spree_storefront 5.4.1 → 5.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76c18fe5cbf2c1619cfda1f9ae3209b1bc6e83eef396cadd669d685cb5e11aff
-  data.tar.gz: fa94ea40e743864d935d550e178a710fa6aad34b264efdfe9faaa3bb85e7cbb1
+  metadata.gz: 86f9eaec23e1403d7ca88d9ad9888265d90b70749aa0fbc38b5cfb80208111b7
+  data.tar.gz: 141654121255c1801335bcc1bc6854aeca3824bae3523f888599f1d94ea58659
 SHA512:
-  metadata.gz: 4916d85ad37a17a36c442c0bb953d5bf4cc80055add3a74fa9c294c8f9b2f057cfc5b41357de110863c074bdbb83723485170486299c06283370fb91228b2247
-  data.tar.gz: e9d6530f6e12c1646558028f2bdec15cca750bec1dcc4385840aa78af00cffdd97cf6c43476c574fef4192a8625a1322bae757be4ec3b547cdea07ed2fccd585
+  metadata.gz: 47f847c1933bdfe5e7a41692146f76c913df33f7cec7fa5f8eb3c4e73eb5d9f07f99c4703fdd57b9d2e0ae563ddde3c91979ffc26a1ac25fedd853d14403cd9b
+  data.tar.gz: 1498db74ea682506648e9a22bf4324f3658a0eabb34614a64470f618ed895e342f7e65daa9773b89f6ae559b608a92332ee4823a69061729b9a76b9ec7364006

data/app/helpers/spree/json_ld_helper.rb

@@ -0,0 +1,12 @@
+module Spree
+  module JsonLdHelper
+    # spree_api globally sets ActiveSupport::JSON::Encoding.escape_html_entities_in_json = false,
+    # so a literal `</script>` in any field would break out of the surrounding script tag.
+    # ERB::Util.json_escape post-processes the encoded JSON to escape `<`, `>`, `&` regardless
+    # of that global flag.
+    def json_ld_script(data, **html_attrs)
+      json = ERB::Util.json_escape(data.to_json)
+      content_tag(:script, json.html_safe, type: 'application/ld+json', **html_attrs)
+    end
+  end
+end

data/app/helpers/spree/products_helper.rb

@@ -225,6 +225,46 @@ module Spree
       json_ld
     end
 
+    def product_json_ld_data(product, selected_variant: nil)
+      first_or_default_variant = product.first_or_default_variant(current_currency)
+      data = {
+        '@context' => 'https://schema.org/',
+        '@type' => 'Product',
+        'name' => product.name,
+        'url' => spree.product_url(product, host: current_store.url_or_custom_domain)
+      }
+      data['image'] = [spree_image_url(product.primary_media, variant: :large)] if product.has_images?
+      data['description'] = strip_tags(product.description) if product.description.present?
+
+      sku_variant = product.has_variants? ? selected_variant : first_or_default_variant
+      data['sku'] = sku_variant.sku if sku_variant&.sku.present?
+
+      if product.brand_taxon
+        data['brand'] = { '@type' => 'Brand', 'name' => product.brand_taxon.name }
+      end
+
+      data['offers'] = if product.has_variants?
+                         product.variants.map { |variant| product_json_ld_variant_offer(product, variant) }
+                       else
+                         [product_json_ld_variant_offer(product, first_or_default_variant)]
+                       end
+      data
+    end
+
+    def product_json_ld_variant_offer(product, variant)
+      Rails.cache.fetch(['json-ld-variant-hash', *spree_base_cache_key, variant.cache_key_with_version]) do
+        offer = {
+          '@type' => 'Offer',
+          'availability' => "http://schema.org/#{variant.available? ? 'InStock' : 'OutOfStock'}",
+          'price' => variant.amount_in(current_currency),
+          'priceCurrency' => current_currency,
+          'url' => spree.product_url(product, variant_id: variant.id, host: current_store.url_or_custom_domain)
+        }
+        offer['sku'] = variant.sku if variant.sku.present?
+        offer
+      end
+    end
+
     def option_type_colors_preview_styles(option_type)
       return unless option_type.color_swatch?
 

data/app/presenters/spree/colors_preview_styles_presenter.rb

@@ -1,5 +1,7 @@
 module Spree
   class ColorsPreviewStylesPresenter
+    UNSAFE_CSS_CHARS = /[<>"'\\;{}\r\n]/
+
     def initialize(colors)
       @colors = colors.compact_blank.map do |color|
         case color
@@ -17,11 +19,11 @@ module Spree
     end
 
     def to_s
-      @to_s ||= if colors.any?
+      @to_s ||= if renderable_colors.any?
                   css = ['<style>']
 
-                  colors.each do |color|
-                    css_color = css_colors_hash[color[:filter_name]] || color[:filter_name].gsub(' ', '')
+                  renderable_colors.each do |color|
+                    css_color = css_colors_hash[color[:filter_name]]
                     color_name = color[:name]
                     css << <<~CSS
                        @supports(background: #{css_color}) {
@@ -48,6 +50,17 @@ module Spree
 
     attr_reader :colors
 
+    # We only emit CSS rules for colors we recognise via Spree::ColorNames AND whose
+    # name contains no characters that could break out of the CSS string/selector
+    # context (admins control these names; #to_s output is rendered with raw()).
+    def renderable_colors
+      @renderable_colors ||= colors.reject do |color|
+        css_colors_hash[color[:filter_name]].nil? ||
+          color[:name].match?(UNSAFE_CSS_CHARS) ||
+          color[:filter_name].match?(UNSAFE_CSS_CHARS)
+      end
+    end
+
     def css_colors_hash
       @css_colors_hash ||= begin
         colors_hash = {}
@@ -61,7 +74,7 @@ module Spree
             colors_hash[color_name] = generate_css_color(hex_colors)
           elsif (subcolors = color_name.split.compact) && subcolors.length > 1
             subcolors = subcolors.map(&method(:find_color)).compact
-            colors_hash[color_name] = generate_css_color(subcolors)
+            colors_hash[color_name] = generate_css_color(subcolors) if subcolors.any?
           end
         end
 

data/app/views/themes/default/spree/page_sections/_newsletter.html.erb

@@ -28,7 +28,7 @@
                   <%= hidden_field_tag :section_id, section.id %>
                   <%= f.email_field :email, placeholder: block.preferred_placeholder, required: true, class: 'focus:border-primary focus:ring-primary pr-36 text-sm bg-accent rounded-input border-accent py-2 px-4 w-full relative z-30 !leading-[46px]' %>
                   <div class="absolute right-2 top-1/2 transform -translate-y-1/2 z-40">
-                    <%= f.submit block.preferred_button_text.html_safe, class: "#{block.preferred_button_style == 'secondary' ? 'btn-secondary' : 'btn-primary'} content-center" %>
+                    <%= f.submit block.preferred_button_text, class: "#{block.preferred_button_style == 'secondary' ? 'btn-secondary' : 'btn-primary'} content-center" %>
                   </div>
                 </div>
               </div>

data/app/views/themes/default/spree/posts/_json_ld.html.erb

@@ -1,20 +1,16 @@
-<script type="application/ld+json" data-test-id="post-json-ld">
-  {
-    "@context": "https://schema.org",
-    "@type": "BlogPosting",
-    "headline": "<%= post.title %>",
-    "image": <%= post.image.attached? ? [spree_image_url(post.image, width: 1200, height: 675)].to_json.html_safe : [].to_json.html_safe %>,
-    "datePublished": "<%= post.published_at&.iso8601 %>",
-    "dateModified": "<%= post.updated_at&.iso8601 %>",
-    "author": [
-      {
-        "@type": "Person",
-        "name": "<%= post.author_name %>"
-      }
-    ]
-  }
-</script>
+<%= json_ld_script({
+  '@context' => 'https://schema.org',
+  '@type' => 'BlogPosting',
+  'headline' => post.title,
+  'image' => post.image.attached? ? [spree_image_url(post.image, width: 1200, height: 675)] : [],
+  'datePublished' => post.published_at&.iso8601,
+  'dateModified' => post.updated_at&.iso8601,
+  'author' => [
+    {
+      '@type' => 'Person',
+      'name' => post.author_name
+    }
+  ]
+}, data: { test_id: 'post-json-ld' }) %>
 
-<script type="application/ld+json" data-test-id="post-breadcrumbs-json-ld">
-  <%= posts_json_ld_breadcrumbs(post).to_json.html_safe %>
-</script>
+<%= json_ld_script(posts_json_ld_breadcrumbs(post), data: { test_id: 'post-breadcrumbs-json-ld' }) %>

data/app/views/themes/default/spree/products/_description.html.erb

@@ -2,7 +2,7 @@
   <% description_text = strip_tags(product.storefront_description) %>
   <div data-controller="read-more" class="flex flex-col gap-4" data-read-more-more-text-value="<%= Spree.t(:read_more) %>" data-read-more-less-text-value="Read less">
     <div class="prose product-description text-sm <%= 'product-description-truncated' if description_text.size > 250 %>" data-read-more-target="content">
-      <%= raw(product.storefront_description) %>
+      <%= sanitize(product.storefront_description) %>
     </div>
     <% if description_text.size > 250 %>
       <%= button_tag Spree.t(:read_more), type: 'button', data: { action: "read-more#toggle" }, class: "font-bold underline text-sm" %>

data/app/views/themes/default/spree/products/_details.html.erb

@@ -3,7 +3,7 @@
     <% description_text = strip_tags(product.storefront_description) %>
     <div data-controller="read-more" class="py-4 flex flex-col gap-4" data-read-more-more-text-value="<%= Spree.t(:read_more) %>" data-read-more-less-text-value="Read less">
       <div class="prose product-description text-sm <%= 'product-description-truncated' if description_text.size > 250 %>" data-read-more-target="content">
-        <%= raw(product.storefront_description) %>
+        <%= sanitize(product.storefront_description) %>
       </div>
       <% if description_text.size > 250 %>
         <%= button_tag Spree.t(:read_more), type: 'button', data: { action: "read-more#toggle" }, class: "font-bold underline text-sm" %>

data/app/views/themes/default/spree/products/_featured_image.html.erb

@@ -14,7 +14,7 @@
          "w-full group-hover:opacity-0 transition-opacity duration-500 z-10 relative h-full bg-background product-card !max-h-full #{object_class}" :
          "w-full h-full !max-h-full #{object_class}" %>
     <%= spree_image_tag(object.primary_media, width: width, height: height, variant: :medium, loading: :lazy, alt: "#{object.name} #{Spree.t('storefront.products.primary_image', default: 'primary image')}", class: image_hover_class) %>
-    <% if object.has_images? && object.image_count > 1 && object.secondary_image.present? && object.secondary_image.attached? %>
+    <% if object.has_images? && object.secondary_image.present? && object.secondary_image.attached? %>
       <% secondary_image_class = "w-full absolute top-0 left-0 opacity-100 h-full !max-h-full #{object_class}" %>
       <%= spree_image_tag(object.secondary_image, width: width, height: height, variant: :medium, loading: :lazy, alt: "#{object.name} #{Spree.t('storefront.products.secondary_image', default: 'secondary image')}", class: secondary_image_class) %>
     <% end %>

data/app/views/themes/default/spree/products/_json_ld.html.erb

@@ -1,40 +1,2 @@
-<script type="application/ld+json" data-test-id="product-json-ld">
-  <% first_or_default_variant = product.first_or_default_variant(current_currency) %>
-  {
-    "@context": "https://schema.org/",
-    "@type": "Product",
-    "name": <%= product.name.to_json.html_safe %>,
-    "url": <%= spree.product_url(product, host: current_store.url_or_custom_domain).to_json.html_safe %>,
-  <% if product.has_images? %>
-    "image": [
-      <%= spree_image_url(product.primary_media, variant: :large).to_json.html_safe %>
-    ],
-  <% end %>
-  <% if product.description.present? %>
-    "description": <%= strip_tags(product.description).to_json.html_safe %>,
-  <% end %>
-  <% if !product.has_variants? %>
-    <% if first_or_default_variant.sku.present? %>"sku": <%= first_or_default_variant.sku.to_json.html_safe %>,<% end %>
-  <% elsif selected_variant %>
-    <% if selected_variant.sku.present? %>"sku": <%= selected_variant.sku.to_json.html_safe %>,<% end %>
-  <% end %>
-  <% if product.brand_taxon %>
-    "brand": {
-      "@type": "Brand",
-      "name": <%= product.brand_taxon.name.to_json.html_safe %>
-    },
-  <% end %>
-"offers": [
-  <% if product.has_variants? %>
-  <%= raw(product.variants.map do |variant|
-  render partial: "spree/products/json_ld_variant", locals: { product: product, variant: variant }
-  end.join(",\n")) %>
-  <% else %>
-  <%= render "spree/products/json_ld_variant", product: product, variant: first_or_default_variant %>
-  <% end %>
-  ]
-  }
-</script>
-<script type="application/ld+json">
-  <%= product_json_ld_breadcrumbs(product).to_json.html_safe %>
-</script>
+<%= json_ld_script(product_json_ld_data(product, selected_variant: selected_variant), data: { test_id: 'product-json-ld' }) %>
+<%= json_ld_script(product_json_ld_breadcrumbs(product)) %>

data/app/views/themes/default/spree/products/_json_ld_list.html.erb

@@ -1,9 +1,7 @@
 <% cache [spree_base_cache_key, products,'json-ld-list'], expires_in: 1.day do %>
-  <script type="application/ld+json" data-test-id="product-list-json-ld">
-    {
-      "@context": "https://schema.org",
-      "@type": "ItemList",
-      "itemListElement": <%= product_list_json_ld_elements(products.to_a.pluck(:slug)).to_json.html_safe %>
-    }
-  </script>
-<% end %>
+  <%= json_ld_script({
+    '@context' => 'https://schema.org',
+    '@type' => 'ItemList',
+    'itemListElement' => product_list_json_ld_elements(products.to_a.pluck(:slug))
+  }, data: { test_id: 'product-list-json-ld' }) %>
+<% end %>

data/app/views/themes/default/spree/shared/_json_ld.html.erb

@@ -1,32 +1,29 @@
 <% cache spree_storefront_base_cache_scope.call(current_store) do %>
-  <script type="application/ld+json">
-    {
-      "@context": "https://schema.org",
-      "@type": "Organization",
-      "url": <%= current_store.formatted_url_or_custom_domain.to_json.html_safe %>,
-      "sameAs": <%= current_store.social_links.to_json.html_safe %>,
-    <% if current_store.logo && current_store.logo&.attached? && current_store.logo&.variable? %>
-      "logo": <%= spree_image_url(current_store.logo, width: 250, height: 250).to_json.html_safe %>,
-    <% end %>
-      "name": <%= current_store.name.to_json.html_safe %>,
-      "email": <%= current_store.customer_support_email.to_json.html_safe %>
-    }
-  </script>
+  <% organization = {
+    '@context' => 'https://schema.org',
+    '@type' => 'Organization',
+    'url' => current_store.formatted_url_or_custom_domain,
+    'sameAs' => current_store.social_links,
+    'name' => current_store.name,
+    'email' => current_store.customer_support_email
+  } %>
+  <% if current_store.logo && current_store.logo&.attached? && current_store.logo&.variable? %>
+    <% organization['logo'] = spree_image_url(current_store.logo, width: 250, height: 250) %>
+  <% end %>
+  <%= json_ld_script(organization) %>
 <% end %>
 
 <% if canonical_path.include?('search') %>
   <% potential_action_target = "#{canonical_href(current_store.url_or_custom_domain)}?q={search_term_string}" %>
-  <script type="application/ld+json">
-    {
-      "@context": "https://schema.org",
-      "@type": "WebSite",
-      "name": <%= current_store.name.to_json.html_safe %>,
-      "potentialAction": {
-        "@type": "SearchAction",
-        "target": <%= potential_action_target.to_json.html_safe %>,
-        "query-input": "required name=search_term_string"
-      },
-      "url": <%= current_store.formatted_url_or_custom_domain.to_json.html_safe %>
-    }
-  </script>
+  <%= json_ld_script({
+    '@context' => 'https://schema.org',
+    '@type' => 'WebSite',
+    'name' => current_store.name,
+    'potentialAction' => {
+      '@type' => 'SearchAction',
+      'target' => potential_action_target,
+      'query-input' => 'required name=search_term_string'
+    },
+    'url' => current_store.formatted_url_or_custom_domain
+  }) %>
 <% end %>

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: spree_storefront
 version: !ruby/object:Gem::Version
-  version: 5.4.1
+  version: 5.4.3
 platform: ruby
 authors:
 - Vendo Connect Inc.
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.4.1
+        version: 5.4.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 5.4.1
+        version: 5.4.3
 - !ruby/object:Gem::Dependency
   name: active_link_to
   requirement: !ruby/object:Gem::Requirement
@@ -247,6 +247,7 @@ files:
 - app/helpers/spree/checkout_helper.rb
 - app/helpers/spree/filters_helper.rb
 - app/helpers/spree/fonts_helper.rb
+- app/helpers/spree/json_ld_helper.rb
 - app/helpers/spree/orders_helper.rb
 - app/helpers/spree/page_helper.rb
 - app/helpers/spree/payment_methods_helper.rb
@@ -471,7 +472,6 @@ files:
 - app/views/themes/default/spree/products/_filters.html.erb
 - app/views/themes/default/spree/products/_json_ld.html.erb
 - app/views/themes/default/spree/products/_json_ld_list.html.erb
-- app/views/themes/default/spree/products/_json_ld_variant.html.erb
 - app/views/themes/default/spree/products/_label.html.erb
 - app/views/themes/default/spree/products/_media_gallery.html.erb
 - app/views/themes/default/spree/products/_metafields.html.erb
@@ -592,9 +592,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/spree/spree-rails-storefront/issues
-  changelog_uri: https://github.com/spree/spree-rails-storefront/releases/tag/v5.4.1
+  changelog_uri: https://github.com/spree/spree-rails-storefront/releases/tag/v5.4.3
   documentation_uri: https://docs.spreecommerce.org/
-  source_code_uri: https://github.com/spree/spree-rails-storefront/tree/v5.4.1
+  source_code_uri: https://github.com/spree/spree-rails-storefront/tree/v5.4.3
 rdoc_options: []
 require_paths:
 - lib

data/app/views/themes/default/spree/products/_json_ld_variant.html.erb

@@ -1,12 +0,0 @@
-<% cache ["json-ld-variant", spree_base_cache_scope, variant.cache_key_with_version] do %>
-{
-  "@type": "Offer",
-  <% if variant.sku.present? %>
-    "sku": <%= variant.sku.to_json.html_safe %>,
-  <% end %>
-  "availability": "http://schema.org/<%= variant.available? ? 'InStock' : 'OutOfStock' %>",
-  "price": <%= variant.amount_in(current_currency).to_json.html_safe %>,
-  "priceCurrency": <%= current_currency.to_json.html_safe %>,
-  "url": <%= spree.product_url(product, variant_id: variant.id, host: current_store.url_or_custom_domain).to_json.html_safe %>
-}
-<% end %>