solidus_frontend 1.2.0 → 1.2.1



checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 4ae49895abb6cc6d9c3b3cd6425d18a566259693
4
- data.tar.gz: 81390b269cb6fe10933e69970f6e2ba40fc78398
3
+ metadata.gz: bf1db423979f0c9685b61f7b4a46325531b2593e
4
+ data.tar.gz: 87c7ea5b90201cb27118fc233650ff8f39a85378
5
5
  SHA512:
6
- metadata.gz: 20fba2fd3216c1bb77b85ab5e984f6bba650b16684a046af88c4f476e9b28d5acdc216f2c270d6b267a83f53a3e5ab90aa80c17e3e4da5b2d3fac543ddc185a5
7
- data.tar.gz: ad69fb55bfa2f10b6f427904ab1d6be6ef94ca1820efb2b83eaee3fe0a9de86e4becdcc0014fd70cf311f31ab2db109aec6252f21ff7b517e67cccb5cc821167
6
+ metadata.gz: 3ba45cb920ff00edab1abb6d59dc5ba30533cdd598d0c70632f386b632477aa71a37f2aea3500f68e7fdbad1561ada2ce89da8451c3f7f852f817c7fd7404113
7
+ data.tar.gz: 2aae6ce33af5d61b60ab9f904ab85b99fc46692fd5b95e395ccd8dd6db447def49ca5e7f91d18b26d35735be23af77a4737a3b23b90eb5374e6f45c9597a4102
@@ -1,5 +1,8 @@
1
1
  $ ->
2
2
  if $('#checkout_form_address').is('*')
3
+ # Hidden by default to support browsers with javascript disabled
4
+ $('.js-address-fields').show()
5
+
3
6
  $('#checkout_form_address').validate()
4
7
 
5
8
  getCountryId = (region) ->
@@ -38,24 +38,24 @@
38
38
  <% have_states = !address.country.states.empty? %>
39
39
  <%= form.label :state, Spree.t(:state) %><span class='required' id=<%="#{address_id}state-required"%>>*</span><br/>
40
40
 
41
- <% state_elements = [
42
- form.collection_select(:state_id, address.country.states,
43
- :id, :name,
44
- {:include_blank => true},
45
- {:class => have_states ? 'required' : 'hidden',
46
- :disabled => !have_states}) +
47
- form.text_field(:state_name,
48
- :class => !have_states ? 'required' : 'hidden',
49
- :disabled => have_states)
50
- ].join.gsub('"', "'").gsub("\n", "")
51
- %>
52
- <%= javascript_tag do -%>
53
- $('#<%="#{address_id}state" %>').append("<%== state_elements %>");
54
- <% end %>
55
- </p>
41
+ <span class="js-address-fields" style="display: none;">
42
+ <%= form.collection_select(
43
+ :state_id, address.country.states, :id, :name,
44
+ {include_blank: true},
45
+ {
46
+ class: have_states ? 'required' : 'hidden',
47
+ disabled: !have_states
48
+ }) %>
49
+ <%= form.text_field(
50
+ :state_name,
51
+ class: !have_states ? 'required' : 'hidden',
52
+ disabled: have_states) %>
53
+ </span>
54
+
56
55
  <noscript>
57
56
  <%= form.text_field :state_name, :class => 'required' %>
58
57
  </noscript>
58
+ </p>
59
59
  <% end %>
60
60
 
61
61
  <p class="field" id=<%="#{address_id}zipcode" %>>
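Review bot: With JavaScript disabled, the hidden span's `state_name` text field (rendered enabled whenever `have_states` is false) and the `<noscript>` `state_name` field are both submitted, so the POST carries two `state_name` parameters and the page has two inputs sharing one DOM id; which value survives depends on Rack's last-wins parsing, and the visually hidden `state_id` select likewise posts a blank value when the country does have states. Consider rendering the span's inputs `disabled` and letting the checkout JS enable them next to the `.show()` call, or dropping the `<noscript>` duplicate. The escaping fix itself looks right: the removed path spliced `<%==` output into a `javascript_tag` with a `.gsub('"', "'")` workaround, whereas the new markup lets the form helpers HTML-escape `state_name`; I would add `<%# state fields must stay in plain ERB form helpers: no raw/html_safe/<%== here (see the checkout XSS spec) %>` above the span so the escaping is not regressed later. `style="display: none;"` is an inline style attribute, which a Content-Security-Policy lacking `style-src 'unsafe-inline'` would ignore; a CSS class would be more robust. The `_address_form` partial this hunk belongs to starts before the hunk.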
@@ -457,6 +457,43 @@ describe "Checkout", type: :feature, inaccessible: true do
457
457
  end
458
458
  end
459
459
 
460
+ context "with attempted XSS", js: true do
461
+ shared_examples "safe from XSS" do
462
+ # We need a country with states required but no states so that we have
463
+ # access to the state_name input
464
+ let!(:canada) { create(:country, name: 'Canada', iso: "CA", states_required: true) }
465
+ before do
466
+ canada.states.destroy_all
467
+ zone.members.create!(zoneable: canada)
468
+ end
469
+
470
+ it "displays the entered state name without evaluating" do
471
+ add_mug_to_cart
472
+ visit spree.checkout_state_path(:address)
473
+ fill_in_address
474
+
475
+ state_name_css = "order_bill_address_attributes_state_name"
476
+
477
+ select "Canada", from: "order_bill_address_attributes_country_id"
478
+ fill_in state_name_css, with: xss_string
479
+ fill_in "Zip", with: "H0H0H0"
480
+
481
+ click_on 'Save and Continue'
482
+ visit spree.checkout_state_path(:address)
483
+
484
+ expect(page).to have_field(state_name_css, with: xss_string)
485
+ end
486
+ end
487
+
488
+ let(:xss_string) { %(<script>throw("XSS")</script>) }
489
+ include_examples "safe from XSS"
490
+
491
+ context "escaped XSS string" do
492
+ let(:xss_string) { '\x27\x3e\x3cscript\x3ethrow(\x27XSS\x27)\x3c/script\x3e' }
493
+ include_examples "safe from XSS"
494
+ end
495
+ end
496
+
460
497
  def fill_in_address
461
498
  address = "order_bill_address_attributes"
462
499
  fill_in "#{address}_firstname", with: "Ryan"
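Review bot: The payload on the `escaped XSS string` line is a single-quoted Ruby literal, so `\x27` and `\x3e` reach the browser as literal backslash text rather than as `'` and `>`; the spec therefore never sends a quote-breakout payload, which is exactly what the removed `.gsub('"', "'")` workaround was papering over. Add a case containing both quote characters, e.g. `let(:xss_string) { %('"><script>throw("XSS")</script>) }`, so attribute escaping is pinned as well as element escaping. Both examples only exercise the billing address; the shipping address appears to be rendered by the same partial, so one run against the `order_ship_address_attributes_state_name` field (if the checkout exposes it) would cover that path too. `throw("XSS")` only catches execution if the JS driver raises on uncaught errors, so `have_field(state_name_css, with: xss_string)` is the assertion that actually matters here. The enclosing `describe "Checkout"` block and `fill_in_address` continue outside the hunk.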
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: solidus_frontend
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 1.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Solidus Team
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2016-01-26 00:00:00.000000000 Z
11
+ date: 2016-02-23 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: solidus_api
@@ -16,28 +16,28 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 1.2.0
19
+ version: 1.2.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 1.2.0
26
+ version: 1.2.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: solidus_core
29
29
  requirement: !ruby/object:Gem::Requirement
30
30
  requirements:
31
31
  - - '='
32
32
  - !ruby/object:Gem::Version
33
- version: 1.2.0
33
+ version: 1.2.1
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - '='
39
39
  - !ruby/object:Gem::Version
40
- version: 1.2.0
40
+ version: 1.2.1
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: canonical-rails
43
43
  requirement: !ruby/object:Gem::Requirement