hyrax 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f12bc4422975b30df6990632d50bbd5b39bfa033
-  data.tar.gz: 1cbc32cf3989e372d2cff38780af758606fbaec3
+  metadata.gz: 8d3112e5f08e4c0da060fde290645a29b69bab62
+  data.tar.gz: d2b16f75eacb1a606a80dce93a86f93de4f5ef0c
 SHA512:
-  metadata.gz: 74c91fe48c1b7c981ae6c81201d3cbd8732c4efacdfbfb4dcb0652f799a6317efaafcb5171f8dc26a54577cfa834623f9fb2aae01ee62d52fcc41335519a8826
-  data.tar.gz: 577a72b3cfe93ba8b47d02da6d418a2dad6066ac9c874c92070a9d4d4beabaaaac5962d1860ecd5b2d60184023a406f859715869bcd8bab0aa158c160642cd3b
+  metadata.gz: 4916d4b71847fa4e0fabd5a477f5efa6ba99484493b9ef3de440d379e967d7a09c2bbb054a24f6529561eef820713ef6059ba1571d74bc150b439df556fb6bef
+  data.tar.gz: 54f5e65e0105faf6cad75868409030eff13e52f72cffe3a4d1a0299a72eac339f9136bfe46116ec237878bf779cbea02633bc23368f312214d764e3068e47603

data/README.md

@@ -59,7 +59,7 @@ If you have questions or need help, please email [the Samvera community tech lis
 # Getting started
 
 This document contains instructions specific to setting up an app with __Hyrax
-v1.1.0__. If you are looking for instructions on installing a different
+v1.1.1__. If you are looking for instructions on installing a different
 version, be sure to select the appropriate branch or tag from the drop-down
 menu above.
 
@@ -133,7 +133,7 @@ Rails requires that you have a JavaScript runtime -- for example, nodejs -- inst
 Generate a new Rails application using the template.
 
 ```
-rails new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v1.1.0/template.rb
+rails new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v1.1.1/template.rb
 ```
 
 Generating a new Rails application using Hyrax's template above takes cares of a number of steps for you, including:

data/app/helpers/hyrax/citations_behaviors/formatters/chicago_formatter.rb

@@ -16,17 +16,18 @@ module Hyrax
           end
           # Get Pub Date
           pub_date = setup_pub_date(work)
-          text << " #{pub_date}." unless pub_date.nil?
+          text << " #{whitewash(pub_date)}." unless pub_date.nil?
 
           text << format_title(work.to_s)
           pub_info = setup_pub_info(work, false)
-          text << " #{pub_info}." if pub_info.present?
+          text << " #{whitewash(pub_info)}." if pub_info.present?
           text.html_safe
         end
 
         def format_authors(authors_list = [])
+          text = ''
+
           unless authors_list.blank?
-            text = ''
             text << surname_first(authors_list.first) if authors_list.first
             authors_list[1..6].each_with_index do |author, index|
               text << if index + 2 == authors_list.length # we've skipped the first author
@@ -37,10 +38,11 @@ module Hyrax
             end
             text << " et al." if authors_list.length > 7
           end
+
           # if for some reason the first author ended with a comma
           text.gsub!(',,', ',')
           text << "." unless text =~ /\.$/
-          text
+          whitewash(text)
         end
 
         def format_date(pub_date); end
@@ -49,8 +51,15 @@ module Hyrax
           return "" if title_info.blank?
           title_text = chicago_citation_title(title_info)
           title_text << '.' unless title_text =~ /\.$/
+          title_text = whitewash(title_text)
           " <i class=\"citation-title\">#{title_text}</i>"
         end
+
+        private
+
+          def whitewash(text)
+            Loofah.fragment(text.to_s).scrub!(:whitewash).to_s
+          end
       end
     end
   end

data/app/views/_flash_msg.html.erb

@@ -2,7 +2,7 @@
   <% if flash[type].present? %>
     <div class="alert <%= flash_dom_class %> alert-dismissable" role="alert">
       <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
-      <%= safe_join(Array.wrap(flash[type]).map(&:html_safe), '<br/>'.html_safe) %>
+      <%= sanitize Array.wrap(flash[type]).join(tag(:br)) %>
     </div>
     <% flash.delete(type) %>
   <% end %>

data/app/views/hyrax/batch_edits/edit.html.erb

@@ -2,7 +2,7 @@
 
 <div class="scrollx scrolly fileHeight"> <!-- original values -->
   <h3> <b>Changes will be applied to: (<%= @form.names.size %> works) </b></h3>
-   <%= @form.names.join(", ").html_safe %>
+   <%= sanitize @form.names.join(", ") %>
 </div> <!-- /original values -->
 
 <div >

data/app/views/hyrax/file_sets/_extra_fields_modal.html.erb

@@ -11,7 +11,7 @@
         <h2 id="extraFieldsModal_<%=name %>_Label">Additional <%= label %>(s)</h2>
       </div>
       <div class="modal-body">
-        <%= values.join("<br />").html_safe %>
+        <%= sanitize values.join("<br />") %>
       </div>
       <div class="modal-footer">
         <button class="btn btn-primary" data-dismiss="modal">Close</button>

data/app/views/hyrax/file_sets/_show_characterization_details.html.erb

@@ -1,7 +1,7 @@
 <% @presenter.characterization_metadata.keys.each do |term| %>
   <div>
     <% additional_values = @presenter.secondary_characterization_values(term) %>
-    <%= @presenter.label_for_term(term) %>: <%= @presenter.primary_characterization_values(term).join("<br />").html_safe %>
+    <%= @presenter.label_for_term(term) %>: <%= sanitize @presenter.primary_characterization_values(term).join("<br />") %>
     <% unless additional_values.empty? %>
       <%= render partial: "extra_fields_modal", locals: { name: term, values: additional_values } %>
     <% end %>

data/app/views/hyrax/permissions/confirm_access.html.erb

@@ -3,7 +3,7 @@
     <h4>Apply changes to contents?<h4>
   </div>
   <div class="panel-body">
-      <%= I18n.t("hyrax.upload.change_access_message_html", curation_concern: curation_concern).html_safe %>
+      <%= sanitize I18n.t("hyrax.upload.change_access_message_html", curation_concern: curation_concern) %>
   </div>
   <div class="form-actions panel-footer">
     <%= button_to I18n.t("hyrax.upload.change_access_yes_message"), hyrax.copy_access_permission_path(curation_concern), class: 'btn btn-primary' %>

data/app/views/hyrax/stats/file.html.erb

@@ -1,6 +1,6 @@
 <!-- Adapted from jquery-flot examples https://github.com/flot/flot/blob/master/examples/visitors/index.html -->
 <%= javascript_tag do %>
-  var hyrax_item_stats = <%= @stats.to_flot.to_json.html_safe %>;
+  var hyrax_item_stats = <%= raw json_escape @stats.to_flot.to_json %>;
 <% end %>
 
 <%= content_tag :h1, @file_set, class: "lower" %>

data/app/views/hyrax/stats/work.html.erb

@@ -1,6 +1,6 @@
 <!-- Adapted from jquery-flot examples https://github.com/flot/flot/blob/master/examples/visitors/index.html -->
 <%= javascript_tag do %>
-  var hyrax_item_stats = <%= @stats.to_flot.to_json.html_safe %>;
+  var hyrax_item_stats = <%= raw json_escape @stats.to_flot.to_json %>;
 <% end %>
 
 <%= content_tag :h1, @stats, class: "lower" %>

data/app/views/hyrax/users/_activity_log.html.erb

@@ -9,7 +9,7 @@
   <% events.each do |event| %>
     <% next if event[:action].blank? or event[:timestamp].blank? %>
     <tr>
-      <td><%= event[:action].html_safe %></td>
+      <td><%= sanitize event[:action] %></td>
       <td><%= time_ago_in_words(Time.zone.at(event[:timestamp].to_i)) %> ago</td>
     </tr>
   <% end %>

data/hyrax.gemspec

@@ -55,6 +55,8 @@ EOF
   spec.add_dependency 'rdf-rdfxml' # controlled vocabulary importer
   spec.add_dependency 'railties', '~> 5.0'
   spec.add_dependency 'clipboard-rails', '~> 1.5'
+  # Devise 4.5 removes the 'trackable' module, which we depend on
+  spec.add_dependency 'devise', '<= 4.4.99'
   spec.add_dependency 'rails_autolink', '~> 1.1'
   spec.add_dependency 'active_fedora-noid', '~> 2.0', '>= 2.0.2'
   spec.add_dependency 'awesome_nested_set', '~> 3.1'
@@ -73,7 +75,7 @@ EOF
   spec.add_development_dependency 'engine_cart', '~> 1.0'
   spec.add_development_dependency 'mida', '~> 0.3'
   spec.add_development_dependency 'database_cleaner', '~> 1.3'
-  spec.add_development_dependency 'solr_wrapper', '~> 0.5'
+  spec.add_development_dependency 'solr_wrapper', '~> 0.5', '< 3.0'
   spec.add_development_dependency 'fcrepo_wrapper', '~> 0.5', '>= 0.5.1'
   spec.add_development_dependency 'rspec-rails', '~> 3.1'
   spec.add_development_dependency 'rspec-its', '~> 1.1'

data/lib/hyrax/version.rb

@@ -1,3 +1,3 @@
 module Hyrax
-  VERSION = '1.1.0'.freeze
+  VERSION = '1.1.1'.freeze
 end

data/spec/controllers/hyrax/admin/strategies_controller_spec.rb

@@ -3,14 +3,25 @@ require 'spec_helper'
 RSpec.describe Hyrax::Admin::StrategiesController do
   describe "#update" do
     before do
+      # Added when Flipflop bumped to 2.3.2. See also https://github.com/voormedia/flipflop/issues/26
+      Flipflop::FeatureSet.current.instance_variable_set(:@features, original_feature_hash.merge(feature_id => feature))
+
       sign_in user
     end
+
+    after do
+      Flipflop::FeatureSet.current.instance_variable_set(:@features, original_feature_hash)
+    end
+
+    let(:original_feature_hash) { Flipflop::FeatureSet.current.instance_variable_get(:@features) }
     let(:user) { create(:user) }
     let(:strategy) { Flipflop::Strategies::ActiveRecordStrategy.new(class: Hyrax::Feature).key }
+    let(:feature) { double('feature', id: feature_id, key: 'foo') }
+    let(:feature_id) { :my_feature }
 
     context "when not authorized" do
       it "redirects away" do
-        patch :update, params: { feature_id: '123', id: strategy }
+        patch :update, params: { feature_id: feature.id, id: strategy }
         expect(response).to redirect_to root_path
       end
     end
@@ -22,7 +33,7 @@ RSpec.describe Hyrax::Admin::StrategiesController do
       end
 
       it "is successful" do
-        patch :update, params: { feature_id: '123', id: strategy }
+        patch :update, params: { feature_id: feature.id, id: strategy }
         expect(response).to redirect_to Hyrax::Engine.routes.url_helpers.admin_features_path(locale: 'en')
       end
     end

data/spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb

@@ -0,0 +1,10 @@
+RSpec.describe Hyrax::CitationsBehaviors::Formatters::ChicagoFormatter do
+  subject(:formatter) { described_class.new(:no_context) }
+
+  let(:presenter) { Hyrax::WorkShowPresenter.new(SolrDocument.new(work.to_solr), :no_ability) }
+  let(:work)      { build(:generic_work, title: ['<ScrIPt>prompt("Confirm Password")</sCRIpt>']) }
+
+  it 'sanitizes input' do
+    expect(formatter.format(presenter)).not_to include 'prompt'
+  end
+end

data/template.rb

@@ -1,4 +1,4 @@
-gem 'hyrax', '1.1.0'
+gem 'hyrax', '1.1.1'
 
 run 'bundle install'
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hyrax
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Justin Coyne
@@ -14,7 +14,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-17 00:00:00.000000000 Z
+date: 2018-09-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hydra-head
@@ -466,6 +466,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: 4.4.99
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: 4.4.99
 - !ruby/object:Gem::Dependency
   name: rails_autolink
   requirement: !ruby/object:Gem::Requirement
@@ -735,6 +749,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -742,6 +759,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.5'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: fcrepo_wrapper
   requirement: !ruby/object:Gem::Requirement
@@ -2247,6 +2267,7 @@ files:
 - spec/helpers/dashboard_helper_spec.rb
 - spec/helpers/hyrax/ability_helper_spec.rb
 - spec/helpers/hyrax/charts_helper_spec.rb
+- spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb
 - spec/helpers/hyrax/collections_helper_spec.rb
 - spec/helpers/hyrax/content_block_helper_spec.rb
 - spec/helpers/hyrax/file_set_helper_spec.rb
@@ -2837,6 +2858,7 @@ test_files:
 - spec/helpers/dashboard_helper_spec.rb
 - spec/helpers/hyrax/ability_helper_spec.rb
 - spec/helpers/hyrax/charts_helper_spec.rb
+- spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb
 - spec/helpers/hyrax/collections_helper_spec.rb
 - spec/helpers/hyrax/content_block_helper_spec.rb
 - spec/helpers/hyrax/file_set_helper_spec.rb