Fix handling teams with special characters in the name.

.rubocop_todo.yml

@@ -1,11 +1,24 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2024-10-19 12:51:15 UTC using RuboCop version 1.67.0.
+# on 2024-10-30 21:24:39 UTC using RuboCop version 1.67.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
+# Offense count: 2
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: link_or_button, strict
+Capybara/ClickLinkOrButtonStyle:
+  Exclude:
+    - 'spec/integration/update_cc_spec.rb'
+
+# Offense count: 3
+Capybara/SpecificActions:
+  Exclude:
+    - 'spec/integration/subscribe_spec.rb'
+    - 'spec/integration/update_cc_spec.rb'
+
 # Offense count: 1
 # Configuration parameters: IgnoreLiteralBranches, IgnoreConstantBranches.
 Lint/DuplicateBranch:
@@ -44,7 +57,7 @@ Naming/MethodParameterName:
     - 'slack-arena/app.rb'
     - 'slack-arena/models/team.rb'
 
-# Offense count: 42
+# Offense count: 43
 RSpec/AnyInstance:
   Exclude:
     - 'spec/api/endpoints/credit_cards_endpoint_spec.rb'
@@ -54,14 +67,15 @@ RSpec/AnyInstance:
     - 'spec/api/endpoints/teams_endpoint_spec.rb'
     - 'spec/api/endpoints/users_endpoint_spec.rb'
     - 'spec/integration/connect_spec.rb'
+    - 'spec/integration/subscribe_spec.rb'
     - 'spec/integration/teams_spec.rb'
     - 'spec/models/arena_channel_spec.rb'
     - 'spec/models/arena_user_spec.rb'
     - 'spec/models/team_spec.rb'
     - 'spec/models/user_spec.rb'
     - 'spec/slack-arena/app_spec.rb'
 
-# Offense count: 69
+# Offense count: 76
 # Configuration parameters: Prefixes, AllowedPatterns.
 # Prefixes: when, with, without
 RSpec/ContextWording:
@@ -91,7 +105,7 @@ RSpec/EmptyExampleGroup:
   Exclude:
     - 'spec/models/arena/mentioned_spec.rb'
 
-# Offense count: 72
+# Offense count: 75
 # Configuration parameters: CountAsOne.
 RSpec/ExampleLength:
   Max: 46
@@ -133,13 +147,13 @@ RSpec/LetSetup:
     - 'spec/slack-arena/commands/info_spec.rb'
     - 'spec/slack-arena/commands/subscription_spec.rb'
 
-# Offense count: 46
+# Offense count: 51
 # Configuration parameters: .
 # SupportedStyles: have_received, receive
 RSpec/MessageSpies:
   EnforcedStyle: receive
 
-# Offense count: 87
+# Offense count: 91
 RSpec/MultipleExpectations:
   Max: 10
 
@@ -181,12 +195,14 @@ RSpec/SpecFilePathFormat:
     - 'spec/slack-arena/service_spec.rb'
     - 'spec/slack-arena/version_spec.rb'
 
-# Offense count: 15
+# Offense count: 17
 RSpec/StubbedMock:
   Exclude:
     - 'spec/api/endpoints/slack_endpoint_spec.rb'
     - 'spec/api/endpoints/subscriptions_endpoint_spec.rb'
     - 'spec/api/endpoints/teams_endpoint_spec.rb'
+    - 'spec/integration/subscribe_spec.rb'
+    - 'spec/integration/update_cc_spec.rb'
     - 'spec/models/arena_channel_spec.rb'
     - 'spec/models/arena_user_spec.rb'
     - 'spec/models/team_spec.rb'
@@ -200,10 +216,9 @@ RSpec/VerifiedDoubles:
   Exclude:
     - 'spec/api/endpoints/teams_endpoint_spec.rb'
 
-# Offense count: 2
+# Offense count: 1
 RSpec/VoidExpect:
   Exclude:
-    - 'spec/integration/connect_spec.rb'
     - 'spec/integration/teams_spec.rb'
 
 # Offense count: 2
@@ -255,7 +270,7 @@ Style/StringConcatenation:
     - 'slack-arena/api/helpers/error_helpers.rb'
     - 'slack-arena/models/team.rb'
 
-# Offense count: 58
+# Offense count: 64
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
 # URISchemes: http, https

CHANGELOG.md

@@ -1,5 +1,7 @@
 ### Changelog
 
+* 2024/10/30: Fix handling teams with special characters in the name - [@dblock](https://github.com/dblock).
+* 2024/10/19: Upgraded to Ruby 3.3.5 - [@dblock](https://github.com/dblock).
 * 2023/01/16: Upgraded to Ruby 2.7.7 - [@dblock](https://github.com/dblock).
 * 2022/01/07: Corrected blank display names when searching for users - [@dblock](https://github.com/dblock).
 * 2018/05/29: Added `/arena search` - [@dblock](https://github.com/dblock).

Gemfile.lock

@@ -1,9 +1,9 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (7.2.1.1)
-      activesupport (= 7.2.1.1)
-    activesupport (7.2.1.1)
+    activemodel (7.2.1.2)
+      activesupport (= 7.2.1.2)
+    activesupport (7.2.1.2)
       base64
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.3.1)
@@ -20,7 +20,7 @@ GEM
       httparty
       json
     ast (2.4.2)
-    async (2.17.0)
+    async (2.18.0)
       console (~> 1.26)
       fiber-annotation
       io-event (~> 1.6, >= 1.6.5)
@@ -60,8 +60,9 @@ GEM
     diff-lcs (1.5.1)
     domain_name (0.6.20240107)
     drb (2.2.1)
-    dry-core (1.0.1)
+    dry-core (1.0.2)
       concurrent-ruby (~> 1.0)
+      logger
       zeitwerk (~> 2.6)
     dry-inflector (1.1.0)
     dry-logic (1.5.0)
@@ -100,7 +101,7 @@ GEM
       fiber-storage
     fiber-storage (1.0.0)
     foreman (0.88.1)
-    gli (2.21.5)
+    gli (2.22.0)
     grape (2.2.0)
       activesupport (>= 6)
       dry-types (>= 1.1)
@@ -131,11 +132,11 @@ GEM
     i18n (1.14.6)
       concurrent-ruby (~> 1.0)
     io-console (0.7.2)
-    io-event (1.7.2)
+    io-event (1.7.3)
     irb (1.14.1)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.7.2)
+    json (2.7.5)
     kaminari-core (1.2.2)
     kaminari-grape (1.0.1)
       grape
@@ -249,19 +250,19 @@ GEM
       rubocop-ast (>= 1.32.2, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.32.3)
+    rubocop-ast (1.33.0)
       parser (>= 3.3.1.0)
     rubocop-capybara (2.21.0)
       rubocop (~> 1.41)
     rubocop-rake (0.6.0)
       rubocop (~> 1.0)
-    rubocop-rspec (3.1.0)
+    rubocop-rspec (3.2.0)
       rubocop (~> 1.61)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
     securerandom (0.3.1)
-    selenium-webdriver (4.25.0)
+    selenium-webdriver (4.26.0)
       base64 (~> 0.2)
       logger (~> 1.4)
       rexml (~> 3.2, >= 3.2.5)

public/connect.html.erb

@@ -24,13 +24,13 @@
       <script>
         $(document).ready(function() {
           var data = {
-            code: "<%= request.params['code'] %>",
+            code: <%= JSON.generate(ERB::Util.html_escape(request.params['code'])) %>,
             channel_id: "<%= channel_id %>"
           };
 
           var user = {
             id: '<%= user && user.id %>',
-            name: '<%= user && user.user_name %>'
+            name: <%= JSON.generate(ERB::Util.html_escape(user && user.user_name)) %>
           }
 
           if (user.id && data.code && data.channel_id) {
@@ -40,12 +40,12 @@
               url: '/api/users/' + user.id,
               data: data,
               success: function(data) {
-                SlackArena.message('Successfully connected your Are.na account. You can now return to Slack.');
+                SlackArena.message('Successfully connected <b>' + user.name + '</b> to Are.na. You can now return to Slack.');
               },
               error: SlackArena.error
             });
           } else {
-            SlackArena.message('Missing or invalid parameters.');
+            SlackArena.errorMessage('Missing or invalid parameters.');
           }
         });
       </script>

public/scripts/arena.js

@@ -8,6 +8,11 @@ $(document).ready(function() {
     });
   };
 
+  SlackArena.errorMessage = function(message) {
+    SlackArena.message(message)
+    $('#messages').addClass('has-error');
+  };
+
   SlackArena.error = function(xhr) {
     try {
       var message;

public/subscribe.html.erb

@@ -26,10 +26,10 @@
           <% team = Team.where(team_id: request.params['team_id']).first %>
 
           var team = {
-            id: '<%= team && team.team_id %>',
-            name: '<%= team && team.name %>',
-            subscribed: <%= !!(team && team.subscribed) %>,
-          }
+            id: "<%= team && team.team_id %>",
+            name: <%= JSON::generate(ERB::Util.html_escape(team && team.name)) %>,
+            subscribed: <%= !!(team && team.subscribed) %>
+          };
 
           if (team.subscribed) {
             SlackArena.message('Team <b>' + team.name + '</b> is already subscribed, thank you for your support.');
@@ -38,7 +38,7 @@
             SlackArena.message('Subscribe team <b>' + team.name + '</b> for $4.99/yr.');
           } else {
             $('#subscribeButton').remove();
-            SlackArena.message('Missing or invalid team ID.');
+            SlackArena.errorMessage('Missing or invalid team ID.');
           }
 
           var handler = StripeCheckout.configure({

public/update_cc.html.erb

@@ -45,13 +45,14 @@
             team_id: "<%= team ? team.id : nil %>"
           };
 
-          if (data.stripe_token) {
+          var team = {
+            id: "<%= team && team.team_id %>",
+            name: <%= JSON::generate(ERB::Util.html_escape(team && team.name)) %>,
+          };
 
-            var team = {
-              id: <%= team ? "'#{team._id}'" : 'null' %>,
-              name: <%= team ? "'#{team.name}'" : 'null' %>
-            };
+          SlackArena.message('Update credit card for team <b>' + team.name + '</b>.');
 
+          if (data.stripe_token && data.stripe_token.length > 0) {
             $.ajax({
               type: 'POST',
               url: '/api/credit_cards',
@@ -62,6 +63,10 @@
               },
               error: SlackArena.error
             });
+          } else if (!data.team_id || data.team_id.length == 0) {
+            SlackArena.errorMessage("Team not found.")
+            $('form').remove();
+            $('#update_cc').hide();
           }
         });
       </script>

spec/integration/connect_spec.rb

@@ -1,20 +1,43 @@
 require 'spec_helper'
 
 describe 'Connect', :js, type: :feature do
-  let(:user) { Fabricate(:user) }
+  context 'without a user' do
+    before do
+      visit '/connect'
+    end
 
-  it 'connects a user to their Arena account', vcr: { cassette_name: 'arena/oauth_token' } do
-    expect_any_instance_of(Slack::Web::Client).to receive(:chat_postEphemeral).with(
-      user: user.user_id,
-      text: 'Successfully connected your Are.na account.',
-      channel: 'C1'
-    )
+    it 'requires a user' do
+      expect(find_by_id('messages')).to have_text('Missing or invalid parameters.')
+    end
+  end
 
-    state = CGI.escape([user.id.to_s, 'C1'].join(','))
-    visit "/connect?code=code&state=#{state}"
-    expect(find_by_id('messages', text: 'Successfully connected your Are.na account. You can now return to Slack.', visible: true))
+  [
+    Faker::Internet.user_name,
+    "#{Faker::Internet.user_name}'s",
+    '💥 bob',
+    'ваня',
+    "\"#{Faker::Internet.user_name}'s\"",
+    "#{Faker::Name.first_name} #{Faker::Name.last_name}",
+    "#{Faker::Name.first_name}\n#{Faker::Name.last_name}",
+    "<script>alert('xss');</script>",
+    '<script>alert("xss");</script>'
+  ].each do |user_name|
+    context "user #{user_name}" do
+      let!(:user) { Fabricate(:user, user_name: user_name) }
 
-    user.reload
-    expect(user.arena_token).to eq 'token'
+      it 'displays connect page and connects a user to their Arena account', vcr: { cassette_name: 'arena/oauth_token' } do
+        expect_any_instance_of(Slack::Web::Client).to receive(:chat_postEphemeral).with(
+          user: user.user_id,
+          text: 'Successfully connected your Are.na account.',
+          channel: 'C1'
+        )
+        allow(User).to receive(:where).with({ id: user.id }).and_return([user])
+        expect(user).to receive(:connect!).with('code', 'C1').and_call_original
+        state = CGI.escape([user.id.to_s, 'C1'].join(','))
+        visit "/connect?state=#{state}&code=code"
+        expect(find_by_id('messages')).to have_text("Successfully connected #{user.user_name.gsub("\n", ' ')} to Are.na. You can now return to Slack.")
+        expect(user.reload.arena_token).to eq 'token'
+      end
+    end
   end
 end