From 917a89fbf7cef339431c5d873bcbcbccea15ce1e Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Tue, 25 Sep 2012 18:23:11 +0000 Subject: [PATCH] Fixed JSON escaping of filters (#11929). git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10465 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/helpers/application_helper.rb | 5 +++++ app/views/queries/_filters.html.erb | 10 +++++----- public/javascripts/application.js | 12 ++++++------ test/functional/queries_controller_test.rb | 8 ++++++++ 4 files changed, 24 insertions(+), 11 deletions(-) diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb index dc65edabd..bcccfd29b 100644 --- a/app/helpers/application_helper.rb +++ b/app/helpers/application_helper.rb @@ -1029,6 +1029,11 @@ module ApplicationHelper content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options)) end + # Helper to render JSON in views + def raw_json(arg) + arg.to_json.to_s.gsub('/', '\/').html_safe + end + def back_url url = params[:back_url] if url.nil? && referer = request.env['HTTP_REFERER'] diff --git a/app/views/queries/_filters.html.erb b/app/views/queries/_filters.html.erb index 80b06c10a..f9e371b7e 100644 --- a/app/views/queries/_filters.html.erb +++ b/app/views/queries/_filters.html.erb @@ -1,12 +1,12 @@ <%= javascript_tag do %> -var operatorLabels = <%= raw Query.operators_labels.to_json %>; -var operatorByType = <%= raw Query.operators_by_filter_type.to_json %>; -var availableFilters = <%= raw query.available_filters_as_json.to_json %>; -var labelDayPlural = "<%= raw escape_javascript(l(:label_day_plural)) %>"; +var operatorLabels = <%= raw_json Query.operators_labels %>; +var operatorByType = <%= raw_json Query.operators_by_filter_type %>; +var availableFilters = <%= raw_json query.available_filters_as_json %>; +var labelDayPlural = <%= raw_json l(:label_day_plural) %>; $(document).ready(function(){ initFilters(); <% query.filters.each do |field, options| %> - addFilter("<%= field %>", <%= raw query.operator_for(field).to_json %>, <%= raw query.values_for(field).to_json %>); + addFilter("<%= field %>", <%= raw_json query.operator_for(field) %>, <%= raw_json query.values_for(field) %>); <% end %> }); <% end %> diff --git a/public/javascripts/application.js b/public/javascripts/application.js index 7346257dc..b135df6a5 100644 --- a/public/javascripts/application.js +++ b/public/javascripts/application.js @@ -163,9 +163,9 @@ function buildFilterRow(field, operator, values) { case "date": case "date_past": tr.find('td.values').append( - '' + - ' ' + - ' '+labelDayPlural+'' + '' + + ' ' + + ' '+labelDayPlural+'' ); $('#values_'+fieldId+'_1').val(values[0]).datepicker(datepickerOptions); $('#values_'+fieldId+'_2').val(values[1]).datepicker(datepickerOptions); @@ -174,15 +174,15 @@ function buildFilterRow(field, operator, values) { case "string": case "text": tr.find('td.values').append( - '' + '' ); $('#values_'+fieldId).val(values[0]); break; case "integer": case "float": tr.find('td.values').append( - '' + - ' ' + '' + + ' ' ); $('#values_'+fieldId+'_1').val(values[0]); $('#values_'+fieldId+'_2').val(values[1]); diff --git a/test/functional/queries_controller_test.rb b/test/functional/queries_controller_test.rb index 5ffc31f8a..aae7e93bc 100644 --- a/test/functional/queries_controller_test.rb +++ b/test/functional/queries_controller_test.rb @@ -273,4 +273,12 @@ class QueriesControllerTest < ActionController::TestCase assert_redirected_to :controller => 'issues', :action => 'index', :project_id => 'ecookbook', :set_filter => 1, :query_id => nil assert_nil Query.find_by_id(1) end + + def test_backslash_should_be_escaped_in_filters + @request.session[:user_id] = 2 + get :new, :subject => 'foo/bar' + assert_response :success + assert_template 'new' + assert_include 'addFilter("subject", "=", ["foo\/bar"]);', response.body + end end