Make sure label text is escaped if it is not safe
Signed-off-by: Rafael Mendonça França <rafaelmfranca@gmail.com>
parent
028e762f00
commit
c0cb09215f
|
@ -2,6 +2,7 @@ module SimpleForm
|
|||
module Components
|
||||
module Labels
|
||||
extend ActiveSupport::Concern
|
||||
include ERB::Util
|
||||
|
||||
module ClassMethods #:nodoc:
|
||||
def translate_required_html
|
||||
|
@ -30,7 +31,7 @@ module SimpleForm
|
|||
end
|
||||
|
||||
def label_text
|
||||
SimpleForm.label_text.call(raw_label_text, required_label_text).strip.html_safe
|
||||
SimpleForm.label_text.call(html_escape(raw_label_text), required_label_text).strip.html_safe
|
||||
end
|
||||
|
||||
def label_target
|
||||
|
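Review bot: On the new `label_text` line only `raw_label_text` is escaped; `required_label_text` is passed through unescaped and the whole result of the configurable `SimpleForm.label_text` proc is then marked `html_safe`, so the required mark (from `translate_required_html`, whose body lies outside the first hunk) and that proc are both trusted to produce safe markup. That looks intended, since the mark is HTML, but it deserves a comment above the method: `# Only the label text is escaped; the required mark and the output of the SimpleForm.label_text proc are trusted markup because the result is marked html_safe.` Note also that `html_escape` appears to leave a string that is already `html_safe?` untouched (the commit's "should not escape label text if it is safe" test depends on this), so a caller marking a label `html_safe` opts out of escaping entirely. A smaller style point: `include ERB::Util` adds `h`, `u`, `j` and friends as instance methods on everything that mixes in `Labels`; calling `ERB::Util.html_escape(raw_label_text)` directly would avoid widening that surface.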
|
|
@ -29,6 +29,16 @@ class LabelTest < ActionView::TestCase
|
|||
assert_select 'label.string.required[for=validating_user_name]', /Name/
|
||||
end
|
||||
|
||||
test 'builder should escape label text' do
|
||||
with_label_for @user, :name, label: '<script>alert(1337)</script>', required: false
|
||||
assert_select 'label.string', "<script>alert(1337)</script>"
|
||||
end
|
||||
|
||||
test 'builder should not escape label text if it is safe' do
|
||||
with_label_for @user, :name, label: '<script>alert(1337)</script>'.html_safe, required: false
|
||||
assert_select 'label.string script', "alert(1337)"
|
||||
end
|
||||
|
||||
test 'builder should allow passing options to label tag' do
|
||||
with_label_for @user, :name, label: 'My label', id: 'name_label'
|
||||
assert_select 'label.string#name_label', /My label/
|
||||
|
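Review bot: Neither new test exercises the `required: true` path, which is the one where the escaped label is combined with the required mark before the result is marked `html_safe`, so a regression that escaped the mark or dropped the escaping when a mark is present would go unnoticed. A case such as `with_label_for @user, :name, label: '<b>x</b>', required: true` that asserts the literal `<b>x</b>` text is present while the required mark still renders as an element rather than as text would pin both halves. The escape test would also read more clearly with an explicit `assert_select 'label.string script', false` alongside the text comparison, stating directly that no script element was created.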
|