Merge pull request #3117 from refinery/bugfix/3097

Bugfix #3097
refinery · Mar 5, 2016 · 9f4c336 · 9f4c336
2 parents 9b2597c + 8d27789
commit 9f4c336
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 6 deletions.
diff --git a/core/app/helpers/refinery/tag_helper.rb b/core/app/helpers/refinery/tag_helper.rb
@@ -5,7 +5,8 @@ module TagHelper
 
     # Remember to wrap your block with <span class='label_with_help'></span> if you're using a label next to the help tag.
     def refinery_help_tag(title='Tip')
-      action_icon(:info, '#', title.html_safe? ? title : h(title), {tooltip: title})
+      title = title.html_safe? ? title : h(title)
+      action_icon(:info, '#', title, {tooltip: title})
     end
 
     # This is just a quick wrapper to render an image tag that lives inside refinery/icons.

diff --git a/core/app/views/layouts/refinery/admin.html.erb b/core/app/views/layouts/refinery/admin.html.erb
@@ -1,6 +1,6 @@
 <!DOCTYPE html>
 <%= render '/refinery/html_tag' %>
-  <% content_for :meta, "<meta refinerycms='#{Refinery.version}' />".html_safe %>
+  <% content_for :meta, tag(:meta, name: 'refinerycms', content: Refinery.version) %>
   <%= render 'refinery/admin/head' %>
   <body class="<%= action_name %> <%= I18n.locale %>">
     <%= render '/refinery/site_bar' %>

diff --git a/core/app/views/refinery/_head.html.erb b/core/app/views/refinery/_head.html.erb
@@ -1,8 +1,8 @@
 <meta charset='<%= Rails.application.config.encoding %>' />
 <!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" /><![endif]-->
 <title><%= browser_title(yield(:title)) %></title>
-<%= raw %(<meta name="description" content="#{@meta.meta_description}" />) if @meta.meta_description.present? -%>
-<%= raw %(<link rel="canonical" href="#{request.protocol}#{request.host_with_port}#{@canonical}" />) if @canonical.present? -%>
+<%= tag(:meta, name: 'description', content: @meta.meta_description) if @meta.meta_description.present? -%>
+<%= tag(:link, href: request.protocol+request.host_with_port+@canonical, rel: 'canonical') if @canonical.present? -%>
 <%= csrf_meta_tags if Refinery::Core.authenticity_token_on_frontend -%>
 <%= yield :meta %>
 

diff --git a/core/lib/refinery/core/engine.rb b/core/lib/refinery/core/engine.rb
@@ -36,7 +36,7 @@ def refinery_inclusion!
       # Wrap errors in spans
       config.to_prepare do
         ActionView::Base.field_error_proc = Proc.new do |html_tag, instance|
-          "<span class=\"fieldWithErrors\">#{html_tag}</span>".html_safe
+          ActionController::Base.helpers.content_tag(:span, html_tag, class: "fieldWithErrors")
         end
       end
 

diff --git a/pages/app/presenters/refinery/pages/section_presenter.rb b/pages/app/presenters/refinery/pages/section_presenter.rb
@@ -11,6 +11,7 @@ module Pages
     # Sections may be hidden, in which case they wont display at all.
     class SectionPresenter
       include ActionView::Helpers::TagHelper
+      include ActionView::Helpers::SanitizeHelper
 
       def initialize(initial_hash = {})
         initial_hash.map do |key, value|
@@ -62,6 +63,10 @@ def html_from_fallback(can_use_fallback)
       attr_writer :id, :fallback_html, :hidden
 
       def wrap_content_in_tag(content)
+        content = sanitize(content,
+          tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS,
+          attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
+        )
         content_tag(:section, content_tag(:div, content, :class => 'inner'), :id => id)
       end
     end

diff --git a/pages/app/presenters/refinery/pages/title_section_presenter.rb b/pages/app/presenters/refinery/pages/title_section_presenter.rb
@@ -7,7 +7,7 @@ class TitleSectionPresenter < SectionPresenter
     private
 
       def wrap_content_in_tag(content)
-        content_tag(:h1, content, :id => id)
+        content_tag(:h1, sanitize(content), :id => id)
       end
     end
   end