simple_form 2.1.1 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 27282450639f5fb5ad27d5c59f274aab91a4be7a
-  data.tar.gz: 1ded8f66c7a18f3ea2679ab4da49f9851e8293c1
+  metadata.gz: c4f641b8e74ebf64e3fb7fe4ebe925c64713eb13
+  data.tar.gz: e74db71fa1d985a906d520673cf82504470c16dd
 SHA512:
-  metadata.gz: 4354640ba60801f7150c215638d03fe65f446c94ec30f93aafafe23a991a64b3789cc39a5f61b86708acd3cbd4fdedd078e29bf35c62e58ac930f436c5320ba6
-  data.tar.gz: 3b8dd8220e0b56ec8a6893ac0c20a60dd4950f98b4297fc197de2c28c76f2cbd9adae3dc7f0c854b7dfe9542a514b6f333257869bbf99e5fcd53fa5f7c35cdc1
+  metadata.gz: bc974c636d805808f4b5fd47e9eec4c656ae53b680113f03eea075dac24a7607c773e1243ceff8201bced0fc849c752def0130efefe5b9d7a24c6e85fc4e176a
+  data.tar.gz: f7a7f67d9ce616e8f7697558ca957cf2701641c0a149eb06b0dab2b60ba17833f432f7bdeeaf29312ff7606acf70971dea86b8ec4f19198ff6420aa7421d646e

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 2.1.2
+
+### bug fix
+  * Fix XSS vulnerability on error components.
+
 ## 2.1.1
 
 ### bug fix

data/lib/simple_form/components/errors.rb

@@ -12,7 +12,9 @@ module SimpleForm
       protected
 
       def error_text
-        "#{html_escape(options[:error_prefix])} #{errors.send(error_method)}".lstrip.html_safe
+        text = has_error_in_options? ? options[:error] : errors.send(error_method)
+
+        "#{html_escape(options[:error_prefix])} #{html_escape(text)}".lstrip.html_safe
       end
 
       def error_method
@@ -30,6 +32,10 @@ module SimpleForm
       def errors_on_association
         reflection ? object.errors[reflection.name] : []
       end
+
+      def has_error_in_options?
+        options[:error] && !options[:error].nil?
+      end
     end
   end
 end

data/lib/simple_form/inputs/base.rb

@@ -45,7 +45,7 @@ module SimpleForm
       end
 
       # Always enabled.
-      enable :hint
+      enable :hint, :error
 
       # Usually disabled, needs to be enabled explicitly passing true as option.
       disable :maxlength, :placeholder, :pattern, :min_max

data/lib/simple_form/version.rb

@@ -1,3 +1,3 @@
 module SimpleForm
-  VERSION = "2.1.1".freeze
+  VERSION = "2.1.2".freeze
 end

data/test/form_builder/error_test.rb

@@ -14,6 +14,10 @@ class ErrorTest < ActionView::TestCase
     end
   end
 
+  def with_custom_error_for(object, *args)
+    with_form_for(object, *args)
+  end
+
   test 'error should not generate content for attribute without errors' do
     with_error_for @user, :active
     assert_no_select 'span.error'
@@ -32,7 +36,7 @@ class ErrorTest < ActionView::TestCase
 
   test 'error should generate messages for attribute with single error' do
     with_error_for @user, :name
-    assert_select 'span.error', "can't be blank"
+    assert_select 'span.error', "can&#x27;t be blank"
   end
 
   test 'error should generate messages for attribute with one error when using first' do
@@ -82,12 +86,21 @@ class ErrorTest < ActionView::TestCase
 
   test 'error should escape error prefix text' do
     with_error_for @user, :name, :error_prefix => '<b>Name</b>'
-    assert_select 'span.error', "&lt;b&gt;Name&lt;/b&gt; can't be blank"
+    assert_select 'span.error', "&lt;b&gt;Name&lt;/b&gt; can&#x27;t be blank"
+  end
+
+  test 'error escapes error text' do
+    @user.errors.merge!(:action => ['must not contain <b>markup</b>'])
+
+    with_error_for @user, :action
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
   end
 
   test 'error should generate an error message with raw HTML tags' do
     with_error_for @user, :name, :error_prefix => '<b>Name</b>'.html_safe
-    assert_select 'span.error', "Name can't be blank"
+    assert_select 'span.error', "Name can&#x27;t be blank"
     assert_select 'span.error b', "Name"
   end
 
@@ -95,7 +108,7 @@ class ErrorTest < ActionView::TestCase
 
   test 'full error should generate an full error tag for the attribute' do
     with_full_error_for @user, :name
-    assert_select 'span.error', "Super User Name! can't be blank"
+    assert_select 'span.error', "Super User Name! can&#x27;t be blank"
   end
 
   test 'full error should generate an full error tag with a clean HTML' do
@@ -105,13 +118,13 @@ class ErrorTest < ActionView::TestCase
 
   test 'full error should allow passing options to full error tag' do
     with_full_error_for @user, :name, :id => 'name_error', :error_prefix => "Your name"
-    assert_select 'span.error#name_error', "Your name can't be blank"
+    assert_select 'span.error#name_error', "Your name can&#x27;t be blank"
   end
 
   test 'full error should not modify the options hash' do
     options = { :id => 'name_error' }
     with_full_error_for @user, :name, options
-    assert_select 'span.error#name_error', "Super User Name! can't be blank"
+    assert_select 'span.error#name_error', "Super User Name! can&#x27;t be blank"
     assert_equal({ :id => 'name_error' }, options)
   end
 
@@ -120,7 +133,36 @@ class ErrorTest < ActionView::TestCase
   test 'error with custom wrappers works' do
     swap_wrapper do
       with_error_for @user, :name
-      assert_select 'span.omg_error', "can't be blank"
+      assert_select 'span.omg_error', "can&#x27;t be blank"
     end
   end
+
+  # CUSTOM ERRORS
+
+  test 'input with custom error works' do
+    with_custom_error_for(@user, :name, :error => "Super User Name! can't be blank")
+
+    assert_select 'span.error', "Super User Name! can&#x27;t be blank"
+  end
+
+  test 'input with custom error does not generate the error if there is no error on the attribute' do
+    error_text = "Super User Active! can't be blank"
+    with_form_for @user, :active, :error => error_text
+
+    assert_no_select 'span.error'
+  end
+
+  test 'input with custom error escapes the error text' do
+    with_form_for @user, :name, :error => 'error must not contain <b>markup</b>'
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
+  test 'input with custom error does not escape the error text if it is safe' do
+    with_form_for @user, :name, :error => 'error must contain <b>markup</b>'.html_safe
+
+    assert_select 'span.error'
+    assert_select 'span.error b', 'markup'
+  end
 end

data/test/form_builder/general_test.rb

@@ -283,7 +283,7 @@ class FormBuilderTest < ActionView::TestCase
 
   test 'builder should generate errors for attribute with errors' do
     with_form_for @user, :name
-    assert_select 'span.error', "can't be blank"
+    assert_select 'span.error', "can&#x27;t be blank"
   end
 
   test 'builder should be able to disable showing errors for a input' do
@@ -293,7 +293,7 @@ class FormBuilderTest < ActionView::TestCase
 
   test 'builder should pass options to errors' do
     with_form_for @user, :name, :error_html => { :id => "cool" }
-    assert_select 'span.error#cool', "can't be blank"
+    assert_select 'span.error#cool', "can&#x27;t be blank"
   end
 
   test 'placeholder should not be generated when set to false' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simple_form
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.1.2
 platform: ruby
 authors:
 - José Valim
@@ -10,34 +10,34 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-29 00:00:00.000000000 Z
+date: 2014-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
   name: actionpack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
 description: Forms made easy!
@@ -49,7 +49,9 @@ files:
 - CHANGELOG.md
 - MIT-LICENSE
 - README.md
+- lib/generators/simple_form/USAGE
 - lib/generators/simple_form/install_generator.rb
+- lib/generators/simple_form/templates/README
 - lib/generators/simple_form/templates/_form.html.erb
 - lib/generators/simple_form/templates/_form.html.haml
 - lib/generators/simple_form/templates/_form.html.slim
@@ -57,10 +59,10 @@ files:
 - lib/generators/simple_form/templates/config/initializers/simple_form_bootstrap.rb
 - lib/generators/simple_form/templates/config/initializers/simple_form_foundation.rb
 - lib/generators/simple_form/templates/config/locales/simple_form.en.yml
-- lib/generators/simple_form/templates/README
-- lib/generators/simple_form/USAGE
+- lib/simple_form.rb
 - lib/simple_form/action_view_extensions/builder.rb
 - lib/simple_form/action_view_extensions/form_helper.rb
+- lib/simple_form/components.rb
 - lib/simple_form/components/errors.rb
 - lib/simple_form/components/hints.rb
 - lib/simple_form/components/html5.rb
@@ -71,17 +73,17 @@ files:
 - lib/simple_form/components/pattern.rb
 - lib/simple_form/components/placeholders.rb
 - lib/simple_form/components/readonly.rb
-- lib/simple_form/components.rb
 - lib/simple_form/core_ext/hash.rb
 - lib/simple_form/error_notification.rb
 - lib/simple_form/form_builder.rb
+- lib/simple_form/helpers.rb
 - lib/simple_form/helpers/autofocus.rb
 - lib/simple_form/helpers/disabled.rb
 - lib/simple_form/helpers/readonly.rb
 - lib/simple_form/helpers/required.rb
 - lib/simple_form/helpers/validators.rb
-- lib/simple_form/helpers.rb
 - lib/simple_form/i18n_cache.rb
+- lib/simple_form/inputs.rb
 - lib/simple_form/inputs/base.rb
 - lib/simple_form/inputs/block_input.rb
 - lib/simple_form/inputs/boolean_input.rb
@@ -99,15 +101,13 @@ files:
 - lib/simple_form/inputs/range_input.rb
 - lib/simple_form/inputs/string_input.rb
 - lib/simple_form/inputs/text_input.rb
-- lib/simple_form/inputs.rb
 - lib/simple_form/map_type.rb
 - lib/simple_form/version.rb
+- lib/simple_form/wrappers.rb
 - lib/simple_form/wrappers/builder.rb
 - lib/simple_form/wrappers/many.rb
 - lib/simple_form/wrappers/root.rb
 - lib/simple_form/wrappers/single.rb
-- lib/simple_form/wrappers.rb
-- lib/simple_form.rb
 - test/action_view_extensions/builder_test.rb
 - test/action_view_extensions/form_helper_test.rb
 - test/components/label_test.rb
@@ -153,17 +153,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: simple_form
-rubygems_version: 2.1.11
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Forms made easy!