solidus_frontend 1.1.2 → 1.1.3



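--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b552cdbe9b2972fe263c3f0b38b1af9692af6789
-  data.tar.gz: e9e2ea8bd309a4414d131ad9ebbd29b09a1d1e92
+  metadata.gz: 34b397ccff6674c985a10c902763205736142b68
+  data.tar.gz: 92c84ff71a8d92b971d5a6eb6acac0fa5f215b85
 SHA512:
-  metadata.gz: 76e832df51747f479b671ea13dce638582271a43d372f0a5560aee07ee621aeb0ab3f9144fe9cf6fea6740534d9a13788f8753f908c39f06c5308af782ad48e2
-  data.tar.gz: ece18a6f30e8189eea7f931ef5d05718b188d7e7fb80e66cc364fb8c3236c6beb8706febf64dcdab0a3b6a6f2bba74bdcc036f7e7756f3f43662a5bf43b13062
+  metadata.gz: 2dbac571f495276e846a49122816b81890f4de1a5040a8d8695e3458e4df0c8f00aa4b7b60e72dd59bee4a8ac53cd953f8a94f6045d7cce619c8994439376ad3
+  data.tar.gz: 664e2909ea113f18a748eec216ac86b7a1fffacdeb9557f60c1f026a751ac994b9c8ae9b287ed5a820c45e234c8b43a49ab8d0dbc22d8e7b57af622a0e27ab43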
@@ -1,5 +1,8 @@
1
1
  $ ->
2
2
  if $('#checkout_form_address').is('*')
3
+ # Hidden by default to support browsers with javascript disabled
4
+ $('.js-address-fields').show()
5
+
3
6
  $('#checkout_form_address').validate()
4
7
 
5
8
  getCountryId = (region) ->
@@ -38,24 +38,24 @@
38
38
  <% have_states = !address.country.states.empty? %>
39
39
  <%= form.label :state, Spree.t(:state) %><span class='required' id=<%="#{address_id}state-required"%>>*</span><br/>
40
40
 
41
- <% state_elements = [
42
- form.collection_select(:state_id, address.country.states,
43
- :id, :name,
44
- {:include_blank => true},
45
- {:class => have_states ? 'required' : 'hidden',
46
- :disabled => !have_states}) +
47
- form.text_field(:state_name,
48
- :class => !have_states ? 'required' : 'hidden',
49
- :disabled => have_states)
50
- ].join.gsub('"', "'").gsub("\n", "")
51
- %>
52
- <%= javascript_tag do -%>
53
- $('#<%="#{address_id}state" %>').append("<%== state_elements %>");
54
- <% end %>
55
- </p>
41
+ <span class="js-address-fields" style="display: none;">
42
+ <%= form.collection_select(
43
+ :state_id, address.country.states, :id, :name,
44
+ {include_blank: true},
45
+ {
46
+ class: have_states ? 'required' : 'hidden',
47
+ disabled: !have_states
48
+ }) %>
49
+ <%= form.text_field(
50
+ :state_name,
51
+ class: !have_states ? 'required' : 'hidden',
52
+ disabled: have_states) %>
53
+ </span>
54
+
56
55
  <noscript>
57
56
  <%= form.text_field :state_name, :class => 'required' %>
58
57
  </noscript>
58
+ </p>
59
59
  <% end %>
60
60
 
61
61
  <p class="field" id=<%="#{address_id}zipcode" %>>
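Review bot: The new `<span class="js-address-fields" style="display: none;">` wrapper (line 41) hides the JS-driven state fields with an inline `style` attribute, while the select and text field directly inside it use the `hidden` class for the same purpose; under a Content-Security-Policy that forbids inline styles the span would not be hidden for non-JS visitors and both it and the `<noscript>` field would render. Assuming `hidden` is the stylesheet's display:none utility, keeping one mechanism is simpler: `<span class="js-address-fields hidden">` here and `$('.js-address-fields').removeClass('hidden')` in the checkout script in place of `.show()`. Note also that the `<noscript>` `state_name` field (line 56) carries the same `name` as the text field inside the span, so with JavaScript disabled and a country without states two `state_name` values are submitted and the typed one presumably wins only because it comes later in the DOM; a comment recording that ordering dependency, or disabling the in-span fields for non-JS clients, would make it less fragile. The block closed by `<% end %>` at line 59 opens above the hunk.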
@@ -457,6 +457,43 @@ describe "Checkout", type: :feature, inaccessible: true do
457
457
  end
458
458
  end
459
459
 
460
+ context "with attempted XSS", js: true do
461
+ shared_examples "safe from XSS" do
462
+ # We need a country with states required but no states so that we have
463
+ # access to the state_name input
464
+ let!(:canada) { create(:country, name: 'Canada', iso: "CA", states_required: true) }
465
+ before do
466
+ canada.states.destroy_all
467
+ zone.members.create!(zoneable: canada)
468
+ end
469
+
470
+ it "displays the entered state name without evaluating" do
471
+ add_mug_to_cart
472
+ visit spree.checkout_state_path(:address)
473
+ fill_in_address
474
+
475
+ state_name_css = "order_bill_address_attributes_state_name"
476
+
477
+ select "Canada", from: "order_bill_address_attributes_country_id"
478
+ fill_in state_name_css, with: xss_string
479
+ fill_in "Zip", with: "H0H0H0"
480
+
481
+ click_on 'Save and Continue'
482
+ visit spree.checkout_state_path(:address)
483
+
484
+ expect(page).to have_field(state_name_css, with: xss_string)
485
+ end
486
+ end
487
+
488
+ let(:xss_string) { %(<script>throw("XSS")</script>) }
489
+ include_examples "safe from XSS"
490
+
491
+ context "escaped XSS string" do
492
+ let(:xss_string) { '\x27\x3e\x3cscript\x3ethrow(\x27XSS\x27)\x3c/script\x3e' }
493
+ include_examples "safe from XSS"
494
+ end
495
+ end
496
+
460
497
  def fill_in_address
461
498
  address = "order_bill_address_attributes"
462
499
  fill_in "#{address}_firstname", with: "Ryan"
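Review bot: The second `xss_string` (line 492) is deliberately single-quoted so that `\x27`, `\x3e` and friends reach the server as literal backslash sequences — exactly what a JavaScript string literal would decode into quotes and angle brackets, the vector the replaced `javascript_tag` rendering was exposed to — but nothing in the spec says so, and a future cleanup to double quotes would silently collapse it into the first case. A comment on that `let` would preserve the intent: `# Single-quoted on purpose: the raw \xNN sequences only become quotes/tags if the value is ever interpolated into a JS string literal.` Also, `have_field(…, with: xss_string)` checks the rendered value attribute rather than that no script ran; whether an executed `throw("XSS")` would fail the example depends on the JS driver's error handling, which is not visible here, so the `with:` assertion is doing the real work and is worth keeping as is. `zone` and `fill_in_address` are defined outside the hunk.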
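--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_frontend
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.1.3
 platform: ruby
 authors:
 - Solidus Team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-01-22 00:00:00.000000000 Z
+date: 2016-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_api
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
 - !ruby/object:Gem::Dependency
   name: solidus_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.2
+        version: 1.1.3
 - !ruby/object:Gem::Dependency
   name: canonical-rails
   requirement: !ruby/object:Gem::Requirement
@@ -560,3 +560,4 @@ signing_key:
 specification_version: 4
 summary: Cart and storefront for the Solidus e-commerce project.
 test_files: []
+has_rdoc: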