Commit 0834f87c authored by Joenio Costa's avatar Joenio Costa

not escape HTML from newsletter moderation tasks

parent e73ac0c3
Pipeline #3251495 passed with stage
in 158 minutes and 16 seconds
require 'test_helper'
class NewsletterPluginSafeStringsTest < ActionDispatch::IntegrationTest
should 'not escape HTML from newsletter pending task' do
environment = Environment.default
environment.enable_plugin('newsletter')
person = create_user('john', :environment_id => environment.id, :password => 'test', :password_confirmation => 'test').person
person.user.activate
environment.add_admin(person)
blog = fast_create(Blog, :profile_id => person.id)
post = fast_create(TextileArticle, :name => 'First post', :profile_id => person.id, :parent_id => blog.id, :body => 'Test')
newsletter = NewsletterPlugin::Newsletter.create!(:environment => environment, :person => person, :enabled => true)
newsletter.blog_ids = [blog.id]
newsletter.save!
task = NewsletterPlugin::ModerateNewsletter.create!(
:newsletter_id => newsletter.id,
:target => environment,
:post_ids => [post.id.to_s]
)
login 'john', 'test'
get '/myprofile/john/tasks'
assert_tag :tag => 'input',
:attributes => { :type => 'checkbox', :name => "tasks[#{task.id}][task][post_ids][]" },
:sibling => { :tag => 'span' }
end
end
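Review bot: The test only proves that the injected checkbox markup reaches the page unescaped; it never checks that text supplied by the post itself is still escaped now that the view no longer escapes the newsletter body. The fixture post uses the plain name `'First post'` and body `'Test'`, so a regression that renders author-controlled markup raw on `/myprofile/john/tasks` would pass unnoticed. Assuming post titles are meant to be escaped in the generated body, add a second case with a harmless marker element, e.g. `:name => 'First <i class="probe">post</i>'`, followed by `assert_no_tag :tag => 'i', :attributes => { :class => 'probe' }`. The `<img ...>` substitution branch of the view is not exercised either.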
......@@ -9,9 +9,9 @@
<% input_name = "tasks[#{task.id}][task][post_ids][]" %>
<% post_check_box = hidden_field_tag(input_name, '0') +check_box_tag(input_name, post.id, true) %>
<% newsletter_content.gsub!(/<span([^>]*?) id="#{post.id}"/, post_check_box + '<span\\1')%>
<% newsletter_content.gsub!(/<img([^>]*?) id="#{post.id}"/, post_check_box + '<img\\1') %>
<% newsletter_content.gsub!(/<span([^>]*?) id="#{post.id}"/, post_check_box + '<span\\1'.html_safe) %>
<% newsletter_content.gsub!(/<img([^>]*?) id="#{post.id}"/, post_check_box + '<img\\1'.html_safe) %>
<% end %>
<%= newsletter_content %>
<%= newsletter_content.html_safe %>
</div>
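Review bot: `<%= newsletter_content.html_safe %>` turns off escaping for the whole newsletter body, not just the injected checkboxes, so anything in that body that originated from a post is rendered as markup in the moderator's session. Where `newsletter_content` is built is outside this hunk (the enclosing loop and `<div>` also start above it), so whether post fields are sanitized upstream cannot be confirmed from here; if they are not, this view becomes a stored-XSS sink on an admin page. Running Rails' default `sanitize` at this point would likely drop the `<input>` tags and the `id` attributes the two regexes depend on, so the sanitizing belongs where the body is generated. I would record the assumption in the view with `<%# newsletter_content is emitted raw; it must already be sanitized when the newsletter body is generated %>`.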