simple_form 3.0.2 → 3.0.3



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: b0b1424f33f30519ecda1b748031fdbd3a3a5ac8
4
- data.tar.gz: aebd1dbf4c0537ed49040cd5641a892f116b2bc8
3
+ metadata.gz: 152972033f17ccec7bdd5545b5b22cecb7c6a3a9
4
+ data.tar.gz: b678a95634ea7b3738d4c1974bd7247042f5480e
5
5
  SHA512:
6
- metadata.gz: 94c159b4f89974808ddd180935003b32f9023beb9e32878a5c0fdfbd82ef88f3d14f4efc5d748a13f8ce05b3490f05c7ce36002cd9b343486929b214281f811b
7
- data.tar.gz: f003707ac3883c392678b6423cb7912668e18b37473a2c4425cfd2a3e9f4f94e0173152f5bc00aa5aade4dad17b4975960b171e49e157c68a1c4a649307aa8f0
6
+ metadata.gz: fe032128b5adddd88304b1217343d8eacc708c3ba09ea780c4bfd95402ec1ca139bdfee16b416bb4f65815a86586f9387376852e36aa82310ce7ef0d3cc3ed02
7
+ data.tar.gz: 118b632667f29674415488c07c3c881fd5f89746cf3d66764cc6e8ae597b9a04e67f2a89cf592d856abae6d2e0b213429942c7bd9f193e92840a4ea7cd11faf7
@@ -1,3 +1,8 @@
1
+ ## 3.0.3
2
+
3
+ ### bug fix
4
+ * Fix XSS vulnerability on error components.
5
+
1
6
  ## 3.0.2
2
7
 
3
8
  ### enhancements
@@ -12,7 +12,9 @@ module SimpleForm
12
12
  protected
13
13
 
14
14
  def error_text
15
- "#{html_escape(options[:error_prefix])} #{errors.send(error_method)}".lstrip.html_safe
15
+ text = has_error_in_options? ? options[:error] : errors.send(error_method)
16
+
17
+ "#{html_escape(options[:error_prefix])} #{html_escape(text)}".lstrip.html_safe
16
18
  end
17
19
 
18
20
  def error_method
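Review bot: The trailing `.html_safe` on the interpolated string in `error_text` is only sound because both interpolated pieces go through `html_escape`, and nothing records that invariant, so a later edit that interpolates a third unescaped piece would silently reintroduce the issue this release fixes. A comment above the interpolation would pin it: `# Every interpolated piece is escaped before html_safe; an html_safe value passes html_escape unchanged, which is the only opt-out.` The `text` assignment also means a caller's `error:` option replaces the model's messages outright rather than combining with them, which the changelog entry does not say; worth a sentence in the option's documentation if that is intended. `has_error_in_options?` and `error_method` are defined outside this hunk.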
@@ -30,6 +32,10 @@ module SimpleForm
30
32
  def errors_on_association
31
33
  reflection ? object.errors[reflection.name] : []
32
34
  end
35
+
36
+ def has_error_in_options?
37
+ options[:error] && !options[:error].nil?
38
+ end
33
39
  end
34
40
  end
35
41
  end
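Review bot: In `has_error_in_options?` the second operand `!options[:error].nil?` can never be false once `options[:error]` is truthy, so it is dead code; `!!options[:error]` expresses the same predicate (false for nil and for `error: false`) in a single term. The `has_` prefix is also non-idiomatic for a Ruby predicate — `error_in_options?` reads better, though renaming means touching the call site in `error_text`. The enclosing class starts outside this hunk.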
@@ -45,7 +45,7 @@ module SimpleForm
45
45
  end
46
46
 
47
47
  # Always enabled.
48
- enable :hint
48
+ enable :hint, :error
49
49
 
50
50
  # Usually disabled, needs to be enabled explicitly passing true as option.
51
51
  disable :maxlength, :placeholder, :pattern, :min_max
@@ -1,3 +1,3 @@
1
1
  module SimpleForm
2
- VERSION = "3.0.2".freeze
2
+ VERSION = "3.0.3".freeze
3
3
  end
@@ -14,6 +14,10 @@ class ErrorTest < ActionView::TestCase
14
14
  end
15
15
  end
16
16
 
17
+ def with_custom_error_for(object, *args)
18
+ with_form_for(object, *args)
19
+ end
20
+
17
21
  test 'error should not generate content for attribute without errors' do
18
22
  with_error_for @user, :active
19
23
  assert_no_select 'span.error'
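Review bot: `with_custom_error_for` only forwards its arguments to `with_form_for`, and it is used by a single test later in this file (`input with custom error works`) while the neighbouring custom-error tests call `with_form_for` directly; either use the helper in all of them or drop it. If it stays, a one-line comment such as `# Renders an input with a caller-supplied error: option, mirroring with_error_for` would stop a reader looking for a difference that is not there.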
@@ -32,7 +36,7 @@ class ErrorTest < ActionView::TestCase
32
36
 
33
37
  test 'error should generate messages for attribute with single error' do
34
38
  with_error_for @user, :name
35
- assert_select 'span.error', "can't be blank"
39
+ assert_select 'span.error', "can&#39;t be blank"
36
40
  end
37
41
 
38
42
  test 'error should generate messages for attribute with one error when using first' do
@@ -82,12 +86,21 @@ class ErrorTest < ActionView::TestCase
82
86
 
83
87
  test 'error should escape error prefix text' do
84
88
  with_error_for @user, :name, error_prefix: '<b>Name</b>'
85
- assert_select 'span.error', "&lt;b&gt;Name&lt;/b&gt; can't be blank"
89
+ assert_select 'span.error', "&lt;b&gt;Name&lt;/b&gt; can&#39;t be blank"
90
+ end
91
+
92
+ test 'error escapes error text' do
93
+ @user.errors.merge!(action: ['must not contain <b>markup</b>'])
94
+
95
+ with_error_for @user, :action
96
+
97
+ assert_select 'span.error'
98
+ assert_no_select 'span.error b', 'markup'
86
99
  end
87
100
 
88
101
  test 'error should generate an error message with raw HTML tags' do
89
102
  with_error_for @user, :name, error_prefix: '<b>Name</b>'.html_safe
90
- assert_select 'span.error', "Name can't be blank"
103
+ assert_select 'span.error', "Name can&#39;t be blank"
91
104
  assert_select 'span.error b', "Name"
92
105
  end
93
106
 
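Review bot: The new test `error escapes error text` asserts only that no `b` element exists under `span.error`, which would also pass if the message were dropped or the tags stripped; nothing shows that the markup is actually rendered as text. Add a positive expectation on the span's content next to the negative one — given that the other expectations in this file now compare against entity-encoded text (`can&#39;t`), presumably `assert_select 'span.error', 'must not contain &lt;b&gt;markup&lt;/b&gt;'`, though the exact encoding depends on how this harness compares text. The same applies to `input with custom error escapes the error text` in the later hunk of this file.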
@@ -95,7 +108,7 @@ class ErrorTest < ActionView::TestCase
95
108
 
96
109
  test 'full error should generate an full error tag for the attribute' do
97
110
  with_full_error_for @user, :name
98
- assert_select 'span.error', "Super User Name! can't be blank"
111
+ assert_select 'span.error', "Super User Name! can&#39;t be blank"
99
112
  end
100
113
 
101
114
  test 'full error should generate an full error tag with a clean HTML' do
@@ -105,13 +118,13 @@ class ErrorTest < ActionView::TestCase
105
118
 
106
119
  test 'full error should allow passing options to full error tag' do
107
120
  with_full_error_for @user, :name, id: 'name_error', error_prefix: "Your name"
108
- assert_select 'span.error#name_error', "Your name can't be blank"
121
+ assert_select 'span.error#name_error', "Your name can&#39;t be blank"
109
122
  end
110
123
 
111
124
  test 'full error should not modify the options hash' do
112
125
  options = { id: 'name_error' }
113
126
  with_full_error_for @user, :name, options
114
- assert_select 'span.error#name_error', "Super User Name! can't be blank"
127
+ assert_select 'span.error#name_error', "Super User Name! can&#39;t be blank"
115
128
  assert_equal({ id: 'name_error' }, options)
116
129
  end
117
130
 
@@ -120,7 +133,36 @@ class ErrorTest < ActionView::TestCase
120
133
  test 'error with custom wrappers works' do
121
134
  swap_wrapper do
122
135
  with_error_for @user, :name
123
- assert_select 'span.omg_error', "can't be blank"
136
+ assert_select 'span.omg_error', "can&#39;t be blank"
124
137
  end
125
138
  end
139
+
140
+ # CUSTOM ERRORS
141
+
142
+ test 'input with custom error works' do
143
+ with_custom_error_for(@user, :name, error: "Super User Name! can't be blank")
144
+
145
+ assert_select 'span.error', "Super User Name! can&#39;t be blank"
146
+ end
147
+
148
+ test 'input with custom error does not generate the error if there is no error on the attribute' do
149
+ error_text = "Super User Active! can't be blank"
150
+ with_form_for @user, :active, error: error_text
151
+
152
+ assert_no_select 'span.error'
153
+ end
154
+
155
+ test 'input with custom error escapes the error text' do
156
+ with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
157
+
158
+ assert_select 'span.error'
159
+ assert_no_select 'span.error b', 'markup'
160
+ end
161
+
162
+ test 'input with custom error does not escape the error text if it is safe' do
163
+ with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
164
+
165
+ assert_select 'span.error'
166
+ assert_select 'span.error b', 'markup'
167
+ end
126
168
  end
@@ -302,7 +302,7 @@ class FormBuilderTest < ActionView::TestCase
302
302
 
303
303
  test 'builder should generate errors for attribute with errors' do
304
304
  with_form_for @user, :name
305
- assert_select 'span.error', "can't be blank"
305
+ assert_select 'span.error', "can&#39;t be blank"
306
306
  end
307
307
 
308
308
  test 'builder should be able to disable showing errors for a input' do
@@ -312,7 +312,7 @@ class FormBuilderTest < ActionView::TestCase
312
312
 
313
313
  test 'builder should pass options to errors' do
314
314
  with_form_for @user, :name, error_html: { id: "cool" }
315
- assert_select 'span.error#cool', "can't be blank"
315
+ assert_select 'span.error#cool', "can&#39;t be blank"
316
316
  end
317
317
 
318
318
  test 'placeholder should not be generated when set to false' do
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: simple_form
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.0.2
4
+ version: 3.0.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - José Valim
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2014-04-09 00:00:00.000000000 Z
13
+ date: 2014-11-25 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: activemodel