solidus_frontend 1.2.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4ae49895abb6cc6d9c3b3cd6425d18a566259693
-  data.tar.gz: 81390b269cb6fe10933e69970f6e2ba40fc78398
+  metadata.gz: bf1db423979f0c9685b61f7b4a46325531b2593e
+  data.tar.gz: 87c7ea5b90201cb27118fc233650ff8f39a85378
 SHA512:
-  metadata.gz: 20fba2fd3216c1bb77b85ab5e984f6bba650b16684a046af88c4f476e9b28d5acdc216f2c270d6b267a83f53a3e5ab90aa80c17e3e4da5b2d3fac543ddc185a5
-  data.tar.gz: ad69fb55bfa2f10b6f427904ab1d6be6ef94ca1820efb2b83eaee3fe0a9de86e4becdcc0014fd70cf311f31ab2db109aec6252f21ff7b517e67cccb5cc821167
+  metadata.gz: 3ba45cb920ff00edab1abb6d59dc5ba30533cdd598d0c70632f386b632477aa71a37f2aea3500f68e7fdbad1561ada2ce89da8451c3f7f852f817c7fd7404113
+  data.tar.gz: 2aae6ce33af5d61b60ab9f904ab85b99fc46692fd5b95e395ccd8dd6db447def49ca5e7f91d18b26d35735be23af77a4737a3b23b90eb5374e6f45c9597a4102

data/app/assets/javascripts/spree/frontend/checkout/address.js.coffee

@@ -1,5 +1,8 @@
 $ ->
   if $('#checkout_form_address').is('*')
+    # Hidden by default to support browsers with javascript disabled
+    $('.js-address-fields').show()
+
     $('#checkout_form_address').validate()
 
     getCountryId = (region) ->

data/app/views/spree/address/_form.html.erb

@@ -38,24 +38,24 @@
       <% have_states = !address.country.states.empty? %>
       <%= form.label :state, Spree.t(:state) %><span class='required' id=<%="#{address_id}state-required"%>>*</span><br/>
 
-      <% state_elements = [
-         form.collection_select(:state_id, address.country.states,
-                            :id, :name,
-                            {:include_blank => true},
-                            {:class => have_states ? 'required' : 'hidden',
-                            :disabled => !have_states}) +
-         form.text_field(:state_name,
-                            :class => !have_states ? 'required' : 'hidden',
-                            :disabled => have_states)
-         ].join.gsub('"', "'").gsub("\n", "")
-      %>
-      <%= javascript_tag do -%>
-        $('#<%="#{address_id}state" %>').append("<%== state_elements %>");
-      <% end %>
-    </p>
+      <span class="js-address-fields" style="display: none;">
+        <%= form.collection_select(
+          :state_id, address.country.states, :id, :name,
+          {include_blank: true},
+          {
+            class: have_states ? 'required' : 'hidden',
+            disabled: !have_states
+          }) %>
+        <%= form.text_field(
+          :state_name,
+          class: !have_states ? 'required' : 'hidden',
+          disabled: have_states) %>
+      </span>
+
       <noscript>
         <%= form.text_field :state_name, :class => 'required' %>
       </noscript>
+    </p>
   <% end %>
 
   <p class="field" id=<%="#{address_id}zipcode" %>>

data/spec/features/checkout_spec.rb

@@ -457,6 +457,43 @@ describe "Checkout", type: :feature, inaccessible: true do
     end
   end
 
+  context "with attempted XSS", js: true do
+    shared_examples "safe from XSS" do
+      # We need a country with states required but no states so that we have
+      # access to the state_name input
+      let!(:canada) { create(:country, name: 'Canada', iso: "CA", states_required: true) }
+      before do
+        canada.states.destroy_all
+        zone.members.create!(zoneable: canada)
+      end
+
+      it "displays the entered state name without evaluating" do
+        add_mug_to_cart
+        visit spree.checkout_state_path(:address)
+        fill_in_address
+
+        state_name_css = "order_bill_address_attributes_state_name"
+
+        select "Canada", from: "order_bill_address_attributes_country_id"
+        fill_in state_name_css, with: xss_string
+        fill_in "Zip", with: "H0H0H0"
+
+        click_on 'Save and Continue'
+        visit spree.checkout_state_path(:address)
+
+        expect(page).to have_field(state_name_css, with: xss_string)
+      end
+    end
+
+    let(:xss_string) { %(<script>throw("XSS")</script>) }
+    include_examples "safe from XSS"
+
+    context "escaped XSS string" do
+      let(:xss_string) { '\x27\x3e\x3cscript\x3ethrow(\x27XSS\x27)\x3c/script\x3e' }
+      include_examples "safe from XSS"
+    end
+  end
+
   def fill_in_address
     address = "order_bill_address_attributes"
     fill_in "#{address}_firstname", with: "Ryan"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_frontend
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.2.1
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-26 00:00:00.000000000 Z
+date: 2016-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_api
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
 - !ruby/object:Gem::Dependency
   name: solidus_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.2.0
+        version: 1.2.1
 - !ruby/object:Gem::Dependency
   name: canonical-rails
   requirement: !ruby/object:Gem::Requirement