RubyGems - solidus_frontend - Versions diffs - 1.1.2 → 1.1.3 - Mend

solidus_frontend 1.1.2 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of solidus_frontend might be problematic. Click here for more details.

Files changed (5) hide show

checksums.yaml +4 -4
data/app/assets/javascripts/spree/frontend/checkout/address.js.coffee +3 -0
data/app/views/spree/address/_form.html.erb +15 -15
data/spec/features/checkout_spec.rb +37 -0
metadata +7 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b552cdbe9b2972fe263c3f0b38b1af9692af6789
-  data.tar.gz: e9e2ea8bd309a4414d131ad9ebbd29b09a1d1e92
+  metadata.gz: 34b397ccff6674c985a10c902763205736142b68
+  data.tar.gz: 92c84ff71a8d92b971d5a6eb6acac0fa5f215b85
 SHA512:
-  metadata.gz: 76e832df51747f479b671ea13dce638582271a43d372f0a5560aee07ee621aeb0ab3f9144fe9cf6fea6740534d9a13788f8753f908c39f06c5308af782ad48e2
-  data.tar.gz: ece18a6f30e8189eea7f931ef5d05718b188d7e7fb80e66cc364fb8c3236c6beb8706febf64dcdab0a3b6a6f2bba74bdcc036f7e7756f3f43662a5bf43b13062
+  metadata.gz: 2dbac571f495276e846a49122816b81890f4de1a5040a8d8695e3458e4df0c8f00aa4b7b60e72dd59bee4a8ac53cd953f8a94f6045d7cce619c8994439376ad3
+  data.tar.gz: 664e2909ea113f18a748eec216ac86b7a1fffacdeb9557f60c1f026a751ac994b9c8ae9b287ed5a820c45e234c8b43a49ab8d0dbc22d8e7b57af622a0e27ab43

data/app/assets/javascripts/spree/frontend/checkout/address.js.coffee CHANGED Viewed

@@ -1,5 +1,8 @@
 $ ->
   if $('#checkout_form_address').is('*')
+    # Hidden by default to support browsers with javascript disabled
+    $('.js-address-fields').show()
     $('#checkout_form_address').validate()
     getCountryId = (region) ->

data/app/views/spree/address/_form.html.erb CHANGED Viewed

@@ -38,24 +38,24 @@
       <% have_states = !address.country.states.empty? %>
       <%= form.label :state, Spree.t(:state) %><span class='required' id=<%="#{address_id}state-required"%>>*</span><br/>
-      <% state_elements = [
-         form.collection_select(:state_id, address.country.states,
-                            :id, :name,
-                            {:include_blank => true},
-                            {:class => have_states ? 'required' : 'hidden',
-                            :disabled => !have_states}) +
-         form.text_field(:state_name,
-                            :class => !have_states ? 'required' : 'hidden',
-                            :disabled => have_states)
-         ].join.gsub('"', "'").gsub("\n", "")
-      %>
-      <%= javascript_tag do -%>
-        $('#<%="#{address_id}state" %>').append("<%== state_elements %>");
-      <% end %>
-    </p>
+      <span class="js-address-fields" style="display: none;">
+        <%= form.collection_select(
+          :state_id, address.country.states, :id, :name,
+          {include_blank: true},
+          {
+            class: have_states ? 'required' : 'hidden',
+            disabled: !have_states
+          }) %>
+        <%= form.text_field(
+          :state_name,
+          class: !have_states ? 'required' : 'hidden',
+          disabled: have_states) %>
+      </span>
       <noscript>
         <%= form.text_field :state_name, :class => 'required' %>
       </noscript>
+    </p>
   <% end %>
   <p class="field" id=<%="#{address_id}zipcode" %>>

data/spec/features/checkout_spec.rb CHANGED Viewed

@@ -457,6 +457,43 @@ describe "Checkout", type: :feature, inaccessible: true do
     end
   end
+  context "with attempted XSS", js: true do
+    shared_examples "safe from XSS" do
+      # We need a country with states required but no states so that we have
+      # access to the state_name input
+      let!(:canada) { create(:country, name: 'Canada', iso: "CA", states_required: true) }
+      before do
+        canada.states.destroy_all
+        zone.members.create!(zoneable: canada)
+      end
+      it "displays the entered state name without evaluating" do
+        add_mug_to_cart
+        visit spree.checkout_state_path(:address)
+        fill_in_address
+        state_name_css = "order_bill_address_attributes_state_name"
+        select "Canada", from: "order_bill_address_attributes_country_id"
+        fill_in state_name_css, with: xss_string
+        fill_in "Zip", with: "H0H0H0"
+        click_on 'Save and Continue'
+        visit spree.checkout_state_path(:address)
+        expect(page).to have_field(state_name_css, with: xss_string)
+      end
+    end
+    let(:xss_string) { %(<script>throw("XSS")</script>) }
+    include_examples "safe from XSS"
+    context "escaped XSS string" do
+      let(:xss_string) { '\x27\x3e\x3cscript\x3ethrow(\x27XSS\x27)\x3c/script\x3e' }
+      include_examples "safe from XSS"
+    end
+  end
   def fill_in_address
     address = "order_bill_address_attributes"
     fill_in "#{address}_firstname", with: "Ryan"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_frontend
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.1.3
 platform: ruby
 authors:
 - Solidus Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-01-22 00:00:00.000000000 Z
+date: 2016-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_api
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
 - !ruby/object:Gem::Dependency
   name: solidus_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
 - !ruby/object:Gem::Dependency
   name: canonical-rails
   requirement: !ruby/object:Gem::Requirement
@@ -560,3 +560,4 @@ signing_key:
 specification_version: 4
 summary: Cart and storefront for the Solidus e-commerce project.
 test_files: []
+has_rdoc: