1223,7 +1224,7 @@ module Formtastic #:nodoc:
       #
       def inline_hints_for(method, options) #:nodoc:
         options[:hint] = localized_string(method, options[:hint], :hint)
-        return if options[:hint].blank?
+        return if options[:hint].blank? or options[:hint].kind_of? Hash
         template.content_tag(:p, Formtastic::Util.html_safe(options[:hint]), :class => 'inline-hints')
       end
 
@@ -1401,7 +1402,8 @@ module Formtastic #:nodoc:
 
         # Return if we have an Array of strings, fixnums or arrays
         return collection if (collection.instance_of?(Array) || collection.instance_of?(Range)) &&
-                             [Array, Fixnum, String, Symbol].include?(collection.first.class)
+                             [Array, Fixnum, String, Symbol].include?(collection.first.class) &&
+                             !(options.include?(:label_method) || options.include?(:value_method))
 
         label, value = detect_label_and_value_method!(collection, options)
         collection.map { |o| [send_or_call(label, o), send_or_call(value, o)] }
@@ -1622,7 +1624,7 @@ module Formtastic #:nodoc:
         key = value if value.is_a?(::Symbol)
 
         if value.is_a?(::String)
-          value
+          escape_html_entities(value)
         else
           use_i18n = value.nil? ? @@i18n_lookups_by_default : (value != false)
 
@@ -1644,6 +1646,7 @@ module Formtastic #:nodoc:
 
             i18n_value = ::Formtastic::I18n.t(defaults.shift,
               options.merge(:default => defaults, :scope => type.to_s.pluralize.to_sym))
+            i18n_value = escape_html_entities(i18n_value) if i18n_value.is_a?(::String)
             i18n_value.blank? ? nil : i18n_value
           end
         end
@@ -1676,6 +1679,14 @@ module Formtastic #:nodoc:
         options
       end
 
+      def escape_html_entities(string) #:nodoc:
+        if @@escape_html_entities_in_hints_and_labels
+          # Acceppt html_safe flag as indicator to skip escaping
+          string = template.escape_once(string) unless string.respond_to?(:html_safe?) && string.html_safe? == true
+        end
+        string
+      end
+
   end
 
   # Wrappers around form_for (etc) with :builder => SemanticFormBuilder.

data/lib/formtastic/util.rb

@@ -18,8 +18,11 @@ module Formtastic
     end
 
     def rails_safe_buffer_class
-      return ActionView::SafeBuffer if defined?(ActionView::SafeBuffer)
-      ActiveSupport::SafeBuffer
+      # It's important that we check ActiveSupport first,
+      # because in Rails 2.3.6 ActionView::SafeBuffer exists
+      # but is a deprecated proxy object.
+      return ActiveSupport::SafeBuffer if defined?(ActiveSupport::SafeBuffer)
+      return ActionView::SafeBuffer
     end
 
   end

data/spec/input_spec.rb

@@ -571,6 +571,23 @@ describe 'SemanticFormBuilder#input' do
           end
         end
         
+        describe 'when localized hint (I18n) is a model with attribute hints' do
+          it "should see the provided hash as a blank entry" do
+            ::I18n.backend.store_translations :en,
+            :formtastic => {
+                :hints => {
+                  :title => { # movie title
+                    :summary => @localized_hint_text # summary of movie
+                   }
+                 }
+              }
+            semantic_form_for(@new_post) do |builder|
+              concat(builder.input(:title, :hint => true))
+            end
+            output_buffer.should_not have_tag('form li p.inline-hints', @localized_hint_text)
+          end
+        end
+        
         describe 'when localized hint (I18n) is not provided' do
           it 'should not render a hint paragraph' do
             semantic_form_for(@new_post) do |builder|

data/spec/inputs/check_boxes_input_spec.rb

@@ -104,6 +104,16 @@ describe 'check_boxes input' do
           output_buffer.should have_tag("form li fieldset ol li label input[@name='project[author_id][]']")
         end
       end
+
+      it 'should html escape the label string' do
+        output_buffer.replace ''
+        semantic_form_for(:project, :url => 'http://test.host') do |builder|
+          concat(builder.input(:author_id, :as => :check_boxes, :collection => [["<b>Item 1</b>", 1], ["<b>Item 2</b>", 2]]))
+        end
+        output_buffer.should have_tag('form li fieldset ol li label') do |label|
+          label.body.should match /&lt;b&gt;Item [12]&lt;\/b&gt;$/
+        end
+      end
     end
 
     describe 'when :selected is set' do
@@ -236,6 +246,7 @@ describe 'check_boxes input' do
 
       before do
         ::I18n.backend.store_translations :en, :formtastic => { :labels => { :post => { :authors => "Translated!" }}}
+        Formtastic::SemanticFormBuilder.i18n_lookups_by_default = true
 
         @new_post.stub!(:author_ids).and_return(nil)
         semantic_form_for(@new_post) do |builder|
@@ -245,6 +256,7 @@ describe 'check_boxes input' do
 
       after do
         ::I18n.backend.reload!
+        Formtastic::SemanticFormBuilder.i18n_lookups_by_default = false
       end
 
       it "should do foo" do
@@ -252,8 +264,19 @@ describe 'check_boxes input' do
       end
 
     end
-    
-  end
 
+    describe "when :label option is set" do
+      before do
+        @new_post.stub!(:author_ids).and_return(nil)
+        semantic_form_for(@new_post) do |builder|
+          concat(builder.input(:authors, :as => :check_boxes, :label => 'The authors'))
+        end
+      end
+
+      it "should output the correct label title" do
+        output_buffer.should have_tag("legend.label label", /The authors/)
+      end
+    end
+  end
 end
 

data/spec/inputs/radio_input_spec.rb

@@ -111,6 +111,16 @@ describe 'radio input' do
         end
       end
 
+      it 'should html escape the label string' do
+        output_buffer.replace ''
+        semantic_form_for(:project, :url => 'http://test.host') do |builder|
+          concat(builder.input(:author_id, :as => :radio, :collection => [["<b>Item 1</b>", 1], ["<b>Item 2</b>", 2]]))
+        end
+        output_buffer.should have_tag('form li fieldset ol li label') do |label|
+          label.body.should match /&lt;b&gt;Item [12]&lt;\/b&gt;$/
+        end
+      end
+
       it 'should generate inputs for each item' do
         ::Author.find(:all).each do |author|
           output_buffer.should have_tag("form li fieldset ol li label input#project_author_id_#{author.id}")
@@ -167,6 +177,7 @@ describe 'radio input' do
     before do
       ::I18n.backend.store_translations :en, :formtastic => { :labels => { :post => { :authors => "Translated!" }}}
 
+      Formtastic::SemanticFormBuilder.i18n_lookups_by_default = true
       @new_post.stub!(:author_ids).and_return(nil)
       semantic_form_for(@new_post) do |builder|
         concat(builder.input(:authors, :as => :radio))
@@ -175,6 +186,7 @@ describe 'radio input' do
     
     after do
       ::I18n.backend.reload!
+      Formtastic::SemanticFormBuilder.i18n_lookups_by_default = false
     end
     
     it "should do foo" do
@@ -183,4 +195,16 @@ describe 'radio input' do
     
   end
 
+  describe "when :label option is set" do
+    before do
+      @new_post.stub!(:author_ids).and_return(nil)
+      @form = semantic_form_for(@new_post) do |builder|
+        concat(builder.input(:authors, :as => :radio, :label => 'The authors'))
+      end
+    end
+
+    it "should output the correct label title" do
+      output_buffer.should have_tag("legend.label label", /The authors/)
+    end
+  end
 end

data/spec/label_spec.rb

@@ -30,6 +30,24 @@ describe 'SemanticFormBuilder#label' do
     end
   end
 
+  describe 'when a collection is given' do
+    it 'should use a supplied label_method for simple collections' do
+      semantic_form_for(:project, :url => 'http://test.host') do |builder|
+        concat(builder.input(:author_id, :as => :check_boxes, :collection => [:a, :b, :c], :value_method => :to_s, :label_method => proc {|f| ('Label_%s' % [f])}))
+      end
+      output_buffer.should have_tag('form li fieldset ol li label', :with => /Label_[abc]/, :count => 3)
+    end
+
+    it 'should use a supplied value_method for simple collections' do
+      semantic_form_for(:project, :url => 'http://test.host') do |builder|
+        concat(builder.input(:author_id, :as => :check_boxes, :collection => [:a, :b, :c], :value_method => proc {|f| ('Value_%s' % [f.to_s])}))
+      end
+      output_buffer.should have_tag('form li fieldset ol li label input[value="Value_a"]')
+      output_buffer.should have_tag('form li fieldset ol li label input[value="Value_b"]')
+      output_buffer.should have_tag('form li fieldset ol li label input[value="Value_c"]')
+    end
+  end
+
   describe 'when label is given' do
     it 'should allow the text to be given as label option' do
       semantic_form_for(@new_post) do |builder|
@@ -42,6 +60,27 @@ describe 'SemanticFormBuilder#label' do
         builder.label(:login, :label => false).should be_blank
       end
     end
+
+    it 'should html escape the label string by default' do
+      semantic_form_for(@new_post) do |builder|
+        builder.label(:login, :required => false, :label => '<b>My label</b>').should == "<label for=\"post_login\">&lt;b&gt;My label&lt;/b&gt;</label>"
+      end
+    end
+
+    it 'should not html escape the label if configured that way' do
+      ::Formtastic::SemanticFormBuilder.escape_html_entities_in_hints_and_labels = false
+      semantic_form_for(@new_post) do |builder|
+        builder.label(:login, :required => false, :label => '<b>My label</b>').should == "<label for=\"post_login\"><b>My label</b></label>"
+      end
+    end
+
+    it 'should not html escape the label string for html_safe strings' do
+      ::Formtastic::SemanticFormBuilder.escape_html_entities_in_hints_and_labels = true
+      semantic_form_for(@new_post) do |builder|
+        builder.label(:login, :required => false, :label => '<b>My label</b>'.html_safe).should == "<label for=\"post_login\"><b>My label</b></label>"
+      end
+    end
+
   end
   
 end

data/spec/spec_helper.rb

@@ -1,6 +1,8 @@
 # coding: utf-8
 require 'rubygems'
 
+gem 'i18n', '< 0.4'
+
 gem 'activesupport', '2.3.8'
 gem 'actionpack', '2.3.8'
 require 'active_support'
@@ -8,6 +10,8 @@ require 'action_pack'
 require 'action_view'
 require 'action_controller'
 
+
+
 gem 'rspec', '>= 1.2.6'
 gem 'rspec-rails', '>= 1.2.6'
 gem 'hpricot', '>= 0.6.1'

metadata

@@ -6,8 +6,8 @@ version: !ruby/object:Gem::Version
   - 1
   - 0
   - 0
-  - beta
-  version: 1.0.0.beta
+  - beta2
+  version: 1.0.0.beta2
 platform: ruby
 authors: 
 - Justin French
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-06-07 00:00:00 +10:00
+date: 2010-07-21 00:00:00 +10:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency