unobtrusive_flash 2.0.0 → 2.1.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    MWU1ZTA0MjUzNzMyYmY4MTkzZGUzMzE3MmEzNmE1NTc2YWEwYTA4NQ==
+    YTFiNGZlYTIwNDBjMDEwZTVmMGM3Mzc4YTExZDEyNTJlZmNlYjNlNw==
   data.tar.gz: !binary |-
-    OTVhNmFkNWI2YTFjYjk3MjY2YjI5YjI2Yjg5MDY1YjQzNzc3YTM2NQ==
-!binary "U0hBNTEy":
+    NGE5MWVkZWVhODFlZGNmYWM1YzRhZWZkNDczYWQ3YWFlY2FkYmEzYw==
+SHA512:
   metadata.gz: !binary |-
-    MDkwODU2YmEzNTJjODJmYTg2MDhhZDllMzUwYmRiYjdiNjNlNTY0MDcyMjdi
-    NDkzYTk4MjVmYjk5N2RhMjEyN2NhYTBkZjg2ODU2NDZhYmMzNTJkNDNhNjkz
-    NzI3NGIxODQwMmI1NTU3MjUzYjRkNGQzOGJkODA3MTNmMTcwY2M=
+    YzExMDQ1YjM2ODA3YjFmOGZlZWM5MWY3MjViYmYzYmRmMjc3Y2NhYjc2NGUw
+    ZTJlOWJlZjdjNzllMTdmOTYxMWI5OWI5YWY5ZGQ3MDRkMmVkNmNkNDg1NTdh
+    NTUwNmM1YTRjNWM5Y2FjNzJiOTg5YjQ2YmYwNDc4Mzk0OGJmNjE=
   data.tar.gz: !binary |-
-    YjIxMGFkMjkzZjMyYjg0ZWQ5NWQ1OWU1YmJkZTk3ZDk3MTVmZTgxZjY1NTI5
-    N2M5ZGVlNTlhYjA5ODY1OGIxM2ZhOTZjYjYwNGJiZjQxOTgwYmE0NWVmNTEx
-    OWUyZjE0MGMwMjE5Yjk2NzM1MDNkMjk3NDcwYmM0Mjg3YzZiMjc=
+    MzU3YTc0NDI5OGI2NjY2MjEzZjI3NmNmODlmYmE4OWRmNTRjNmE5MTY5OTk4
+    Nzc1NDI3OWUwNzk1YjMzNWY0Njg5YmU3OWYyN2VlNDNkM2FlMzhkMWZkYjEz
+    NjY2NWZkOTZlMTFjNzI2NTI1NTRhYWY4MTA3NTQzMmU0OWY0NDk=

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 2013-12-21 2.1.0
+
+* Changed message escaping logic to use the Rails html_safe conventions (Possibly breaking change)
+
 ## 2013-10-09 2.0.0
 
 * Grand refactoring

data/README.markdown

@@ -30,12 +30,15 @@ Tested in:
 
 ## Usage
 
-1. Add the gem to your Rails app.
+1. Add the `unobtrusive_flash` gem to your Gemfile.
+
+        gem 'unobtrusive_flash', '~>2'
+
 2. Add the following to the controllers that generate flash messages (or better, to the `ApplicationController`):
 
         after_filter :prepare_unobtrusive_flash
 
-    Important! **Flash messages are NOT HTML escaped**, so you can use any markup in them. Take additional care to protect yourself from injection attacks if necessary.
+    Flash messages are HTML escaped in the same manner as regular Rails view code: if a message is not `html_safe`, it is escaped, otherwise not. This lets you use helpers such as `link_to` in your messages.
 
 3. Include `require unobtrusive_flash` in your `application.js`.
 

data/lib/unobtrusive_flash/controller_mixin.rb

@@ -1,3 +1,5 @@
+require 'active_support/core_ext/string/output_safety'
+
 module UnobtrusiveFlash
   module ControllerMixin
     protected
@@ -10,10 +12,19 @@ module UnobtrusiveFlash
           cookie_flash=[] unless cookie_flash.is_a? Array
         end
 
-        cookie_flash += flash.to_a
+        cookie_flash += UnobtrusiveFlash::ControllerMixin.sanitize_flash(flash)
         cookies[:flash] = {:value => cookie_flash.to_json, :domain => :all}
         flash.discard
       end
     end
+
+    class << self
+      def sanitize_flash(flash)
+        flash.to_a.map do |key, value|
+          html_safe_value = value.html_safe? ? value : ERB::Util.html_escape(value)
+          [key, html_safe_value]
+        end
+      end
+    end
   end
 end

data/lib/unobtrusive_flash/version.rb

@@ -1,3 +1,3 @@
 module UnobtrusiveFlash
-  VERSION = "2.0.0"
+  VERSION = "2.1.0"
 end

data/spec/sanitize_flash_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+describe UnobtrusiveFlash::ControllerMixin do
+  describe '.sanitize_flash' do
+    it 'should escape messages that are not html safe' do
+      described_class.sanitize_flash({:foo => '<bar>'}).should == [[:foo, '&lt;bar&gt;']]
+    end
+
+    it 'should not escape messages that are html safe' do
+      described_class.sanitize_flash({:foo => '<bar>'.html_safe}).should == [[:foo, '<bar>']]
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,3 @@
+require 'bundler'
+require 'rspec'
+require 'unobtrusive_flash'

data/unobtrusive_flash.gemspec

@@ -25,4 +25,5 @@ EOT
 
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: unobtrusive_flash
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Leonid Shevtsov
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-09 00:00:00.000000000 Z
+date: 2013-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -52,6 +52,20 @@ dependencies:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: ! 'unobtrusive_flash takes your flash messages for the backend and automagically
   passes them to the frontend via HTTP cookies.
 
@@ -72,15 +86,17 @@ files:
 - Gemfile
 - README.markdown
 - Rakefile
+- lib/assets/javascripts/unobtrusive_flash.js
+- lib/assets/javascripts/unobtrusive_flash_bootstrap.js
+- lib/assets/javascripts/unobtrusive_flash_ui.js
+- lib/assets/stylesheets/unobtrusive_flash_ui.css
 - lib/unobtrusive_flash.rb
 - lib/unobtrusive_flash/controller_mixin.rb
 - lib/unobtrusive_flash/engine.rb
 - lib/unobtrusive_flash/version.rb
+- spec/sanitize_flash_spec.rb
+- spec/spec_helper.rb
 - unobtrusive_flash.gemspec
-- vendor/assets/javascripts/unobtrusive_flash.js
-- vendor/assets/javascripts/unobtrusive_flash_bootstrap.js
-- vendor/assets/javascripts/unobtrusive_flash_ui.js
-- vendor/assets/stylesheets/unobtrusive_flash_ui.css
 homepage: https://github.com/leonid-shevtsov/unobtrusive_flash
 licenses: []
 metadata: {}
@@ -100,8 +116,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.5
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: Unobtrusive flash messages for Rails
-test_files: []
+test_files:
+- spec/sanitize_flash_spec.rb
+- spec/spec_helper.rb