Always escape error messages
Before, if your error message contained HTML tags, they were marked as safe. Some error messages may contain user input, so this would lead to an XSS vulnerability. Error messages are now always escaped. If users need to mark them as safe, they will need to use the explicit `:error` option: f.input :name, error: raw('My <b>error</b>')
This commit is contained in:
parent
106e775150
commit
7d0ba39309
|
@ -18,13 +18,11 @@ module SimpleForm
|
|||
def error_text
|
||||
text = has_custom_error? ? options[:error] : errors.send(error_method)
|
||||
|
||||
"#{html_escape(options[:error_prefix])} #{text}".lstrip.html_safe
|
||||
"#{html_escape(options[:error_prefix])} #{html_escape(text)}".lstrip.html_safe
|
||||
end
|
||||
|
||||
def full_error_text
|
||||
text = has_custom_error? ? options[:error] : full_errors.send(error_method)
|
||||
|
||||
text.html_safe
|
||||
has_custom_error? ? options[:error] : full_errors.send(error_method)
|
||||
end
|
||||
|
||||
def error_method
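Review bot: After this change `error_text` returns an html_safe SafeBuffer while `full_error_text` returns a plain String (or a SafeBuffer only when the caller supplied an html_safe `:error`), so the two helpers now have different escaping contracts and the full-error path is only protected if every consumer renders it through an escaping sink such as `content_tag` or ERB output — a caller that wraps the result in `html_safe`/`raw` would reintroduce the bug the commit fixes. Neither method documents this, and the pass-through that makes `error: raw(...)` work is a property of Rails' `html_escape` (it leaves strings that are already `html_safe?` untouched), which is not obvious from the one-line body of `error_text`. I would add above `full_error_text`: `# Returns a plain String (a SafeBuffer only when :error was given as html_safe);` / `# escaping happens at render time, so callers must never html_safe/raw this value.` and above the interpolation in `error_text`: `# html_escape leaves html_safe? strings alone, so an explicit raw(...) :error is rendered as-is.` The enclosing module and the body of `error_method` continue outside the hunk.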
|
||||
|
|
|
@ -85,6 +85,16 @@ class ErrorTest < ActionView::TestCase
|
|||
assert_no_select 'span.error b'
|
||||
end
|
||||
|
||||
test 'error escapes error text' do
|
||||
@user.errors.add(:action, 'must not contain <b>markup</b>')
|
||||
|
||||
with_error_for @user, :action
|
||||
|
||||
assert_select 'span.error'
|
||||
assert_no_select 'span.error b', 'markup'
|
||||
end
|
||||
|
||||
|
||||
test 'error generates an error message with raw HTML tags' do
|
||||
with_error_for @user, :name, error_prefix: '<b>Name</b>'.html_safe
|
||||
assert_select 'span.error', "Name can't be blank"
|
||||
|
@ -115,6 +125,15 @@ class ErrorTest < ActionView::TestCase
|
|||
assert_equal({ id: 'name_error' }, options)
|
||||
end
|
||||
|
||||
test 'full error escapes error text' do
|
||||
@user.errors.add(:action, 'must not contain <b>markup</b>')
|
||||
|
||||
with_full_error_for @user, :action
|
||||
|
||||
assert_select 'span.error'
|
||||
assert_no_select 'span.error b', 'markup'
|
||||
end
|
||||
|
||||
# CUSTOM WRAPPERS
|
||||
|
||||
test 'error with custom wrappers works' do
|
||||
|
@ -185,6 +204,38 @@ class ErrorTest < ActionView::TestCase
|
|||
end
|
||||
end
|
||||
|
||||
test 'input with custom error escapes the error text' do
|
||||
with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
|
||||
|
||||
assert_select 'span.error'
|
||||
assert_no_select 'span.error b', 'markup'
|
||||
end
|
||||
|
||||
test 'input with custom error does not escape the error text if it is safe' do
|
||||
with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
|
||||
|
||||
assert_select 'span.error'
|
||||
assert_select 'span.error b', 'markup'
|
||||
end
|
||||
|
||||
test 'input with custom error escapes the error text using full_error component' do
|
||||
swap_wrapper :default, self.custom_wrapper_with_full_error do
|
||||
with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
|
||||
|
||||
assert_select 'span.error'
|
||||
assert_no_select 'span.error b', 'markup'
|
||||
end
|
||||
end
|
||||
|
||||
test 'input with custom error does not escape the error text if it is safe using full_error component' do
|
||||
swap_wrapper :default, self.custom_wrapper_with_full_error do
|
||||
with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
|
||||
|
||||
assert_select 'span.error'
|
||||
assert_select 'span.error b', 'markup'
|
||||
end
|
||||
end
|
||||
|
||||
test 'input with custom error when using full_error component does not generate the error if there is no error on the attribute' do
|
||||
swap_wrapper :default, self.custom_wrapper_with_full_error do
|
||||
with_form_for @user, :active, error: "Super User Active! can't be blank"
|
||||
|
|