RubyGems - hyrax - Versions diffs - 2.2.1 → 2.2.2 - Mend

hyrax 2.2.1 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml +4 -4
data/README.md +2 -2
data/app/actors/hyrax/actors/attach_members_actor.rb +2 -2
data/app/helpers/hyrax/citations_behaviors/formatters/chicago_formatter.rb +10 -3
data/app/views/_flash_msg.html.erb +1 -1
data/app/views/hyrax/batch_edits/edit.html.erb +1 -1
data/app/views/hyrax/dashboard/collections/_flash_msg.html.erb +1 -1
data/app/views/hyrax/file_sets/_extra_fields_modal.html.erb +1 -1
data/app/views/hyrax/file_sets/_show_characterization_details.html.erb +1 -1
data/app/views/hyrax/notifications/_notifications.html.erb +2 -2
data/app/views/hyrax/permissions/confirm_access.html.erb +1 -1
data/app/views/hyrax/stats/file.html.erb +1 -1
data/app/views/hyrax/stats/work.html.erb +1 -1
data/app/views/hyrax/users/_activity_log.html.erb +1 -1
data/lib/hyrax/version.rb +1 -1
data/spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb +10 -0
data/template.rb +1 -1
metadata +4 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6f086851536da61deedbb9795675b44319ad7708
-  data.tar.gz: fdc35cc7f45c521f8b196b8642900270d4714ba9
+  metadata.gz: 97fb2ae450f3b4b0c85cfa72f4d05e02e02a628b
+  data.tar.gz: 7500fb0e85e5171e2da86f75cd84b0109827f849
 SHA512:
-  metadata.gz: 4d043eb1fd8223cf6f517c6eba02228c637bcd5179bd32fae7b2def80373c285e5b5c4c6ba6410585cc35b9e20f8f5ef5ac8da7db260c69aa2825a0a64c3d512
-  data.tar.gz: 305a94619c505e545a44d8c26ffc2e03168563c5caa0c6bb1ac7cd00b80afe822b1fad3b8a4e8b9e5e75cfe69516b738d6c1c440c13f45d47726ff2bbf371f7f
+  metadata.gz: c7da390ffaf5451e88d43261e4d61e9963677a80fa567d54d760c3158d218e2717fb9d65cf0de6915792416d8c5468448c08dfb1b0d64263fe8934f8212c5d12
+  data.tar.gz: 65d79abe5721fa5c09bf574d086935edf50784f6908faaf6a1ea2daf71684adae7d7dbac84cc2243d96c53111dc60bf8985ee33cfd6e440aa0fcbba07014e2c7

data/README.md CHANGED Viewed

@@ -62,7 +62,7 @@ The Samvera community is here to help. Please see our [support guide](./.github/
 # Getting started
 This document contains instructions specific to setting up an app with __Hyrax
-v2.2.1__. If you are looking for instructions on installing a different
+v2.2.2__. If you are looking for instructions on installing a different
 version, be sure to select the appropriate branch or tag from the drop-down
 menu above.
@@ -161,7 +161,7 @@ NOTE: The steps need to be done in order to create a new Hyrax based app.
 Generate a new Rails application using the template.
 ```
-rails _5.1.6_ new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v2.2.1/template.rb
+rails _5.1.6_ new my_app -m https://raw.githubusercontent.com/samvera/hyrax/v2.2.2/template.rb
 ```
 Generating a new Rails application using Hyrax's template above takes cares of a number of steps for you, including:

data/app/actors/hyrax/actors/attach_members_actor.rb CHANGED Viewed

@@ -4,8 +4,8 @@ module Hyrax
     # that follow the rails nested parameters conventions:
     # e.g.
     #   'work_members_attributes' => {
-    #     '0' => { 'id' = '12312412'},
-    #     '1' => { 'id' = '99981228', '_destroy' => 'true' }
+    #     '0' => { 'id' => '12312412'},
+    #     '1' => { 'id' => '99981228', '_destroy' => 'true' }
     #   }
     #
     # The goal of this actor is to mutate the ordered_members with as few writes

data/app/helpers/hyrax/citations_behaviors/formatters/chicago_formatter.rb CHANGED Viewed

@@ -13,11 +13,11 @@ module Hyrax
           text = "<span class=\"citation-author\">#{text}</span>" if text.present?
           # Get Pub Date
           pub_date = setup_pub_date(work)
-          text << " #{pub_date}." unless pub_date.nil?
+          text << " #{whitewash(pub_date)}." unless pub_date.nil?
           text << format_title(work.to_s)
           pub_info = setup_pub_info(work, false)
-          text << " #{pub_info}." if pub_info.present?
+          text << " #{whitewash(pub_info)}." if pub_info.present?
           text.html_safe
         end
@@ -36,7 +36,7 @@ module Hyrax
           # if for some reason the first author ended with a comma
           text.gsub!(',,', ',')
           text << "." unless text =~ /\.$/
-          text
+          whitewash(text)
         end
         # rubocop:enable Metrics/MethodLength
@@ -46,8 +46,15 @@ module Hyrax
           return "" if title_info.blank?
           title_text = chicago_citation_title(title_info)
           title_text << '.' unless title_text =~ /\.$/
+          title_text = whitewash(title_text)
           " <i class=\"citation-title\">#{title_text}</i>"
         end
+        private
+          def whitewash(text)
+            Loofah.fragment(text.to_s).scrub!(:whitewash).to_s
+          end
       end
     end
   end

data/app/views/_flash_msg.html.erb CHANGED Viewed

@@ -2,7 +2,7 @@
   <% if flash[type].present? %>
     <div class="alert <%= flash_dom_class %> alert-dismissable" role="alert">
       <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
-      <%= safe_join(Array.wrap(flash[type]).map(&:html_safe), tag(:br)) %>
+      <%= sanitize Array.wrap(flash[type]).join(tag(:br)) %>
     </div>
     <% flash.delete(type) %>
   <% end %>

data/app/views/hyrax/batch_edits/edit.html.erb CHANGED Viewed

@@ -2,7 +2,7 @@
 <div class="scrollx scrolly fileHeight"> <!-- original values -->
   <h3> <b>Changes will be applied to: (<%= @form.names.size %> works) </b></h3>
-   <%= @form.names.join(", ").html_safe %>
+   <%= sanitize @form.names.join(", ") %>
 </div> <!-- /original values -->
 <div>

data/app/views/hyrax/dashboard/collections/_flash_msg.html.erb CHANGED Viewed

@@ -2,7 +2,7 @@
   <% if flash[type].present? %>
     <div class="alert <%= flash_dom_class %> alert-dismissable" role="alert">
       <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
-      <%= safe_join(Array.wrap(flash[type]).map(&:html_safe), '<br/>'.html_safe) %>
+      <%= sanitize Array.wrap(flash[type]).join(tag(:br)) %>
     </div>
     <% flash.delete(type) %>
   <% end %>

data/app/views/hyrax/file_sets/_extra_fields_modal.html.erb CHANGED Viewed

@@ -11,7 +11,7 @@
         <h2 id="extraFieldsModal_<%= name %>_Label">Additional <%= label %>(s)</h2>
       </div>
       <div class="modal-body">
-        <%= values.join("<br />").html_safe %>
+        <%= sanitize values.join("<br />") %>
       </div>
       <div class="modal-footer">
         <button class="btn btn-primary" data-dismiss="modal">Close</button>

data/app/views/hyrax/file_sets/_show_characterization_details.html.erb CHANGED Viewed

@@ -1,7 +1,7 @@
 <% @presenter.characterization_metadata.keys.each do |term| %>
   <div>
     <% additional_values = @presenter.secondary_characterization_values(term) %>
-    <%= @presenter.label_for_term(term) %>: <%= @presenter.primary_characterization_values(term).join("<br />").html_safe %>
+    <%= @presenter.label_for_term(term) %>: <%= sanitize @presenter.primary_characterization_values(term).join("<br />") %>
     <% unless additional_values.empty? %>
       <%= render partial: "extra_fields_modal", locals: { name: term, values: additional_values } %>
     <% end %>

data/app/views/hyrax/notifications/_notifications.html.erb CHANGED Viewed

@@ -17,8 +17,8 @@
                 <%= msg.last_message.created_at.to_formatted_s(:long_ordinal) %>
               </relative-time>
             </td>
-            <td><%= msg.last_message.subject.html_safe %></td>
-            <td><%= msg.last_message.body.html_safe %></td>
+            <td><%= sanitize msg.last_message.subject %></td>
+            <td><%= sanitize msg.last_message.body %></td>
             <td>
               <%= link_to hyrax.notification_path(msg.id),
                       class: "itemicon itemtrash",

data/app/views/hyrax/permissions/confirm_access.html.erb CHANGED Viewed

@@ -3,7 +3,7 @@
     <h4>Apply changes to contents?<h4>
   </div>
   <div class="panel-body">
-      <%= I18n.t("hyrax.upload.change_access_message_html", curation_concern: curation_concern).html_safe %>
+      <%= sanitize I18n.t("hyrax.upload.change_access_message_html", curation_concern: curation_concern) %>
   </div>
   <div class="form-actions panel-footer">
     <%= button_to I18n.t("hyrax.upload.change_access_yes_message"), hyrax.copy_access_permission_path(curation_concern), class: 'btn btn-primary' %>

data/app/views/hyrax/stats/file.html.erb CHANGED Viewed

@@ -2,7 +2,7 @@
 <script>
 //<![CDATA[
-  var hyrax_item_stats = <%= @stats.to_flot.to_json.html_safe %>;
+  var hyrax_item_stats = <%= raw json_escape @stats.to_flot.to_json %>;
 //]]>
 </script>

data/app/views/hyrax/stats/work.html.erb CHANGED Viewed

@@ -2,7 +2,7 @@
 <script>
 //<![CDATA[
-  var hyrax_item_stats = <%= @stats.to_flot.to_json.html_safe %>;
+  var hyrax_item_stats = <%= raw json_escape @stats.to_flot.to_json %>;
 //]]>
 </script>

data/app/views/hyrax/users/_activity_log.html.erb CHANGED Viewed

@@ -9,7 +9,7 @@
   <% events.each do |event| %>
     <% next if event[:action].blank? or event[:timestamp].blank? %>
     <tr>
-      <td><%= event[:action].html_safe %></td>
+      <td><%= event[:action] %></td>
       <% time = Time.zone.at(event[:timestamp].to_i) %>
       <td data-sort="<%= time.getutc.iso8601(5) %>">
         <relative-time datetime="<%= time.getutc.iso8601 %>" title="<%= time.to_formatted_s(:standard) %>">

data/lib/hyrax/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Hyrax
-  VERSION = '2.2.1'.freeze
+  VERSION = '2.2.2'.freeze
 end

data/spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb ADDED Viewed

@@ -0,0 +1,10 @@
+RSpec.describe Hyrax::CitationsBehaviors::Formatters::ChicagoFormatter do
+  subject(:formatter) { described_class.new(:no_context) }
+  let(:presenter) { Hyrax::WorkShowPresenter.new(SolrDocument.new(work.to_solr), :no_ability) }
+  let(:work)      { build(:generic_work, title: ['<ScrIPt>prompt("Confirm Password")</sCRIpt>']) }
+  it 'sanitizes input' do
+    expect(formatter.format(presenter)).not_to include 'prompt'
+  end
+end

data/template.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-gem 'hyrax', '2.2.1'
+gem 'hyrax', '2.2.2'
 run 'bundle install'
 generate 'hyrax:install', '-f'
 rails_command 'db:migrate'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hyrax
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.2.2
 platform: ruby
 authors:
 - Justin Coyne
@@ -14,7 +14,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-08-30 00:00:00.000000000 Z
+date: 2018-09-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -2498,6 +2498,7 @@ files:
 - spec/helpers/hyrax/ability_helper_spec.rb
 - spec/helpers/hyrax/batch_edits_helper_spec.rb
 - spec/helpers/hyrax/charts_helper_spec.rb
+- spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb
 - spec/helpers/hyrax/collections_helper_spec.rb
 - spec/helpers/hyrax/content_block_helper_spec.rb
 - spec/helpers/hyrax/dashboard_helper_behavior_spec.rb
@@ -3229,6 +3230,7 @@ test_files:
 - spec/helpers/hyrax/ability_helper_spec.rb
 - spec/helpers/hyrax/batch_edits_helper_spec.rb
 - spec/helpers/hyrax/charts_helper_spec.rb
+- spec/helpers/hyrax/citations_behaviors/formatters/chicago_formatter_spec.rb
 - spec/helpers/hyrax/collections_helper_spec.rb
 - spec/helpers/hyrax/content_block_helper_spec.rb
 - spec/helpers/hyrax/dashboard_helper_behavior_spec.rb