kolan
/
Redmine
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fixed JSON escaping of filters (#11929). 

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@10465 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang 2012-09-25 18:23:11 +00:00
parent 18d1c62ca8
commit 917a89fbf7
4 changed files with 24 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/helpers/application_helper.rb
View File

@ -1029,6 +1029,11 @@ module ApplicationHelper
content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options)) content_tag(:a, name, {:href => '#', :onclick => "#{function}; return false;"}.merge(html_options))
end end
# Helper to render JSON in views
def raw_json(arg)
arg.to_json.to_s.gsub('/', '\/').html_safe
end
def back_url def back_url
url = params[:back_url] url = params[:back_url]
if url.nil? && referer = request.env['HTTP_REFERER'] if url.nil? && referer = request.env['HTTP_REFERER']

10
app/views/queries/_filters.html.erb
View File

@ -1,12 +1,12 @@
<%= javascript_tag do %> <%= javascript_tag do %>
var operatorLabels = <%= raw Query.operators_labels.to_json %>; var operatorLabels = <%= raw_json Query.operators_labels %>;
var operatorByType = <%= raw Query.operators_by_filter_type.to_json %>; var operatorByType = <%= raw_json Query.operators_by_filter_type %>;
var availableFilters = <%= raw query.available_filters_as_json.to_json %>; var availableFilters = <%= raw_json query.available_filters_as_json %>;
var labelDayPlural = "<%= raw escape_javascript(l(:label_day_plural)) %>"; var labelDayPlural = <%= raw_json l(:label_day_plural) %>;
$(document).ready(function(){ $(document).ready(function(){
initFilters(); initFilters();
<% query.filters.each do |field, options| %> <% query.filters.each do |field, options| %>
addFilter("<%= field %>", <%= raw query.operator_for(field).to_json %>, <%= raw query.values_for(field).to_json %>); addFilter("<%= field %>", <%= raw_json query.operator_for(field) %>, <%= raw_json query.values_for(field) %>);
<% end %> <% end %>
}); });
<% end %> <% end %>

12
public/javascripts/application.js
View File

@ -163,9 +163,9 @@ function buildFilterRow(field, operator, values) {
case "date": case "date":
case "date_past": case "date_past":
tr.find('td.values').append( tr.find('td.values').append(
'<span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_1" size="10" class="value date_value" value="'+values[0]+'" /></span>' + '<span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_1" size="10" class="value date_value" /></span>' +
' <span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_2" size="10" class="value date_value" value="'+values[1]+'" /></span>' + ' <span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_2" size="10" class="value date_value" /></span>' +
' <span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'" size="3" class="value" value="'+values[0]+'" /> '+labelDayPlural+'</span>' ' <span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'" size="3" class="value" /> '+labelDayPlural+'</span>'
); );
$('#values_'+fieldId+'_1').val(values[0]).datepicker(datepickerOptions); $('#values_'+fieldId+'_1').val(values[0]).datepicker(datepickerOptions);
$('#values_'+fieldId+'_2').val(values[1]).datepicker(datepickerOptions); $('#values_'+fieldId+'_2').val(values[1]).datepicker(datepickerOptions);
@ -174,15 +174,15 @@ function buildFilterRow(field, operator, values) {
case "string": case "string":
case "text": case "text":
tr.find('td.values').append( tr.find('td.values').append(
'<span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'" size="30" class="value" value="'+values[0]+'" /></span>' '<span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'" size="30" class="value" /></span>'
); );
$('#values_'+fieldId).val(values[0]); $('#values_'+fieldId).val(values[0]);
break; break;
case "integer": case "integer":
case "float": case "float":
tr.find('td.values').append( tr.find('td.values').append(
'<span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_1" size="6" class="value" value="'+values[0]+'" /></span>' + '<span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_1" size="6" class="value" /></span>' +
' <span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_2" size="6" class="value" value="'+values[1]+'" /></span>' ' <span style="display:none;"><input type="text" name="v['+field+'][]" id="values_'+fieldId+'_2" size="6" class="value" /></span>'
); );
$('#values_'+fieldId+'_1').val(values[0]); $('#values_'+fieldId+'_1').val(values[0]);
$('#values_'+fieldId+'_2').val(values[1]); $('#values_'+fieldId+'_2').val(values[1]);

8
test/functional/queries_controller_test.rb
View File

@ -273,4 +273,12 @@ class QueriesControllerTest < ActionController::TestCase
assert_redirected_to :controller => 'issues', :action => 'index', :project_id => 'ecookbook', :set_filter => 1, :query_id => nil assert_redirected_to :controller => 'issues', :action => 'index', :project_id => 'ecookbook', :set_filter => 1, :query_id => nil
assert_nil Query.find_by_id(1) assert_nil Query.find_by_id(1)
end end
def test_backslash_should_be_escaped_in_filters
@request.session[:user_id] = 2
get :new, :subject => 'foo/bar'
assert_response :success
assert_template 'new'
assert_include 'addFilter("subject", "=", ["foo\/bar"]);', response.body
end
end end