diff --git a/app/helpers/issues_helper.rb b/app/helpers/issues_helper.rb
index 93bd6c050..d73258939 100644
--- a/app/helpers/issues_helper.rb
+++ b/app/helpers/issues_helper.rb
@@ -56,9 +56,9 @@ module IssuesHelper
     unless no_html
       label = content_tag('strong', label)
-      old_value = content_tag("i", old_value) if old_value
-      old_value = content_tag("strike", old_value) if old_value and !value
-      value = content_tag("i", value) if value
+      old_value = content_tag("i", h(old_value)) if old_value
+      old_value = content_tag("strike", h(old_value)) if old_value and !value
+      value = content_tag("i", h(value)) if value
     end
     if value
diff --git a/app/models/custom_field.rb b/app/models/custom_field.rb
index 924a874a3..2f5f2749f 100644
--- a/app/models/custom_field.rb
+++ b/app/models/custom_field.rb
@@ -28,6 +28,7 @@ class CustomField < ActiveRecord::Base
   validates_presence_of :name, :field_format
   validates_uniqueness_of :name
+  validates_format_of :name, :with => /^[\w\s\'\-]*$/i
   validates_inclusion_of :field_format, :in => FIELD_FORMATS.keys
   validates_presence_of :possible_values, :if => Proc.new { |field| field.field_format == "list" }
diff --git a/app/models/enumeration.rb b/app/models/enumeration.rb
index b5c8ed6e7..0d6554f82 100644
--- a/app/models/enumeration.rb
+++ b/app/models/enumeration.rb
@@ -18,8 +18,9 @@ class Enumeration < ActiveRecord::Base
   before_destroy :check_integrity
-  validates_presence_of :opt, :name
-  validates_uniqueness_of :name, :scope => [:opt]
+  validates_presence_of :opt, :name
+  validates_uniqueness_of :name, :scope => [:opt]
+  validates_format_of :name, :with => /^[\w\s\'\-]*$/i
   OPTIONS = { "IPRI" => :enumeration_issue_priorities,
diff --git a/app/models/issue_status.rb b/app/models/issue_status.rb
index c8a40d330..b821df258 100644
--- a/app/models/issue_status.rb
+++ b/app/models/issue_status.rb
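Review bot: The second `h(old_value)` in the issues_helper hunk escapes the `<i>` element that the line just above it produced, so a removed value now renders as literal `&lt;i&gt;…&lt;/i&gt;` inside the `<strike>` element. By that point `old_value` has already been escaped once and wrapped, so the strike line should wrap without re-escaping: `old_value = content_tag("strike", old_value) if old_value and !value`. The enclosing helper method starts and ends outside the hunk, so what `old_value` and `value` hold on entry is not visible here. `and` in a boolean condition is also a precedence trap; `&&` is the conventional form.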
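Review bot: The new `validates_format_of :name, :with => /^[\w\s\'\-]*$/i` in custom_field.rb (and the identical line in enumeration.rb, issue_status.rb, project.rb, role.rb, tracker.rb, plus the firstname/lastname and login lines in user.rb) anchors with `^`/`$`, which in Ruby match at line boundaries, and `\s` in the class admits the newline itself, so a multi-line value passes as long as one of its lines matches. Anchor the whole string instead: `/\A[\w\s'\-]*\z/i`. Ruby's `\w` is ASCII-only, so this also rejects any accented letter in a name; if that is not intended, widen the class explicitly. A write-time validation does not cover values already stored, so the `h()` calls added to the views in this commit remain the primary control.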
@@ -21,6 +21,7 @@ class IssueStatus < ActiveRecord::Base
   validates_presence_of :name
   validates_uniqueness_of :name
+  validates_format_of :name, :with => /^[\w\s\'\-]*$/i
   validates_length_of :html_color, :is => 6
   validates_format_of :html_color, :with => /^[a-f0-9]*$/i
diff --git a/app/models/project.rb b/app/models/project.rb
index 83197dfde..e8493cb3b 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -31,6 +31,7 @@ class Project < ActiveRecord::Base
   validates_presence_of :name, :description
   validates_uniqueness_of :name
   validates_associated :custom_values, :on => :update
+  validates_format_of :name, :with => /^[\w\s\'\-]*$/i
   # returns 5 last created projects
   def self.latest
diff --git a/app/models/role.rb b/app/models/role.rb
index 6908095e9..4761b75ad 100644
--- a/app/models/role.rb
+++ b/app/models/role.rb
@@ -23,6 +23,7 @@ class Role < ActiveRecord::Base
   validates_presence_of :name
   validates_uniqueness_of :name
+  validates_format_of :name, :with => /^[\w\s\'\-]*$/i
   private
   def check_integrity
diff --git a/app/models/tracker.rb b/app/models/tracker.rb
index a4376a351..041525f0f 100644
--- a/app/models/tracker.rb
+++ b/app/models/tracker.rb
@@ -23,7 +23,8 @@ class Tracker < ActiveRecord::Base
   validates_presence_of :name
   validates_uniqueness_of :name
-
+  validates_format_of :name, :with => /^[\w\s\'\-]*$/i
+
   private
   def check_integrity
     raise "Can't delete tracker" if Issue.find(:first, :conditions => ["tracker_id=?", self.id])
diff --git a/app/models/user.rb b/app/models/user.rb
index a82c98a88..0287006c6 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -32,7 +32,8 @@ class User < ActiveRecord::Base
   validates_presence_of :login, :firstname, :lastname, :mail
   validates_uniqueness_of :login, :mail
   # Login must contain lettres, numbers, underscores only
-  validates_format_of :login, :with => /^[a-z0-9_]+$/i
+  validates_format_of :firstname, :lastname, :with => /^[\w\s\'\-]*$/i
+  validates_format_of :login, :with => /^[a-z0-9_\-@\.]+$/i
   validates_format_of :mail, :with => /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/i
   # Password length between 4 and 12
   validates_length_of :password, :in => 4..12, :allow_nil => true
diff --git a/app/views/admin/projects.rhtml b/app/views/admin/projects.rhtml
index 0772c4e8b..bcf7cba43 100644
--- a/app/views/admin/projects.rhtml
+++ b/app/views/admin/projects.rhtml
@@ -17,7 +17,7 @@ <% for project in @projects %> "> <%= link_to project.name, :controller => 'projects', :action => 'settings', :id => project %>
- <%= project.description %>
+ <%=h project.description %>
 <%= image_tag 'true' if project.is_public? %> <%= project.projects_count %> <%= format_date(project.created_on) %>
diff --git a/app/views/documents/_document.rhtml b/app/views/documents/_document.rhtml
new file mode 100644
index 000000000..55864ee82
--- /dev/null
+++ b/app/views/documents/_document.rhtml
@@ -0,0 +1,3 @@
+
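Review bot: The context comment `# Login must contain lettres, numbers, underscores only` is now wrong for the new login rule `/^[a-z0-9_\-@\.]+$/i`, which also admits `-`, `@` and `.`; update it to `# Login may contain letters, numbers, underscores, dashes, dots and @` (fixing the typo at the same time). Allowing `@` and `.` means a login can now look exactly like an e-mail address; whether the code that looks users up by login versus mail keeps the two apart is not visible in this hunk and is worth confirming. Both new lines anchor with `^`/`$` rather than `\A`/`\z`, so a value with an embedded newline is accepted if any one line matches.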

<%= link_to h(document.title), :controller => 'documents', :action => 'show', :id => document %>
+<% unless document.description.empty? %><%=h truncate document.description, 250 %>
<% end %> +<%= format_time(document.created_on) %>

\ No newline at end of file diff --git a/app/views/issues/_history.rhtml b/app/views/issues/_history.rhtml index 6dc2a84be..da58b7d6c 100644 --- a/app/views/issues/_history.rhtml +++ b/app/views/issues/_history.rhtml @@ -6,6 +6,6 @@ <% end %> <% if journal.notes? %> - <%= simple_format auto_link journal.notes %> + <%= simple_format auto_link h(journal.notes) %> <% end %> <% end %> diff --git a/app/views/issues/_list_simple.rhtml b/app/views/issues/_list_simple.rhtml index 94b63d613..cd2355376 100644 --- a/app/views/issues/_list_simple.rhtml +++ b/app/views/issues/_list_simple.rhtml @@ -15,7 +15,7 @@

<%= issue.project.name %> - <%= issue.tracker.name %>
<%= issue.status.name %> - <%= format_time(issue.updated_on) %>

-

<%= link_to issue.subject, :controller => 'issues', :action => 'show', :id => issue %>

+

<%= link_to h(issue.subject), :controller => 'issues', :action => 'show', :id => issue %>

<% end %> diff --git a/app/views/issues/change_status.rhtml b/app/views/issues/change_status.rhtml index 2ef87183d..38ca82ea2 100644 --- a/app/views/issues/change_status.rhtml +++ b/app/views/issues/change_status.rhtml @@ -1,4 +1,4 @@ -

<%=l(:label_issue)%> #<%= @issue.id %>: <%= @issue.subject %>

+

<%=l(:label_issue)%> #<%= @issue.id %>: <%=h @issue.subject %>

<%= error_messages_for 'issue' %> <%= start_form_tag({:action => 'change_status', :id => @issue}, :class => "tabular") %> diff --git a/app/views/issues/show.rhtml b/app/views/issues/show.rhtml index f01612aec..93b8cd008 100644 --- a/app/views/issues/show.rhtml +++ b/app/views/issues/show.rhtml @@ -2,7 +2,7 @@ <%= l(:label_export_to) %><%= link_to 'PDF', {:action => 'export_pdf', :id => @issue}, :class => 'pic picPdf' %> -

<%= @issue.tracker.name %> #<%= @issue.id %> - <%= @issue.subject %>

+

<%= @issue.tracker.name %> #<%= @issue.id %> - <%=h @issue.subject %>

@@ -12,7 +12,7 @@ - + @@ -29,7 +29,7 @@ <% n = 0 for custom_value in @custom_values %> - + <% n = n + 1 if (n > 1) n = 0 %> diff --git a/app/views/my/blocks/_calendar.rhtml b/app/views/my/blocks/_calendar.rhtml index 2d7930f52..fd221bcb4 100644 --- a/app/views/my/blocks/_calendar.rhtml +++ b/app/views/my/blocks/_calendar.rhtml @@ -34,7 +34,7 @@ while day <= @date_to elsif day == i.due_date image_tag('arrow_to') end %> - <%= link_to "#{i.tracker.name} ##{i.id}", :controller => 'issues', :action => 'show', :id => i %>: <%= i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %>
+ <%= link_to "#{i.tracker.name} ##{i.id}", :controller => 'issues', :action => 'show', :id => i %>: <%=h i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %>
<% end %> <%= '' if day.cwday >= 7 and day!=@date_to %> diff --git a/app/views/my/blocks/_documents.rhtml b/app/views/my/blocks/_documents.rhtml index 5fa8c7980..8e7f6bc50 100644 --- a/app/views/my/blocks/_documents.rhtml +++ b/app/views/my/blocks/_documents.rhtml @@ -1,15 +1,7 @@

<%=l(:label_document_plural)%>

- \ No newline at end of file + :include => [:project])) unless @user.projects.empty? %> \ No newline at end of file diff --git a/app/views/my/blocks/_latest_news.rhtml b/app/views/my/blocks/_latest_news.rhtml index 85430ef54..625603ac0 100644 --- a/app/views/my/blocks/_latest_news.rhtml +++ b/app/views/my/blocks/_latest_news.rhtml @@ -1,13 +1,7 @@

<%=l(:label_news_latest)%>

- \ No newline at end of file +<%= render (:partial => 'news/news', + :collection => News.find(:all, + :limit => 10, + :conditions => "news.project_id in (#{@user.projects.collect{|m| m.id}.join(',')})", + :include => [:project, :author])) unless @user.projects.empty? %> \ No newline at end of file diff --git a/app/views/my/page.rhtml b/app/views/my/page.rhtml index 121d48ca9..989d01397 100644 --- a/app/views/my/page.rhtml +++ b/app/views/my/page.rhtml @@ -1,9 +1,9 @@ -
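Review bot: The `:conditions` string in `_latest_news.rhtml` interpolates ids straight into SQL, `news.project_id in (#{@user.projects.collect{|m| m.id}.join(',')})`; the ids come from `@user.projects` and are integers today, but the pattern should use a bind parameter so it stays safe if the source ever changes: `:conditions => ["news.project_id IN (?)", @user.projects.collect{|m| m.id}]` (ActiveRecord expands an array bind into a comma-separated list). The `unless @user.projects.empty?` guard is still needed with the bind form, since an empty `IN ()` is a SQL error. The `_documents.rhtml` hunk above appears to build the same clause, but its lines are truncated here. Running the query from inside the partial rather than the controller is also a style point worth a follow-up.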

<%=l(:label_my_page)%>

- -
- <%= link_to l(:label_personalize_page), :action => 'page_layout' %> +
+ <%= link_to l(:label_personalize_page), :action => 'page_layout' %>
+

<%=l(:label_my_page)%>

+
<% @blocks['top'].each do |b| %>
diff --git a/app/views/my/page_layout.rhtml b/app/views/my/page_layout.rhtml index 59a38567d..d3346bd7d 100644 --- a/app/views/my/page_layout.rhtml +++ b/app/views/my/page_layout.rhtml @@ -34,11 +34,10 @@ function removeBlock(block) { -
+
+ <%= start_form_tag({:action => "add_block"}, :id => "block-form") %> - -<%= select_tag 'block', "" + options_for_select(@block_options), :id => "block-select", :class => "select-small" %> - +<%= select_tag 'block', "" + options_for_select(@block_options), :id => "block-select" %> <%= link_to_remote l(:button_add), :url => { :action => "add_block" }, :with => "Form.serialize('block-form')", @@ -48,16 +47,9 @@ function removeBlock(block) { :loading => "Element.show('indicator')", :loaded => "Element.hide('indicator')" %> - -<%= end_form_tag %> -| +<%= end_form_tag %> | <%= link_to l(:button_save), :action => 'page_layout_save' %> | <%= link_to l(:button_cancel), :action => 'page' %> - -
- -
-

<%=l(:label_my_page)%>

diff --git a/app/views/news/_news.rhtml b/app/views/news/_news.rhtml new file mode 100644 index 000000000..75a80d634 --- /dev/null +++ b/app/views/news/_news.rhtml @@ -0,0 +1,4 @@ +

<%= link_to h(news.title), :controller => 'news', :action => 'show', :id => news %>
+<% unless news.summary.empty? %><%=h news.summary %>
<% end %> +<%= news.author.name %>, <%= format_time(news.created_on) %>
+<%= news.comments_count %> <%= lwr(:label_comment, news.comments_count).downcase %>
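Review bot: `<%= news.author.name %>` in the new `_news.rhtml` partial is the one user-supplied field left unescaped while `news.title` and `news.summary` get `h`; it relies on the firstname/lastname format validation added in user.rb, which does not cover names stored before this commit. Escape at output as well: `<%=h news.author.name %>`. `news.comments_count` is numeric and is fine as is.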

diff --git a/app/views/news/show.rhtml b/app/views/news/show.rhtml index e5f199fa2..374bf72af 100644 --- a/app/views/news/show.rhtml +++ b/app/views/news/show.rhtml @@ -3,9 +3,9 @@ <%= link_to_if_authorized l(:button_delete), {:controller => 'news', :action => 'destroy', :id => @news}, :confirm => l(:text_are_you_sure), :post => true, :class => 'pic picDelete' %>
-

<%= @news.title %>

+

<%=h @news.title %>

-

<%= @news.summary %>
+

<%=h @news.summary %>
<%= @news.author.display_name %>, <%= format_time(@news.created_on) %>


<%= textilizable auto_link @news.description %> diff --git a/app/views/projects/activity.rhtml b/app/views/projects/activity.rhtml index 9afe8ff25..9a4a07aff 100644 --- a/app/views/projects/activity.rhtml +++ b/app/views/projects/activity.rhtml @@ -18,20 +18,20 @@ <% @events_by_day[day].sort {|x,y| y.created_on <=> x.created_on }.each do |e| %>
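Review bot: `@news.author.display_name` and the `<%= textilizable auto_link @news.description %>` line in news/show.rhtml stay unescaped while the title and summary in the same hunk now get `h`. Whether `textilizable` strips raw HTML before rendering is not visible here — confirm it does, or escape before it, since the description is user-authored. `display_name` can be escaped directly: `<%=h @news.author.display_name %>`.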
  • <% if e.is_a? Issue %> - <%= e.created_on.strftime("%H:%M") %> <%= link_to "#{e.tracker.name} ##{e.id}", :controller => 'issues', :action => 'show', :id => e %> (<%= e.status.name %>): <%= e.subject %>
    + <%= e.created_on.strftime("%H:%M") %> <%= link_to "#{e.tracker.name} ##{e.id}", :controller => 'issues', :action => 'show', :id => e %> (<%= e.status.name %>): <%=h e.subject %>
    <%= e.author.name %> <% elsif e.is_a? News %> - <%= e.created_on.strftime("%H:%M") %> <%=l(:label_news)%>: <%= link_to e.title, :controller => 'news', :action => 'show', :id => e %>
    - <% unless e.summary.empty? %><%= e.summary %>
    <% end %> + <%= e.created_on.strftime("%H:%M") %> <%=l(:label_news)%>: <%= link_to h(e.title), :controller => 'news', :action => 'show', :id => e %>
    + <% unless e.summary.empty? %><%=h e.summary %>
    <% end %> <%= e.author.name %> <% elsif (e.is_a? Attachment) and (e.container.is_a? Version) %> - <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%> (<%= e.container.name %>): <%= link_to e.filename, :controller => 'projects', :action => 'list_files', :id => @project %>
    + <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%> (<%=h e.container.name %>): <%= link_to e.filename, :controller => 'projects', :action => 'list_files', :id => @project %>
    <%= e.author.name %> <% elsif (e.is_a? Attachment) and (e.container.is_a? Document) %> - <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%>: <%= e.filename %> (<%= link_to e.container.title, :controller => 'documents', :action => 'show', :id => e.container %>)
    + <%= e.created_on.strftime("%H:%M") %> <%=l(:label_attachment)%>: <%= e.filename %> (<%= link_to h(e.container.title), :controller => 'documents', :action => 'show', :id => e.container %>)
    <%= e.author.name %> <% elsif e.is_a? Document %> - <%= e.created_on.strftime("%H:%M") %> <%=l(:label_document)%>: <%= link_to e.title, :controller => 'documents', :action => 'show', :id => e %>
    + <%= e.created_on.strftime("%H:%M") %> <%=l(:label_document)%>: <%= link_to h(e.title), :controller => 'documents', :action => 'show', :id => e %>
    <% end %>

  • diff --git a/app/views/projects/calendar.rhtml b/app/views/projects/calendar.rhtml index 2781f98c9..9b0c26ed4 100644 --- a/app/views/projects/calendar.rhtml +++ b/app/views/projects/calendar.rhtml @@ -50,7 +50,7 @@ while day <= @date_to elsif day == i.due_date image_tag('arrow_to') end %> - <%= link_to "#{i.tracker.name} ##{i.id}", :controller => 'issues', :action => 'show', :id => i %>: <%= i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %>
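Review bot: In activity.rhtml, `link_to e.filename, ...` in the Version-attachment branch and `<%= e.filename %>` in the Document-attachment branch still render the attachment filename unescaped, even though the neighbouring container names and titles in this hunk got `h`; a filename is user-supplied and nothing in this commit validates it. Use `link_to h(e.filename), ...` and `<%=h e.filename %>` respectively. `<%= e.author.name %>` on each branch is likewise unescaped and should get `h` for the same reason.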
    + <%= link_to "#{i.tracker.name} ##{i.id}", :controller => 'issues', :action => 'show', :id => i %>: <%=h i.subject.sub(/^(.{30}[^\s]*\s).*$/, '\1 (...)') %>
    <% end %> <%= '
    ' if day.cwday >= 7 and day!=@date_to %> diff --git a/app/views/projects/changelog.rhtml b/app/views/projects/changelog.rhtml index 081456413..e59df059d 100644 --- a/app/views/projects/changelog.rhtml +++ b/app/views/projects/changelog.rhtml @@ -23,6 +23,6 @@ "> <% end %> diff --git a/app/views/projects/list_documents.rhtml b/app/views/projects/list_documents.rhtml index 0b630e922..c24785f69 100644 --- a/app/views/projects/list_documents.rhtml +++ b/app/views/projects/list_documents.rhtml @@ -8,16 +8,6 @@ <% documents = @documents.group_by {|d| d.category } %> <% documents.each do |category, docs| %> -

    <%= category.name %>

    - +

    <%= category.name %>

    + <%= render :partial => 'documents/document', :collection => docs %> <% end %> \ No newline at end of file diff --git a/app/views/projects/list_issues.rhtml b/app/views/projects/list_issues.rhtml index 5f0d0282a..190aab838 100644 --- a/app/views/projects/list_issues.rhtml +++ b/app/views/projects/list_issues.rhtml @@ -69,7 +69,7 @@
    - + diff --git a/app/views/projects/list_news.rhtml b/app/views/projects/list_news.rhtml index 1427c07be..8d8f99668 100644 --- a/app/views/projects/list_news.rhtml +++ b/app/views/projects/list_news.rhtml @@ -5,16 +5,5 @@

    <%=l(:label_news_plural)%>

    <% if @news.empty? %>

    <%= l(:label_no_data) %>

    <% end %> - - - - +<%= render :partial => 'news/news', :collection => @news %> <%= pagination_links_full @news_pages %> diff --git a/app/views/projects/show.rhtml b/app/views/projects/show.rhtml index 79e36a586..46f17d9b9 100644 --- a/app/views/projects/show.rhtml +++ b/app/views/projects/show.rhtml @@ -1,13 +1,13 @@

    <%=l(:label_overview)%>

    - <%= simple_format(auto_link(@project.description)) %> + <%= simple_format(auto_link(h @project.description)) %>
      <% unless @project.homepage.empty? %>
    • <%=l(:field_homepage)%>: <%= auto_link @project.homepage %>
    • <% end %>
    • <%=l(:field_created_on)%>: <%= format_date(@project.created_on) %>
    • <% for custom_value in @custom_values %> <% if !custom_value.value.empty? %> -
    • <%= custom_value.custom_field.name%>: <%= show_value(custom_value) %>
    • +
    • <%= custom_value.custom_field.name%>: <%=h show_value(custom_value) %>
    • <% end %> <% end %>
    @@ -32,7 +32,7 @@ <% end %> <% end %> -
    [ <%= link_to l(:label_issue_view_all), :controller => 'projects', :action => 'list_issues', :id => @project, :set_filter => 1 %> ]
    +
    <%= link_to l(:label_issue_view_all), :controller => 'projects', :action => 'list_issues', :id => @project, :set_filter => 1 %>
    @@ -55,13 +55,8 @@

    <%=l(:label_news_latest)%>

    - <% for news in @news %> -

    <%= news.title %> (<%= link_to_user news.author %> <%= format_time(news.created_on) %>)
    - <%= news.summary %> - [<%= link_to l(:label_read), :controller => 'news', :action => 'show', :id => news %>]

    -
    - <% end %> -
    [ <%= link_to l(:label_news_view_all), :controller => 'projects', :action => 'list_news', :id => @project %> ]
    + <%= render :partial => 'news/news', :collection => @news %> +
    <%= link_to l(:label_news_view_all), :controller => 'projects', :action => 'list_news', :id => @project %>
    diff --git a/app/views/users/_form.rhtml b/app/views/users/_form.rhtml index 089d4d23c..989cb7559 100644 --- a/app/views/users/_form.rhtml +++ b/app/views/users/_form.rhtml @@ -11,7 +11,7 @@ <% for @custom_value in @custom_values %>

    <%= custom_field_tag_with_label @custom_value %>

    -<% end %> +<% end if @custom_values%>

    <%= f.check_box :admin %>

    <%= f.check_box :mail_notification %>

    diff --git a/app/views/welcome/index.rhtml b/app/views/welcome/index.rhtml index abee85691..24c969e6f 100644 --- a/app/views/welcome/index.rhtml +++ b/app/views/welcome/index.rhtml @@ -4,14 +4,7 @@ <% if $RDM_WELCOME_TEXT %>

    <%= $RDM_WELCOME_TEXT %>


    <% end %>

    <%=l(:label_news_latest)%>

    - <% for news in @news %> -

    - <%= news.title %> (<%= link_to_user news.author %> <%= format_time(news.created_on) %> - <%= news.project.name %>)
    - <% unless news.summary.empty? %><%= news.summary %>
    <% end %> - [<%= link_to l(:label_read), :controller => 'news', :action => 'show', :id => news %>] -

    -
    - <% end %> + <%= render :partial => 'news/news', :collection => @news %>
    @@ -22,7 +15,7 @@ <% for project in @projects %>
  • <%= link_to project.name, :controller => 'projects', :action => 'show', :id => project %> (<%= format_time(project.created_on) %>)
    - <%= project.description %> + <%=h project.description %>
  • <% end %> diff --git a/public/stylesheets/application.css b/public/stylesheets/application.css index f00ffc62a..d85b025fe 100644 --- a/public/stylesheets/application.css +++ b/public/stylesheets/application.css @@ -473,6 +473,9 @@ float: right; font-size: 0.8em; } +.contextual select { +font-size: 1em; +} /***** CSS FORM ******/
    <%=l(:field_assigned_to)%> :<%= @issue.assigned_to ? @issue.assigned_to.name : "-" %><%=l(:field_category)%> :<%= @issue.category ? @issue.category.name : "-" %><%=l(:field_category)%> :<%=h @issue.category ? @issue.category.name : "-" %>
    <%=l(:field_author)%> :<%= link_to_user @issue.author %>
    <%= custom_value.custom_field.name %> :<%= show_value custom_value %><%= custom_value.custom_field.name %> :<%=h show_value custom_value %>
    <%= link_to project.name, :action => 'show', :id => project %> - <%= project.description %> + <%=h project.description %> <%= format_date(project.created_on) %>
    <%= link_to issue.long_id, :controller => 'issues', :action => 'show', :id => issue %> <%= issue.status.name %> <%= issue.tracker.name %><%= link_to issue.subject, :controller => 'issues', :action => 'show', :id => issue %><%= link_to h(issue.subject), :controller => 'issues', :action => 'show', :id => issue %> <%= issue.author.display_name %> <%= format_time(issue.created_on) %> <%= format_time(issue.updated_on) %>