Merge branch 'sec-fix-master'

2014-11-25 19:25:59 -02:00 · 2014-11-25 19:25:59 -02:00 · abcbd0bef7
parent 106e775150 803389b593
commit abcbd0bef7
8 changed files with 72 additions and 29 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,15 +1,7 @@
-## master (unreleased)
+## 3.1.0

 ### enhancements
  * Update foundation generator to version 5. [@jorge-d](https://github.com/jorge-d)
-
-### bug fix
-  * Fix `full_error` when the attribute is an association. [@mvdamme](https://github.com/jorge-d)
-  * Fix suppport to `:namespace` and `:index` options for nested check boxes and radio buttons when the attribute is an association.
-
-## 3.1.0.rc2
-
-### enhancements
  * Add mapping to `uuid` columns.
  * Add custom namespaces for custom inputs feature. [@vala](https://github.com/vala)
  * Add `:unless_blank` option to the wrapper API. [@IanVaughan](https://github.com/IanVaughan)
@ -39,6 +31,8 @@
  * The default form class can now be overridden with `html: { :class }`. [@rmm5t](https://github.com/rmm5t)

 ### bug fix
+  * Fix `full_error` when the attribute is an association. [@mvdamme](https://github.com/jorge-d)
+  * Fix suppport to `:namespace` and `:index` options for nested check boxes and radio buttons when the attribute is an association.
  * Collection input that uses automatic collection translation properly sets checked values.
  Closes [#971](https://github.com/plataformatec/simple_form/issues/971) [@nashby](https://github.com/nashby)
  * Collection input generates `required` attribute if it has `prompt` option. [@nashby](https://github.com/nashby)
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -43,7 +43,7 @@ GIT
 PATH
  remote: .
  specs:
-    simple_form (3.1.0.rc2)
+    simple_form (3.1.0)
      actionpack (~> 4.0)
      activemodel (~> 4.0)

--- a/lib/simple_form/components/errors.rb
+++ b/lib/simple_form/components/errors.rb
@ -18,13 +18,11 @@ module SimpleForm
      def error_text
        text = has_custom_error? ? options[:error] : errors.send(error_method)

-        "#{html_escape(options[:error_prefix])} #{text}".lstrip.html_safe
+        "#{html_escape(options[:error_prefix])} #{html_escape(text)}".lstrip.html_safe
      end

      def full_error_text
-        text = has_custom_error? ? options[:error] : full_errors.send(error_method)
-
-        text.html_safe
+        has_custom_error? ? options[:error] : full_errors.send(error_method)
      end

      def error_method
--- a/lib/simple_form/version.rb
+++ b/lib/simple_form/version.rb
@ -1,3 +1,3 @@
 module SimpleForm
-  VERSION = "3.1.0.rc2".freeze
+  VERSION = "3.1.0".freeze
 end
--- a/test/form_builder/error_test.rb
+++ b/test/form_builder/error_test.rb
@ -32,7 +32,7 @@ class ErrorTest < ActionView::TestCase

  test 'error generates messages for attribute with single error' do
    with_error_for @user, :name
-    assert_select 'span.error', "can't be blank"
+    assert_select 'span.error', "cannot be blank"
  end

  test 'error generates messages for attribute with one error when using first' do
@ -85,9 +85,19 @@ class ErrorTest < ActionView::TestCase
    assert_no_select 'span.error b'
  end

+  test 'error escapes error text' do
+    @user.errors.add(:action, 'must not contain <b>markup</b>')
+
+    with_error_for @user, :action
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
+
  test 'error generates an error message with raw HTML tags' do
    with_error_for @user, :name, error_prefix: '<b>Name</b>'.html_safe
-    assert_select 'span.error', "Name can't be blank"
+    assert_select 'span.error', "Name cannot be blank"
    assert_select 'span.error b', "Name"
  end

@ -95,7 +105,7 @@ class ErrorTest < ActionView::TestCase

  test 'full error generates a full error tag for the attribute' do
    with_full_error_for @user, :name
-    assert_select 'span.error', "Super User Name! can't be blank"
+    assert_select 'span.error', "Super User Name! cannot be blank"
  end

  test 'full error generates a full error tag with a clean HTML' do
@ -105,22 +115,31 @@ class ErrorTest < ActionView::TestCase

  test 'full error allows passing options to full error tag' do
    with_full_error_for @user, :name, id: 'name_error', error_prefix: "Your name"
-    assert_select 'span.error#name_error', "Your name can't be blank"
+    assert_select 'span.error#name_error', "Your name cannot be blank"
  end

  test 'full error does not modify the options hash' do
    options = { id: 'name_error' }
    with_full_error_for @user, :name, options
-    assert_select 'span.error#name_error', "Super User Name! can't be blank"
+    assert_select 'span.error#name_error', "Super User Name! cannot be blank"
    assert_equal({ id: 'name_error' }, options)
  end

+  test 'full error escapes error text' do
+    @user.errors.add(:action, 'must not contain <b>markup</b>')
+
+    with_full_error_for @user, :action
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
  # CUSTOM WRAPPERS

  test 'error with custom wrappers works' do
    swap_wrapper do
      with_error_for @user, :name
-      assert_select 'span.omg_error', "can't be blank"
+      assert_select 'span.omg_error', "cannot be blank"
    end
  end

@ -158,7 +177,7 @@ class ErrorTest < ActionView::TestCase
  # CUSTOM ERRORS

  test 'input with custom error works' do
-    error_text = "Super User Name! can't be blank"
+    error_text = "Super User Name! cannot be blank"
    with_form_for @user, :name, error: error_text

    assert_select 'span.error', error_text
@ -167,24 +186,56 @@ class ErrorTest < ActionView::TestCase
  test 'input with error option as true does not use custom error' do
    with_form_for @user, :name, error: true

-    assert_select 'span.error', "can't be blank"
+    assert_select 'span.error', "cannot be blank"
  end

  test 'input with custom error does not generate the error if there is no error on the attribute' do
-    with_form_for @user, :active, error: "Super User Active! can't be blank"
+    with_form_for @user, :active, error: "Super User Active! cannot be blank"

    assert_no_select 'span.error'
  end

  test 'input with custom error works when using full_error component' do
    swap_wrapper :default, self.custom_wrapper_with_full_error do
-      error_text = "Super User Name! can't be blank"
+      error_text = "Super User Name! cannot be blank"
      with_form_for @user, :name, error: error_text

      assert_select 'span.error', error_text
    end
  end

+  test 'input with custom error escapes the error text' do
+    with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
+
+    assert_select 'span.error'
+    assert_no_select 'span.error b', 'markup'
+  end
+
+  test 'input with custom error does not escape the error text if it is safe' do
+    with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
+
+    assert_select 'span.error'
+    assert_select 'span.error b', 'markup'
+  end
+
+  test 'input with custom error escapes the error text using full_error component' do
+    swap_wrapper :default, self.custom_wrapper_with_full_error do
+      with_form_for @user, :name, error: 'error must not contain <b>markup</b>'
+
+      assert_select 'span.error'
+      assert_no_select 'span.error b', 'markup'
+    end
+  end
+
+  test 'input with custom error does not escape the error text if it is safe using full_error component' do
+    swap_wrapper :default, self.custom_wrapper_with_full_error do
+      with_form_for @user, :name, error: 'error must contain <b>markup</b>'.html_safe
+
+      assert_select 'span.error'
+      assert_select 'span.error b', 'markup'
+    end
+  end
+
  test 'input with custom error when using full_error component does not generate the error if there is no error on the attribute' do
    swap_wrapper :default, self.custom_wrapper_with_full_error do
      with_form_for @user, :active, error: "Super User Active! can't be blank"
--- a/test/form_builder/general_test.rb
+++ b/test/form_builder/general_test.rb
@ -327,7 +327,7 @@ class FormBuilderTest < ActionView::TestCase

  test 'builder generates errors for attribute with errors' do
    with_form_for @user, :name
-    assert_select 'span.error', "can't be blank"
+    assert_select 'span.error', "cannot be blank"
  end

  test 'builder is able to disable showing errors for an input' do
@ -337,7 +337,7 @@ class FormBuilderTest < ActionView::TestCase

  test 'builder passes options to errors' do
    with_form_for @user, :name, error_html: { id: "cool" }
-    assert_select 'span.error#cool', "can't be blank"
+    assert_select 'span.error#cool', "cannot be blank"
  end

  test 'placeholder does not be generated when set to false' do
--- a/test/form_builder/wrapper_test.rb
+++ b/test/form_builder/wrapper_test.rb
@ -139,7 +139,7 @@ class WrapperTest < ActionView::TestCase
  test 'custom wrappers can have full error message on attributes' do
    swap_wrapper :default, self.custom_wrapper_with_full_error do
      with_form_for @user, :name
-      assert_select 'span.error', "Name can't be blank"
+      assert_select 'span.error', "Name cannot be blank"
    end
  end

--- a/test/support/models.rb
+++ b/test/support/models.rb
@ -175,7 +175,7 @@ class User
  def errors
    @errors ||= begin
      errors = ActiveModel::Errors.new(self)
-      errors.add(:name, "can't be blank")
+      errors.add(:name, "cannot be blank")
      errors.add(:description, 'must be longer than 15 characters')
      errors.add(:age, 'is not a number')
      errors.add(:age, 'must be greater than 18')