RubyGems - hyrax - Versions diffs - 1.1.0 → 1.1.1 - Mend

hyrax 1.1.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +4 -4
data/README.md +2 -2
data/app/helpers/hyrax/citations_behaviors/formatters/chicago_formatter.rb +13 -4
data/app/views/_flash_msg.html.erb +1 -1
data/app/views/hyrax/batch_edits/edit.html.erb +1 -1
data/app/views/hyrax/file_sets/_extra_fields_modal.html.erb +1 -1
data/app/views/hyrax/file_sets/_show_characterization_details.html.erb +1 -1
data/app/views/hyrax/permissions/confirm_access.html.erb +1 -1
data/app/views/hyrax/stats/file.html.erb +1 -1
data/app/views/hyrax/stats/work.html.erb +1 -1
data/app/views/hyrax/users/_activity_log.html.erb +1 -1
data/hyrax.gemspec +3 -1
data/lib/hyrax/version.rb +1 -1
data/spec/controllers/hyrax/admin/strategies_controller_spec.rb +13 -2
data/spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb +10 -0
data/template.rb +1 -1
metadata +24 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f12bc4422975b30df6990632d50bbd5b39bfa033
-  data.tar.gz: 1cbc32cf3989e372d2cff38780af758606fbaec3
+  metadata.gz: 8d3112e5f08e4c0da060fde290645a29b69bab62
+  data.tar.gz: d2b16f75eacb1a606a80dce93a86f93de4f5ef0c
 SHA512:
-  metadata.gz: 74c91fe48c1b7c981ae6c81201d3cbd8732c4efacdfbfb4dcb0652f799a6317efaafcb5171f8dc26a54577cfa834623f9fb2aae01ee62d52fcc41335519a8826
-  data.tar.gz: 577a72b3cfe93ba8b47d02da6d418a2dad6066ac9c874c92070a9d4d4beabaaaac5962d1860ecd5b2d60184023a406f859715869bcd8bab0aa158c160642cd3b
+  metadata.gz: 4916d4b71847fa4e0fabd5a477f5efa6ba99484493b9ef3de440d379e967d7a09c2bbb054a24f6529561eef820713ef6059ba1571d74bc150b439df556fb6bef
+  data.tar.gz: 54f5e65e0105faf6cad75868409030eff13e52f72cffe3a4d1a0299a72eac339f9136bfe46116ec237878bf779cbea02633bc23368f312214d764e3068e47603

data/README.md CHANGED Viewed

@@ -59,7 +59,7 @@ If you have questions or need help, please email [the Samvera community tech lis
 # Getting started
 This document contains instructions specific to setting up an app with __Hyrax
-v1.1.0__. If you are looking for instructions on installing a different
+v1.1.1__. If you are looking for instructions on installing a different
 version, be sure to select the appropriate branch or tag from the drop-down
 menu above.
@@ -133,7 +133,7 @@ Rails requires that you have a JavaScript runtime -- for example, nodejs -- inst
 Generate a new Rails application using the template.
 ```
-rails new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v1.1.0/template.rb
+rails new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v1.1.1/template.rb
 ```
 Generating a new Rails application using Hyrax's template above takes cares of a number of steps for you, including:

data/app/helpers/hyrax/citations_behaviors/formatters/chicago_formatter.rb CHANGED Viewed

@@ -16,17 +16,18 @@ module Hyrax
           end
           # Get Pub Date
           pub_date = setup_pub_date(work)
-          text << " #{pub_date}." unless pub_date.nil?
+          text << " #{whitewash(pub_date)}." unless pub_date.nil?
           text << format_title(work.to_s)
           pub_info = setup_pub_info(work, false)
-          text << " #{pub_info}." if pub_info.present?
+          text << " #{whitewash(pub_info)}." if pub_info.present?
           text.html_safe
         end
         def format_authors(authors_list = [])
+          text = ''
           unless authors_list.blank?
-            text = ''
             text << surname_first(authors_list.first) if authors_list.first
             authors_list[1..6].each_with_index do |author, index|
               text << if index + 2 == authors_list.length # we've skipped the first author
@@ -37,10 +38,11 @@ module Hyrax
             end
             text << " et al." if authors_list.length > 7
           end
           # if for some reason the first author ended with a comma
           text.gsub!(',,', ',')
           text << "." unless text =~ /\.$/
-          text
+          whitewash(text)
         end
         def format_date(pub_date); end
@@ -49,8 +51,15 @@ module Hyrax
           return "" if title_info.blank?
           title_text = chicago_citation_title(title_info)
           title_text << '.' unless title_text =~ /\.$/
+          title_text = whitewash(title_text)
           " <i class=\"citation-title\">#{title_text}</i>"
         end
+        private
+          def whitewash(text)
+            Loofah.fragment(text.to_s).scrub!(:whitewash).to_s
+          end
       end
     end
   end

data/app/views/_flash_msg.html.erb CHANGED Viewed

@@ -2,7 +2,7 @@
   <% if flash[type].present? %>
     <div class="alert <%= flash_dom_class %> alert-dismissable" role="alert">
       <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
-      <%= safe_join(Array.wrap(flash[type]).map(&:html_safe), '<br/>'.html_safe) %>
+      <%= sanitize Array.wrap(flash[type]).join(tag(:br)) %>
     </div>
     <% flash.delete(type) %>
   <% end %>

data/app/views/hyrax/batch_edits/edit.html.erb CHANGED Viewed

@@ -2,7 +2,7 @@
 <div class="scrollx scrolly fileHeight"> <!-- original values -->
   <h3> <b>Changes will be applied to: (<%= @form.names.size %> works) </b></h3>
-   <%= @form.names.join(", ").html_safe %>
+   <%= sanitize @form.names.join(", ") %>
 </div> <!-- /original values -->
 <div >

data/app/views/hyrax/file_sets/_extra_fields_modal.html.erb CHANGED Viewed

@@ -11,7 +11,7 @@
         <h2 id="extraFieldsModal_<%=name %>_Label">Additional <%= label %>(s)</h2>
       </div>
       <div class="modal-body">
-        <%= values.join("<br />").html_safe %>
+        <%= sanitize values.join("<br />") %>
       </div>
       <div class="modal-footer">
         <button class="btn btn-primary" data-dismiss="modal">Close</button>

data/app/views/hyrax/file_sets/_show_characterization_details.html.erb CHANGED Viewed

@@ -1,7 +1,7 @@
 <% @presenter.characterization_metadata.keys.each do |term| %>
   <div>
     <% additional_values = @presenter.secondary_characterization_values(term) %>
-    <%= @presenter.label_for_term(term) %>: <%= @presenter.primary_characterization_values(term).join("<br />").html_safe %>
+    <%= @presenter.label_for_term(term) %>: <%= sanitize @presenter.primary_characterization_values(term).join("<br />") %>
     <% unless additional_values.empty? %>
       <%= render partial: "extra_fields_modal", locals: { name: term, values: additional_values } %>
     <% end %>

data/app/views/hyrax/permissions/confirm_access.html.erb CHANGED Viewed

@@ -3,7 +3,7 @@
     <h4>Apply changes to contents?<h4>
   </div>
   <div class="panel-body">
-      <%= I18n.t("hyrax.upload.change_access_message_html", curation_concern: curation_concern).html_safe %>
+      <%= sanitize I18n.t("hyrax.upload.change_access_message_html", curation_concern: curation_concern) %>
   </div>
   <div class="form-actions panel-footer">
     <%= button_to I18n.t("hyrax.upload.change_access_yes_message"), hyrax.copy_access_permission_path(curation_concern), class: 'btn btn-primary' %>

data/app/views/hyrax/stats/file.html.erb CHANGED Viewed

@@ -1,6 +1,6 @@
 <!-- Adapted from jquery-flot examples https://github.com/flot/flot/blob/master/examples/visitors/index.html -->
 <%= javascript_tag do %>
-  var hyrax_item_stats = <%= @stats.to_flot.to_json.html_safe %>;
+  var hyrax_item_stats = <%= raw json_escape @stats.to_flot.to_json %>;
 <% end %>
 <%= content_tag :h1, @file_set, class: "lower" %>

data/app/views/hyrax/stats/work.html.erb CHANGED Viewed

@@ -1,6 +1,6 @@
 <!-- Adapted from jquery-flot examples https://github.com/flot/flot/blob/master/examples/visitors/index.html -->
 <%= javascript_tag do %>
-  var hyrax_item_stats = <%= @stats.to_flot.to_json.html_safe %>;
+  var hyrax_item_stats = <%= raw json_escape @stats.to_flot.to_json %>;
 <% end %>
 <%= content_tag :h1, @stats, class: "lower" %>

data/app/views/hyrax/users/_activity_log.html.erb CHANGED Viewed

@@ -9,7 +9,7 @@
   <% events.each do |event| %>
     <% next if event[:action].blank? or event[:timestamp].blank? %>
     <tr>
-      <td><%= event[:action].html_safe %></td>
+      <td><%= sanitize event[:action] %></td>
       <td><%= time_ago_in_words(Time.zone.at(event[:timestamp].to_i)) %> ago</td>
     </tr>
   <% end %>

data/hyrax.gemspec CHANGED Viewed

@@ -55,6 +55,8 @@ EOF
   spec.add_dependency 'rdf-rdfxml' # controlled vocabulary importer
   spec.add_dependency 'railties', '~> 5.0'
   spec.add_dependency 'clipboard-rails', '~> 1.5'
+  # Devise 4.5 removes the 'trackable' module, which we depend on
+  spec.add_dependency 'devise', '<= 4.4.99'
   spec.add_dependency 'rails_autolink', '~> 1.1'
   spec.add_dependency 'active_fedora-noid', '~> 2.0', '>= 2.0.2'
   spec.add_dependency 'awesome_nested_set', '~> 3.1'
@@ -73,7 +75,7 @@ EOF
   spec.add_development_dependency 'engine_cart', '~> 1.0'
   spec.add_development_dependency 'mida', '~> 0.3'
   spec.add_development_dependency 'database_cleaner', '~> 1.3'
-  spec.add_development_dependency 'solr_wrapper', '~> 0.5'
+  spec.add_development_dependency 'solr_wrapper', '~> 0.5', '< 3.0'
   spec.add_development_dependency 'fcrepo_wrapper', '~> 0.5', '>= 0.5.1'
   spec.add_development_dependency 'rspec-rails', '~> 3.1'
   spec.add_development_dependency 'rspec-its', '~> 1.1'

data/lib/hyrax/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Hyrax
-  VERSION = '1.1.0'.freeze
+  VERSION = '1.1.1'.freeze
 end

data/spec/controllers/hyrax/admin/strategies_controller_spec.rb CHANGED Viewed

@@ -3,14 +3,25 @@ require 'spec_helper'
 RSpec.describe Hyrax::Admin::StrategiesController do
   describe "#update" do
     before do
+      # Added when Flipflop bumped to 2.3.2. See also https://github.com/voormedia/flipflop/issues/26
+      Flipflop::FeatureSet.current.instance_variable_set(:@features, original_feature_hash.merge(feature_id => feature))
       sign_in user
     end
+    after do
+      Flipflop::FeatureSet.current.instance_variable_set(:@features, original_feature_hash)
+    end
+    let(:original_feature_hash) { Flipflop::FeatureSet.current.instance_variable_get(:@features) }
     let(:user) { create(:user) }
     let(:strategy) { Flipflop::Strategies::ActiveRecordStrategy.new(class: Hyrax::Feature).key }
+    let(:feature) { double('feature', id: feature_id, key: 'foo') }
+    let(:feature_id) { :my_feature }
     context "when not authorized" do
       it "redirects away" do
-        patch :update, params: { feature_id: '123', id: strategy }
+        patch :update, params: { feature_id: feature.id, id: strategy }
         expect(response).to redirect_to root_path
       end
     end
@@ -22,7 +33,7 @@ RSpec.describe Hyrax::Admin::StrategiesController do
       end
       it "is successful" do
-        patch :update, params: { feature_id: '123', id: strategy }
+        patch :update, params: { feature_id: feature.id, id: strategy }
         expect(response).to redirect_to Hyrax::Engine.routes.url_helpers.admin_features_path(locale: 'en')
       end
     end

data/spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb ADDED Viewed

@@ -0,0 +1,10 @@
+RSpec.describe Hyrax::CitationsBehaviors::Formatters::ChicagoFormatter do
+  subject(:formatter) { described_class.new(:no_context) }
+  let(:presenter) { Hyrax::WorkShowPresenter.new(SolrDocument.new(work.to_solr), :no_ability) }
+  let(:work)      { build(:generic_work, title: ['<ScrIPt>prompt("Confirm Password")</sCRIpt>']) }
+  it 'sanitizes input' do
+    expect(formatter.format(presenter)).not_to include 'prompt'
+  end
+end

data/template.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-gem 'hyrax', '1.1.0'
+gem 'hyrax', '1.1.1'
 run 'bundle install'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hyrax
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Justin Coyne
@@ -14,7 +14,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-17 00:00:00.000000000 Z
+date: 2018-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hydra-head
@@ -466,6 +466,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: 4.4.99
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: 4.4.99
 - !ruby/object:Gem::Dependency
   name: rails_autolink
   requirement: !ruby/object:Gem::Requirement
@@ -735,6 +749,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -742,6 +759,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: fcrepo_wrapper
   requirement: !ruby/object:Gem::Requirement
@@ -2247,6 +2267,7 @@ files:
 - spec/helpers/dashboard_helper_spec.rb
 - spec/helpers/hyrax/ability_helper_spec.rb
 - spec/helpers/hyrax/charts_helper_spec.rb
+- spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb
 - spec/helpers/hyrax/collections_helper_spec.rb
 - spec/helpers/hyrax/content_block_helper_spec.rb
 - spec/helpers/hyrax/file_set_helper_spec.rb
@@ -2837,6 +2858,7 @@ test_files:
 - spec/helpers/dashboard_helper_spec.rb
 - spec/helpers/hyrax/ability_helper_spec.rb
 - spec/helpers/hyrax/charts_helper_spec.rb
+- spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb
 - spec/helpers/hyrax/collections_helper_spec.rb
 - spec/helpers/hyrax/content_block_helper_spec.rb
 - spec/helpers/hyrax/file_set_helper_spec.rb