Defect #41853 » 0001-Escape-labels-in-principals_check_box_tag.patch
| app/helpers/application_helper.rb | ||
|---|---|---|
| 655 | 655 |
principal_check_box << check_box_tag(name, principal.id, false, :id => nil) |
| 656 | 656 |
principal_check_box << avatar(principal, :size => 16).to_s if principal.is_a?(User) |
| 657 | 657 |
principal_check_box << content_tag('span', principal_icon(principal), :class => "name icon icon-#{principal.class.to_s.downcase}")
|
| 658 |
principal_check_box << principal.to_s
|
|
| 658 |
principal_check_box << h(principal.to_s)
|
|
| 659 | 659 |
s << content_tag('label', principal_check_box.html_safe)
|
| 660 | 660 |
end |
| 661 | 661 |
s.html_safe |
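Review bot: The `.html_safe` call on the assembled `principal_check_box` string at line 659 still marks every appended fragment as trusted, so the `h(principal.to_s)` escaping at line 658 protects only this one value and a later `<<` of a raw string would bypass escaping again. If the buffer is a plain String (its initialisation is outside the hunk, so this is an assumption), starting it as `''.html_safe` would make each `<<` escape anything not already marked safe, and the trailing `.html_safe` calls at 659 and 661 would no longer be needed. Short of that, a comment above line 658 such as `# every fragment appended here must already be HTML-safe; the label is marked html_safe as a whole` would record the invariant. The enclosing method starts and ends outside the hunk.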
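--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
@@ -2046,6 +2046,13 @@
 end
 end
 
+def test_principals_check_box_tag_should_escape_principal_name
+User.find(1).update!(firstname: "firstname<>'", lastname: 'lastname&"')
+
+tags = principals_check_box_tags('watcher[user_ids][]', [User.find(1)])
+assert_include 'firstname<>' lastname&"', tags
+end
+
 def test_principals_options_for_select_with_users
 User.current = nil
 users = [User.find(2), User.find(4)]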
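Review bot: The new test pins the escaping only for a `User`, while the `is_a?(User)` guard in the helper suggests other principal types reach the same label line; a second case using a non-User principal whose name contains markup would cover that path. The single `assert_include` would also pass if the output held both an escaped and a raw copy of the name, so a negative check such as `assert_not_include "firstname<>'", tags` would make the intent explicit. The test name says `principals_check_box_tag` while the helper it calls is `principals_check_box_tags`; matching the two keeps the test easy to find.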