simple_form 3.0.2 → 3.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b0b1424f33f30519ecda1b748031fdbd3a3a5ac8
-  data.tar.gz: aebd1dbf4c0537ed49040cd5641a892f116b2bc8
+  metadata.gz: 152972033f17ccec7bdd5545b5b22cecb7c6a3a9
+  data.tar.gz: b678a95634ea7b3738d4c1974bd7247042f5480e
 SHA512:
-  metadata.gz: 94c159b4f89974808ddd180935003b32f9023beb9e32878a5c0fdfbd82ef88f3d14f4efc5d748a13f8ce05b3490f05c7ce36002cd9b343486929b214281f811b
-  data.tar.gz: f003707ac3883c392678b6423cb7912668e18b37473a2c4425cfd2a3e9f4f94e0173152f5bc00aa5aade4dad17b4975960b171e49e157c68a1c4a649307aa8f0
+  metadata.gz: fe032128b5adddd88304b1217343d8eacc708c3ba09ea780c4bfd95402ec1ca139bdfee16b416bb4f65815a86586f9387376852e36aa82310ce7ef0d3cc3ed02
+  data.tar.gz: 118b632667f29674415488c07c3c881fd5f89746cf3d66764cc6e8ae597b9a04e67f2a89cf592d856abae6d2e0b213429942c7bd9f193e92840a4ea7cd11faf7

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 3.0.3
+
+### bug fix
+  * Fix XSS vulnerability on error components.
+
 ## 3.0.2
 
 ### enhancements

data/lib/simple_form/components/errors.rb

@@ -12,7 +12,9 @@ module SimpleForm
       protected
 
       def error_text
-        "#{html_escape(options[:error_prefix])} #{errors.send(error_method)}".lstrip.html_safe
+        text = has_error_in_options? ? options[:error] : errors.send(error_method)
+
+        "#{html_escape(options[:error_prefix])} #{html_escape(text)}".lstrip.html_safe
       end
 
       def error_method
@@ -30,6 +32,10 @@ module SimpleForm
       def errors_on_association
         reflection ? object.errors[reflection.name] : []
       end
+
+      def has_error_in_options?
+        options[:error] && !options[:error].nil?
+      end
     end
   end
 end

data/lib/simple_form/inputs/base.rb

@@ -45,7 +45,7 @@ module SimpleForm
       end
 
       # Always enabled.
-      enable :hint
+      enable :hint, :error
 
       # Usually disabled, needs to be enabled explicitly passing true as option.
       disable :maxlength, :placeholder, :pattern, :min_max

data/lib/simple_form/version.rb

@@ -1,3 +1,3 @@
 module SimpleForm
-  VERSION = "3.0.2".freeze
+  VERSION = "3.0.3".freeze
 end

data/test/form_builder/error_test.rb

@@ -14,6 +14,10 @@ class ErrorTest < ActionView::TestCase
     end
   end
 
+  def with_custom_error_for(object, *args)
+    with_form_for(object, *args)
+  end
+
   test 'error should not generate content for attribute without errors' do
     with_error_for @user, :active
     assert_no_select 'span.error'
@@ -32,7 +36,7 @@ class ErrorTest < ActionView::TestCase
 
   test 'error should generate messages for attribute with single error' do
     with_error_for @user, :name
-    assert_select 'span.error', "can't be blank"
+    assert_select 'span.error', "can&#39;t be blank"
   end
 
   test 'error should generate messages for attribute with one error when using first' do
@@ -82,12 +86,21 @@ class ErrorTest < ActionView::TestCase
 
   test 'error should escape error prefix text' do
     with_error_for @user, :name, error_prefix: '<b>Name</b>'
-    assert_select 'span.error', "&lt;b&gt;Name&lt;/b&gt; can't be blank"
+    assert_select 'span.error', "&lt;b&gt;Name&lt;/b&gt; can&#39;t be blank"
+  end
+
+  test 'error escapes error text' do
+    @user.errors.merge!(action: ['must not contain <b>markup</b>'])
+
+    with_error_for @user, :action
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
   end
 
   test 'error should generate an error message with raw HTML tags' do
     with_error_for @user, :name, error_prefix: '<b>Name</b>'.html_safe
-    assert_select 'span.error', "Name can't be blank"
+    assert_select 'span.error', "Name can&#39;t be blank"
     assert_select 'span.error b', "Name"
   end
 
@@ -95,7 +108,7 @@ class ErrorTest < ActionView::TestCase
 
   test 'full error should generate an full error tag for the attribute' do
     with_full_error_for @user, :name
-    assert_select 'span.error', "Super User Name! can't be blank"
+    assert_select 'span.error', "Super User Name! can&#39;t be blank"
   end
 
   test 'full error should generate an full error tag with a clean HTML' do
@@ -105,13 +118,13 @@ class ErrorTest < ActionView::TestCase
 
   test 'full error should allow passing options to full error tag' do
     with_full_error_for @user, :name, id: 'name_error', error_prefix: "Your name"
-    assert_select 'span.error#name_error', "Your name can't be blank"
+    assert_select 'span.error#name_error', "Your name can&#39;t be blank"
   end
 
   test 'full error should not modify the options hash' do
     options = { id: 'name_error' }
     with_full_error_for @user, :name, options
-    assert_select 'span.error#name_error', "Super User Name! can't be blank"
+    assert_select 'span.error#name_error', "Super User Name! can&#39;t be blank"
     assert_equal({ id: 'name_error' }, options)
   end
 
@@ -120,7 +133,36 @@ class ErrorTest < ActionView::TestCase
   test 'error with custom wrappers works' do
     swap_wrapper do
       with_error_for @user, :name
-      assert_select 'span.omg_error', "can't be blank"
+      assert_select 'span.omg_error', "can&#39;t be blank"
     end
   end
+
+  # CUSTOM ERRORS
+
+  test 'input with custom error works' do
+    with_custom_error_for(@user, :name, error: "Super User Name! can't be blank")
+
+    assert_select 'span.error', "Super User Name! can&#39;t be blank"
+  end
+
+  test 'input with custom error does not generate the error if there is no error on the attribute' do
+    error_text = "Super User Active! can't be blank"
+    with_form_for @user, :active, error: error_text
+
+    assert_no_select 'span.error'
+  end
+
+  test 'input with custom error escapes the error text' do
+    with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
+  test 'input with custom error does not escape the error text if it is safe' do
+    with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
+
+    assert_select 'span.error'
+    assert_select 'span.error b', 'markup'
+  end
 end

data/test/form_builder/general_test.rb

@@ -302,7 +302,7 @@ class FormBuilderTest < ActionView::TestCase
 
   test 'builder should generate errors for attribute with errors' do
     with_form_for @user, :name
-    assert_select 'span.error', "can't be blank"
+    assert_select 'span.error', "can&#39;t be blank"
   end
 
   test 'builder should be able to disable showing errors for a input' do
@@ -312,7 +312,7 @@ class FormBuilderTest < ActionView::TestCase
 
   test 'builder should pass options to errors' do
     with_form_for @user, :name, error_html: { id: "cool" }
-    assert_select 'span.error#cool', "can't be blank"
+    assert_select 'span.error#cool', "can&#39;t be blank"
   end
 
   test 'placeholder should not be generated when set to false' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: simple_form
 version: !ruby/object:Gem::Version
-  version: 3.0.2
+  version: 3.0.3
 platform: ruby
 authors:
 - José Valim
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-09 00:00:00.000000000 Z
+date: 2014-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel