publify_core 10.0.1 → 10.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f07659f73a5dbeb0204128c9d42e6fcec4092ed7d4e920dceac39f1d104531f3
-  data.tar.gz: cef962bcdc17d957b1824f6e529534c48fdadb473280c910a33198cbcb49d2e7
+  metadata.gz: b3e5084922bf07bd1308c17a903b8d97773f92b4068a02aedbddb77ee3e4d86c
+  data.tar.gz: d8689c538a7fad96f040adc776cc55b9f489a5bcfaef8dfa6ca7b4a31aa3a385
 SHA512:
-  metadata.gz: 5f1262b50e741c94cf9bfcf2cc9d30dade5ae00fccbb5a33206789e7a900af47d280246b204b4f6671f2baaf18547fa1c98aad558d890500347ce58cf97d14f6
-  data.tar.gz: 58e3228983425a5a802714855453184d726f351b81475c0f36f63acf19486c61c0be3f54b26a5cb205f0db48924158840a978fb83888c33cbbcaeaddc9d65b98
+  metadata.gz: aeeeb16cf53b8f6fd74cfd04ac9c960a25f05fd603e4d127cbee813d37a8ddd2675ed6f082aa2ea59155aa3ab407297c6a733d8ce0f124d4a9affd98163a52e7
+  data.tar.gz: 80b5de3c4bd37f72ccbce5d27d10fbff4519d3bca84a30eee988e389b48b83b6969320c90db38590aeae40a46be5708e838ea066855ea6aef4a254f50cb2632f

data/CHANGELOG.md

@@ -1,5 +1,51 @@
 # Changelog
 
+## 10.0.3 / 2025-03-28
+
+* Limit accepted parameters for Sidebar update in Admin ([#159] by [mvz])
+* Use known set of allowed attributes when autosaving an Article ([#160] by [mvz])
+* Permit only valid settings keys when updating blog settings ([#161] by [mvz])
+* Limit assigned attributes when creating and updating Notes ([#162] by [mvz])
+* Limit allowed SEO settings params ([#163] by [mvz])
+
+[#159]: https://github.com/publify/publify_core/pull/159
+[#160]: https://github.com/publify/publify_core/pull/160
+[#161]: https://github.com/publify/publify_core/pull/161
+[#162]: https://github.com/publify/publify_core/pull/162
+[#163]: https://github.com/publify/publify_core/pull/163
+
+## 10.0.2 / 2024-06-28
+
+### Security updates
+
+* Safely link target URLs for Redirects in admin ([#148] by [mvz])
+* Upgrade jquery-ui-rails to version 7.0 ([#149] by [mvz])
+
+### Functional changes
+
+* Use native datetime inputs in the Admin ([#121] by [mvz])
+* Display Theme description nicely in the admin ([#151] by [mvz])
+
+### Internal changes
+
+* Stop using and depending on REXML ([#123] by [mvz])
+* Remove inline javascript ([#124] by [mvz])
+* Switch to no-trailing-comma style ([#127] by [mvz])
+* Remove inline styles assigned in ERB templates ([#128] by [mvz])
+* Make Content.searchstring scope code more transparent ([#150] by [mvz])
+* Add erb-lint and fix initial warnings ([#125] by [mvz])
+
+[#121]: https://github.com/publify/publify_core/pull/121
+[#123]: https://github.com/publify/publify_core/pull/123
+[#124]: https://github.com/publify/publify_core/pull/124
+[#125]: https://github.com/publify/publify_core/pull/125
+[#127]: https://github.com/publify/publify_core/pull/127
+[#128]: https://github.com/publify/publify_core/pull/128
+[#148]: https://github.com/publify/publify_core/pull/148
+[#149]: https://github.com/publify/publify_core/pull/149
+[#150]: https://github.com/publify/publify_core/pull/150
+[#151]: https://github.com/publify/publify_core/pull/151
+
 ## 10.0.1 / 2023-10-28
 
 * Update CarrierWave dependency to version 3.0 ([#102] by [mvz])
@@ -18,7 +64,6 @@
 [#118]: https://github.com/publify/publify_core/pull/118
 [#119]: https://github.com/publify/publify_core/pull/119
 [mvz]: https://github.com/mvz
-[dependabot]: https://github.com/apps/dependabot
 
 ## 10.0.0 / 2023-06-25
 

data/app/assets/javascripts/markup_help_popup.js

@@ -0,0 +1,25 @@
+$(document).ready(function() {
+  $('.markup-help-popup-link').on("click", function(e){
+    var dialog = document.getElementById(e.target.dataset["target"]);
+    var url = e.target.dataset.url;
+
+    $.ajax({
+      url: url,
+      type: 'get',
+      dataType: 'html',
+      success: function(data) {
+        dialog.getElementsByClassName("content-target").item(0).innerHTML = data;
+        dialog.showModal();
+      }
+    });
+    e.preventDefault();
+  });
+  $('.markup-help-popup-close').on("click", function(e) {
+    e.target.closest('dialog').close();
+  });
+  $('.markup-help-popup').on("click", function(e) {
+    if (e.target == e.currentTarget) {
+      e.target.close();
+    }
+  });
+});

data/app/assets/javascripts/optional_field_toggle.js

@@ -0,0 +1,7 @@
+$(document).ready(function() {
+  $('.optional_field').hide();
+  $('.optional-field-toggle').on("click", function(e){
+    $('.optional_field').fadeToggle();
+    e.preventDefault();
+  });
+});

data/app/assets/javascripts/preview_comment.js

@@ -0,0 +1,10 @@
+$(document).ready(function() {
+  $('.preview-comment-link').on("click", function(e) {
+    var lnk = e.currentTarget;
+    var preview_url = lnk.dataset.previewUrl;
+    var comment_form_selector = lnk.dataset.targetForm;
+
+    $.post(preview_url, $(comment_form_selector).serialize());
+    e.preventDefault();
+  });
+});

data/app/assets/javascripts/publify.js

@@ -6,7 +6,10 @@
 //= require set-timeago-lang
 //= require jquery_ujs
 //= require lightbox
+//= require markup_help_popup
 //= require observe
+//= require optional_field_toggle
+//= require preview_comment
 //= require check_password
 //
 //= require_self

data/app/assets/javascripts/publify_admin.js

@@ -3,23 +3,6 @@
 //= require jquery
 //= require jquery_ujs
 //= require jquery-ui
-//= require jquery-ui/i18n/datepicker-da
-//= require jquery-ui/i18n/datepicker-de
-//= require jquery-ui/i18n/datepicker-es
-//= require jquery-ui/i18n/datepicker-fr
-//= require jquery-ui/i18n/datepicker-he
-//= require jquery-ui/i18n/datepicker-it
-//= require jquery-ui/i18n/datepicker-ja
-//= require jquery-ui/i18n/datepicker-lt
-//= require jquery-ui/i18n/datepicker-nb
-//= require jquery-ui/i18n/datepicker-nl
-//= require jquery-ui/i18n/datepicker-pl
-//= require jquery-ui/i18n/datepicker-pt-BR
-//= require jquery-ui/i18n/datepicker-ro
-//= require jquery-ui/i18n/datepicker-ru
-//= require jquery-ui/i18n/datepicker-zh-CN
-//= require jquery-ui/i18n/datepicker-zh-TW
-//= require datetimepicker
 //= require bootstrap-sprockets
 //= require quicktags
 //= require tagmanager
@@ -84,14 +67,7 @@ $(document).ready(function() {
   $('#article_form').each(function(e){autosave_request(e)});
   $('#article_form').submit(function(e){save_article_tags()});
   $('#article_form').each(function(e){tag_manager()});
-
-  // DatePickers
-  $('.datepicker').each(function() {
-    $(this).datepicker($.datepicker.regional[this.dataset.locale]);
-  });
-
-  // Date time picker (not related to date picker at all!)
-  $( "#article_published_at" ).datetimepicker();
+  $('#checkall').click(function(e){check_all(e.target)});
 
   // DropDown
   $(".dropdown-toggle").dropdown();

data/app/assets/javascripts/spinnable.js

@@ -1,5 +1,10 @@
 // Show and hide spinners on Ajax requests.
 $(document).ready(function(){
-  $('form.spinnable').on('ajax:before', function(evt, xhr, status){ $('#spinner').show();})
-  $('form.spinnable').on('ajax:complete', function(evt, xhr, status){ $('#spinner').hide();})
+  $('#spinner').hide().removeClass("hidden");
+  $('form.spinnable').on('ajax:before', function(evt, xhr, status){
+    $('#spinner').show();
+  });
+  $('form.spinnable').on('ajax:complete', function(evt, xhr, status){
+    $('#spinner').hide();
+  });
 });

data/app/assets/stylesheets/administration_structure.css.scss

@@ -1,7 +1,7 @@
 /* General */
 
 body {
-  padding-top: 40px;
+  padding-top: 60px;
 }
 
 footer {

data/app/assets/stylesheets/publify.css.scss

@@ -7,3 +7,46 @@
   border-bottom: #eee 1px solid;
   font-size: 0.9em;
 }
+
+.markup-help-popup {
+  padding: 0;
+}
+
+.markup-help-popup > div {
+  padding: 1em;
+}
+
+.markup-help-popup-close {
+  float: right;
+  cursor: pointer;
+}
+
+.admintools {
+  display: none;
+}
+
+.admin-tools-reveal:hover .admintools {
+  display: block;
+}
+
+.tag-sidebar-tag-cloud {
+  overflow: hidden;
+}
+
+.tag-sidebar-tag-67 { font-size: 0.67em; }
+.tag-sidebar-tag-75 { font-size: 0.75em; }
+.tag-sidebar-tag-83 { font-size: 0.83em; }
+.tag-sidebar-tag-91 { font-size: 0.91em; }
+.tag-sidebar-tag-100 { font-size: 1em; }
+.tag-sidebar-tag-112 { font-size: 1.12em; }
+.tag-sidebar-tag-125 { font-size: 1.25em; }
+.tag-sidebar-tag-137 { font-size: 1.37em; }
+.tag-sidebar-tag-150 { font-size: 1.50em; }
+.tag-sidebar-tag-162 { font-size: 1.62em; }
+.tag-sidebar-tag-175 { font-size: 1.75em; }
+.tag-sidebar-tag-187 { font-size: 1.87em; }
+.tag-sidebar-tag-200 { font-size: 2em; }
+
+.hidden {
+  display: none;
+}

data/app/assets/stylesheets/publify_admin.css.scss

@@ -3,7 +3,6 @@
  *= require jquery-ui
  *= require tagmanager
  *= require sidebar_admin
- *= require datetimepicker
  */
 // "bootstrap-sprockets" must be imported before "bootstrap" and "bootstrap/variables"
 @import "bootstrap-sprockets";

data/app/controllers/admin/articles_controller.rb

@@ -108,7 +108,7 @@ class Admin::ArticlesController < Admin::BaseController
 
     fetch_fresh_or_existing_draft_for_article
 
-    @article.attributes = params[:article].permit!
+    @article.assign_attributes(update_params)
 
     @article.author = current_user
     @article.save_attachments!(params[:attachments])
@@ -123,9 +123,9 @@ class Admin::ArticlesController < Admin::BaseController
     if @article.save
       flash[:success] = I18n.t("admin.articles.autosave.success")
       @must_update_calendar =
-        (params[:article][:published_at] and
-         params[:article][:published_at].to_time.to_i < Time.zone.now.to_time.to_i and
-         @article.parent_id.nil?)
+        params[:article][:published_at] and
+        params[:article][:published_at].to_time.to_i < Time.zone.now.to_time.to_i and
+        @article.parent_id.nil?
       respond_to do |format|
         format.js
       end

data/app/controllers/admin/dashboard_controller.rb

@@ -1,10 +1,6 @@
 # frozen_string_literal: true
 
 class Admin::DashboardController < Admin::BaseController
-  require "open-uri"
-  require "time"
-  require "rexml/document"
-
   def index
     today = Time.zone.now.strftime("%Y-%m-%d 00:00")
 

data/app/controllers/admin/notes_controller.rb

@@ -23,7 +23,7 @@ class Admin::NotesController < Admin::BaseController
     note = new_note
 
     note.state = "published"
-    note.attributes = params[:note].permit!
+    note.assign_attributes(note_params)
     note.text_filter ||= default_text_filter
     note.published_at ||= Time.zone.now
     if note.save
@@ -41,7 +41,7 @@ class Admin::NotesController < Admin::BaseController
   end
 
   def update
-    @note.attributes = params[:note].permit!
+    @note.assign_attributes(note_params)
     @note.save
     redirect_to admin_notes_url
   end
@@ -54,6 +54,15 @@ class Admin::NotesController < Admin::BaseController
 
   private
 
+  def note_params
+    params.require(:note).permit(:text_filter_name,
+                                 :body,
+                                 :push_to_twitter,
+                                 :in_reply_to_status_id,
+                                 :permalink,
+                                 :published_at)
+  end
+
   def load_existing_notes
     @notes = Note.page(params[:page]).per(this_blog.limit_article_display)
   end

data/app/controllers/admin/seo_controller.rb

@@ -30,7 +30,11 @@ class Admin::SeoController < Admin::BaseController
   private
 
   def settings_params
-    @settings_params ||= params.require(:setting).permit!
+    @settings_params ||= params.require(:setting).permit(settings_keys)
+  end
+
+  def settings_keys
+    @setting.settings_keys + [:custom_permalink]
   end
 
   VALID_SECTIONS = %w(general titles permalinks).freeze

data/app/controllers/admin/settings_controller.rb

@@ -36,7 +36,7 @@ class Admin::SettingsController < Admin::BaseController
   VALID_ACTIONS = %w(index write feedback display).freeze
 
   def settings_params
-    @settings_params ||= params.require(:setting).permit!
+    @settings_params ||= params.require(:setting).permit(@setting.settings_keys)
   end
 
   def action_param

data/app/controllers/admin/sidebar_controller.rb

@@ -8,9 +8,11 @@ class Admin::SidebarController < Admin::BaseController
 
   # Just update a single active Sidebar instance at once
   def update
-    @sidebar = Sidebar.where(id: params[:id]).first
+    @sidebar = Sidebar.find(params[:id])
     @old_s_index = @sidebar.staged_position || @sidebar.active_position
-    @sidebar.update params[:configure][@sidebar.id.to_s].permit!
+    @sidebar.update params.require(:configure)
+      .require(@sidebar.id.to_s)
+      .permit(@sidebar.fields.map(&:key))
     respond_to do |format|
       format.js
       format.html do

data/app/controllers/admin/themes_controller.rb

@@ -1,22 +1,14 @@
 # frozen_string_literal: true
 
-require "open-uri"
-require "time"
-require "rexml/document"
-
 class Admin::ThemesController < Admin::BaseController
   def index
     @themes = Theme.find_all
-    @themes.each do |theme|
-      # TODO: Move to Theme
-      theme.description_html = TextFilter.none.filter_text(theme.description)
-    end
     @active = this_blog.current_theme
   end
 
   def preview
     theme = Theme.find(params[:theme])
-    send_file File.join(theme.path, "preview.png"),
+    send_file theme.theme_file("preview.png"),
               type: "image/png", disposition: "inline", stream: false
   end
 

data/app/controllers/articles_controller.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class ArticlesController < ContentController
+  include ActionView::Helpers::SanitizeHelper
+
   before_action :login_required, only: [:preview, :preview_page]
   before_action :verify_config
   before_action :auto_discovery_feed, only: [:show, :index]
@@ -127,7 +129,7 @@ class ArticlesController < ContentController
   def markup_help
     filter = TextFilter.make_filter(params[:id])
     if filter
-      render html: filter.commenthelp
+      render html: sanitize(filter.commenthelp)
     else
       render plain: "Unknown filter"
     end

data/app/controllers/comments_controller.rb

@@ -32,7 +32,7 @@ class CommentsController < BaseController
 
   def recaptcha_ok_for?(comment)
     use_recaptcha = comment.blog.use_recaptcha
-    ((use_recaptcha && verify_recaptcha(model: comment)) || !use_recaptcha)
+    (use_recaptcha && verify_recaptcha(model: comment)) || !use_recaptcha
   end
 
   def new_comment_defaults

data/app/helpers/admin/feedback_helper.rb

@@ -16,7 +16,7 @@ module Admin::FeedbackHelper
       change_status(item, context),
       button_to_edit_comment(item),
       button_to_delete_comment(item),
-      button_to_conversation(item),
+      button_to_conversation(item)
     ], " "
   end
 

data/app/helpers/base_helper.rb

@@ -71,21 +71,29 @@ module BaseHelper
 
   def markup_help_popup(markup, text)
     if markup && markup.commenthelp.size > 1
-      link_to(text,
-              url_for(controller: "articles", action: "markup_help", id: markup.name),
-              onclick: "return popup(this, 'Publify Markup Help')")
+      modal = tag.dialog id: "this_markup_help_popup_dialog", class: "markup-help-popup" do
+        tag.div do
+          close_div = tag.div tag.span("\u2a09", class: "markup-help-popup-close")
+          content = tag.div class: "content-target"
+          safe_join [close_div, content]
+        end
+      end
+
+      url = url_for(controller: "articles", action: "markup_help", id: markup.name)
+
+      link = link_to(text, "#", class: "markup-help-popup-link",
+                                data: { target: "this_markup_help_popup_dialog",
+                                        url: url })
+
+      safe_join [modal, link]
     else
       ""
     end
   end
 
-  def onhover_show_admin_tools(type, id = nil)
-    admin_id = "#admin_#{[type, id].compact.join("_")}"
-    tag = []
-    tag << %{ onmouseover="if (getCookie('publify_user_profile') == 'admin')\
-             { $('#{admin_id}').show(); }" }
-    tag << %{ onmouseout="$('#{admin_id}').hide();" }
-    safe_join(tag, " ")
+  # This method's original implementation was broken. Now it does nothing.
+  def onhover_show_admin_tools(_type, _id = nil)
+    ""
   end
 
   def feed_title
@@ -190,7 +198,7 @@ module BaseHelper
   end
 
   def stop_index_robots?(blog)
-    stop = (params[:year].present? || params[:page].present?)
+    stop = params[:year].present? || params[:page].present?
     stop = blog.unindex_tags if controller_name == "tags"
     stop = blog.unindex_categories if controller_name == "categories"
     stop
@@ -216,7 +224,7 @@ module BaseHelper
     elsif !@article.nil?
       @article.feed_url(type)
     elsif !@auto_discovery_url_atom.nil?
-      instance_variable_get("@auto_discovery_url_#{type}")
+      instance_variable_get(:"@auto_discovery_url_#{type}")
     end
   end
 

data/app/models/archives_sidebar.rb

@@ -36,7 +36,7 @@ class ArchivesSidebar < Sidebar
         name: I18n.l(Date.new(year, month), format: "%B %Y"),
         month: month,
         year: year,
-        article_count: entry.count,
+        article_count: entry.count
       }
     end
   end

data/app/models/config_manager.rb

@@ -28,6 +28,10 @@ module ConfigManager
       fields[key.to_s].default
     end
 
+    def settings_keys
+      fields.keys
+    end
+
     private
 
     def add_setting_reader(item)
@@ -65,6 +69,10 @@ module ConfigManager
     self.class.fields[key.to_s].canonicalize(value)
   end
 
+  def settings_keys
+    self.class.settings_keys
+  end
+
   class Item
     VALID_TYPES = [:boolean, :integer, :string, :text].freeze
 

data/app/models/content.rb

@@ -25,10 +25,15 @@ class Content < ApplicationRecord
   scope :drafts, -> { where(state: "draft").order("created_at DESC") }
   scope :no_draft, -> { where.not(state: "draft").order("published_at DESC") }
   scope :searchstring, lambda { |search_string|
+    result = where(state: "published")
+
     tokens = search_string.split(" ").map { |c| "%#{c.downcase}%" }
-    matcher = "(LOWER(body) LIKE ? OR LOWER(extended) LIKE ? OR LOWER(title) LIKE ?)"
-    template = "state = ? AND #{([matcher] * tokens.size).join(" AND ")}"
-    where(template, "published", *tokens.map { |token| [token] * 3 }.flatten)
+    tokens.each do |token|
+      result = result
+        .where("(LOWER(body) LIKE ? OR LOWER(extended) LIKE ? OR LOWER(title) LIKE ?)",
+               token, token, token)
+    end
+    result
   }
 
   scope :published_at_like, lambda { |date_at|

data/app/models/redirect.rb

@@ -17,8 +17,8 @@ class Redirect < ApplicationRecord
     return path if %r{^(https?)://([^/]*)(.*)}.match?(path)
 
     url_root = blog.root_path
-    unless url_root.nil? || path[0, url_root.length] == url_root
-      path = File.join(url_root, path)
+    if url_root.length == 0 || path[0, url_root.length] != url_root
+      path = blog.url_for(path, only_path: true)
     end
     path
   end

data/app/models/tag_sidebar.rb

@@ -18,12 +18,34 @@ class TagSidebar < Sidebar
     average = total.to_f / @tags.size
     @sizes = tags.reduce({}) do |h, tag|
       size = tag.content_counter.to_f / average
-      h.merge tag => size.clamp(2.0 / 3.0, 2) * 100
+      h.merge tag => bucket(size)
     end
   end
 
-  def font_multiplier
-    80
+  BUCKETS = [
+    67,
+    75,
+    83,
+    91,
+    100,
+    112,
+    125,
+    137,
+    150,
+    162,
+    175,
+    187,
+    200
+  ].freeze
+
+  private
+
+  def bucket(size)
+    base_size = size.clamp(2.0 / 3.0, 2) * 100
+    BUCKETS.each do |sz|
+      return sz if sz >= base_size
+    end
+    BUCKETS.last
   end
 end
 

data/app/models/text_filter.rb

@@ -65,7 +65,7 @@ class TextFilter
       markdown,
       smartypants,
       markdown_smartypants,
-      none,
+      none
     ]
   end
 

data/app/uploaders/resource_uploader.rb

@@ -30,7 +30,7 @@ class ResourceUploader < CarrierWave::Uploader::Base
   end
 
   def dynamic_resize_to_fit(size)
-    resize_setting = model.blog.send("image_#{size}_size").to_i
+    resize_setting = model.blog.send(:"image_#{size}_size").to_i
 
     resize_to_fit(resize_setting, resize_setting)
   end

data/app/views/admin/articles/_form.html.erb

@@ -9,7 +9,7 @@
       <span id="preview_link">
         <%= link_to(t('.preview'), { controller: '/articles', action: 'preview', id: @article.id }, { target: 'new', class: 'btn btn-default' }) if @article.id %>
       </span>
-      <input id="save_draft" type="submit" value="<%= t('.save_as_draft') %>" name="article[draft]" class="btn btn-default" />
+      <input id="save_draft" type="submit" value="<%= t('.save_as_draft') %>" name="article[draft]" class="btn btn-default">
       <!-- Button trigger modal -->
       <button class="btn btn-success" data-toggle="modal" type="button" data-target="#publishOptions">
         <%= controller.action_name == 'new' ? t('.publish') : t('.save') %>
@@ -144,7 +144,7 @@
               <%= toggle_element('publish') %>
               </p>
               <div id="publish" class="collapse">
-                <%= text_field 'article', 'published_at' %>
+                <%= datetime_field 'article', 'published_at' %>
                 <p>
                 <span class="btn btn-mini btn-default">
                   <%= toggle_element('publish', t('.ok')) %>

data/app/views/admin/articles/index.html.erb

@@ -8,7 +8,7 @@
 <%= form_tag({ action: 'index' }, { method: :get, name: 'article', remote: true, class: 'form-inline spinnable', "data-update-success": 'articleList' }) do %>
 
   <% if params[:search] and params[:search]['state'] %>
-    <input type="hidden" name="search[state]" value="<%= params[:search]['state'] %>" />
+    <input type="hidden" name="search[state]" value="<%= params[:search]['state'] %>">
   <% end %>
 
   <p>
@@ -20,7 +20,7 @@
   </p>
 
   <div class="panel panel-default">
-    <div class="panel-heading">
+    <div class="panel-heading clearfix">
       <div class="pull-right">
         <div class="form-group">
           <%= select_tag('search[user_id]', options_from_collection_for_select(User.all, 'id', 'name'), prompt: t('.select_an_author'), class: 'form-control') %>
@@ -29,14 +29,13 @@
           <%= select_tag('search[published_at]', options_for_select(Article.publication_months), prompt: t('.publication_date'), class: 'form-control') %>
         </div>
         <div class="form-group">
-          <input id="search" type="text" name="search[searchstring]" class="form-control" />
+          <input id="search" type="text" name="search[searchstring]" class="form-control" autocomplete="off">
         </div>
         <div class="form-group">
           <%= submit_tag(t('.search'), class: 'btn btn-success') %>
-          <span id="spinner" style="display:none;"><%= image_tag('spinner.gif') %></span>
+          <span id="spinner" class="hidden"><%= image_tag('spinner.gif') %></span>
         </div>
       </div>
-      <br style="clear: both" />
     </div>
   </div>
   <table class="table table-hover">