From 662e359acbf268d881ed92b3cd0dca2ceb0cf819 Mon Sep 17 00:00:00 2001 From: Didier Lafforgue Date: Thu, 24 May 2012 19:19:46 +0200 Subject: [PATCH] fix issue #393 --- app/views/locomotive/content_entries/_form.html.haml | 2 +- app/views/locomotive/content_types/_form.html.haml | 4 ++-- app/views/locomotive/current_site/_form.html.haml | 2 +- .../custom_fields/types/_many_to_many.html.haml | 2 +- app/views/locomotive/my_account/edit.html.haml | 2 +- app/views/locomotive/pages/_form.html.haml | 2 +- .../locomotive/public/pages/show_toolbar.html.haml | 4 ++-- app/views/locomotive/shared/_head.html.haml | 4 ++-- app/views/locomotive/snippets/_form.html.haml | 2 +- app/views/locomotive/theme_assets/_form.html.haml | 2 +- app/views/locomotive/theme_assets/index.html.haml | 10 +++++----- lib/locomotive.rb | 1 + lib/locomotive/rails.rb | 1 + lib/locomotive/rails/action_view.rb | 9 +++++++++ 14 files changed, 29 insertions(+), 18 deletions(-) create mode 100644 lib/locomotive/rails.rb create mode 100644 lib/locomotive/rails/action_view.rb diff --git a/app/views/locomotive/content_entries/_form.html.haml b/app/views/locomotive/content_entries/_form.html.haml index a74e0c45..8ee4eaf3 100644 --- a/app/views/locomotive/content_entries/_form.html.haml +++ b/app/views/locomotive/content_entries/_form.html.haml @@ -3,7 +3,7 @@ - content_for :backbone_view_data do :plain - content_entry: #{@content_entry.to_json} + content_entry: #{j @content_entry.to_json.html_safe} = f.inputs :name => :attributes do - @content_type.ordered_entries_custom_fields.each_with_index do |field, index| diff --git a/app/views/locomotive/content_types/_form.html.haml b/app/views/locomotive/content_types/_form.html.haml index c8f15b5d..c39a61ee 100644 --- a/app/views/locomotive/content_types/_form.html.haml +++ b/app/views/locomotive/content_types/_form.html.haml 
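Review bot: On the added `content_entry:` line the `.html_safe` flag is attached to the `to_json` output before it reaches `j`, and since `json_escape` hands that flag through, nothing downstream HTML-escapes the payload any more: the only protection left is the `/` → `\/` rewrite, which stops a `</script>` sequence from closing the script block early. That is sound only as long as the interpolation stays in a script body (the `:plain` block under `backbone_view_data` here, the inline-script blocks in show_toolbar and _head) and is never copied into an attribute or a JavaScript string literal, where `"` and newlines are the characters that break out. The same construct appears in content_types/_form, current_site/_form, _many_to_many, my_account/edit, pages/_form, show_toolbar, shared/_head, snippets/_form, theme_assets/_form and theme_assets/index, so this note applies to all of them. A one-line HAML comment above the block, `-# marked html_safe on purpose: emitted inside <script>, j escapes "/" so the JSON cannot contain "</script>"`, would keep the next reader from dropping the `j` or reusing the pattern in a non-script context.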
@@ -3,8 +3,8 @@ - content_for :backbone_view_data do :plain - content_type: #{@content_type.persisted? ? @content_type.to_json : 'null'}, - inverse_of_list: #{options_for_content_type_inverse_of.to_json} + content_type: #{j @content_type.persisted? ? @content_type.to_json.html_safe : 'null'}, + inverse_of_list: #{j options_for_content_type_inverse_of.to_json.html_safe} = f.inputs :name => :information do diff --git a/app/views/locomotive/current_site/_form.html.haml b/app/views/locomotive/current_site/_form.html.haml index 503c2741..88af42fa 100644 --- a/app/views/locomotive/current_site/_form.html.haml +++ b/app/views/locomotive/current_site/_form.html.haml @@ -4,7 +4,7 @@ - content_for :backbone_view_data do :plain - site: #{@site.to_json(:current_account => current_locomotive_account, :current_site => current_site)}, + site: #{j @site.to_json(:current_account => current_locomotive_account, :current_site => current_site).html_safe}, errors: #{@site.errors.to_json} = f.inputs :name => :information do diff --git a/app/views/locomotive/custom_fields/types/_many_to_many.html.haml b/app/views/locomotive/custom_fields/types/_many_to_many.html.haml index 6680b1fa..1c7e0b0a 100644 --- a/app/views/locomotive/custom_fields/types/_many_to_many.html.haml +++ b/app/views/locomotive/custom_fields/types/_many_to_many.html.haml @@ -38,4 +38,4 @@ - content_for :backbone_view_data do :plain - , all_#{name}_entries: #{target_content_type.list_or_group_entries.to_json(:depth => 1)} \ No newline at end of file + , all_#{name}_entries: #{j target_content_type.list_or_group_entries.to_json(:depth => 1).html_safe} \ No newline at end of file diff --git a/app/views/locomotive/my_account/edit.html.haml b/app/views/locomotive/my_account/edit.html.haml index 8db6f987..994e1418 100644 --- a/app/views/locomotive/my_account/edit.html.haml +++ b/app/views/locomotive/my_account/edit.html.haml 
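Review bot: In current_site/_form the `site:` line is now routed through `j` with `.html_safe`, but the `errors: #{@site.errors.to_json}` line directly below it, inside the same `:plain` block, is left untouched. Whichever way HAML treats interpolation in that filter, the two lines are now inconsistent: either the error JSON is still emitted raw (the `</script>` exposure this commit closes, on a value that may carry validation text), or it is HTML-escaped into `&quot;` and breaks the script. Suggested change: `errors: #{j @site.errors.to_json.html_safe}`. The hunk ends before the rest of the form, so any further interpolations in that template are not visible here.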
@@ -2,7 +2,7 @@ - content_for :backbone_view_data do :plain - account: #{@account.to_json} + account: #{j @account.to_json.html_safe} - content_for :submenu do = render_cell 'locomotive/settings_menu', :show diff --git a/app/views/locomotive/pages/_form.html.haml b/app/views/locomotive/pages/_form.html.haml index 88179ff4..990945a8 100644 --- a/app/views/locomotive/pages/_form.html.haml +++ b/app/views/locomotive/pages/_form.html.haml @@ -5,7 +5,7 @@ - content_for :backbone_view_data do :plain - page: #{@page.to_presenter.as_json_for_html_view.to_json} + page: #{j @page.to_presenter.as_json_for_html_view.to_json.html_safe} - if can?(:manage, @page) diff --git a/app/views/locomotive/public/pages/show_toolbar.html.haml b/app/views/locomotive/public/pages/show_toolbar.html.haml index 909ac165..8aa8d068 100644 --- a/app/views/locomotive/public/pages/show_toolbar.html.haml +++ b/app/views/locomotive/public/pages/show_toolbar.html.haml @@ -20,8 +20,8 @@ window.content_locale = '#{::Mongoid::Fields::I18n.locale}'; Locomotive.mounted_on = '#{Locomotive.mounted_on}'; - Locomotive.current_site = new Locomotive.Models.Site(#{current_site.to_json}); - Locomotive.current_account = new Locomotive.Models.Account(#{current_locomotive_account.to_json}); + Locomotive.current_site = new Locomotive.Models.Site(#{j current_site.to_json.html_safe}); + Locomotive.current_account = new Locomotive.Models.Account(#{j current_locomotive_account.to_json.html_safe}); $(document).ready(function() { diff --git a/app/views/locomotive/shared/_head.html.haml b/app/views/locomotive/shared/_head.html.haml index 754413bd..06b04ddf 100644 --- a/app/views/locomotive/shared/_head.html.haml +++ b/app/views/locomotive/shared/_head.html.haml 
@@ -19,8 +19,8 @@ window.locale = '#{I18n.locale}'; window.content_locale = '#{::Mongoid::Fields::I18n.locale}'; - Locomotive.current_site = new Locomotive.Models.Site(#{current_site.to_presenter.as_json_for_html_view.to_json}); - Locomotive.current_account = new Locomotive.Models.Account(#{current_locomotive_account.to_json}); + Locomotive.current_site = new Locomotive.Models.Site(#{j current_site.to_presenter.as_json_for_html_view.to_json.html_safe}); + Locomotive.current_account = new Locomotive.Models.Account(#{j current_locomotive_account.to_json.html_safe}); $(document).ready(function() { diff --git a/app/views/locomotive/snippets/_form.html.haml b/app/views/locomotive/snippets/_form.html.haml index b2e3b3eb..e8686267 100644 --- a/app/views/locomotive/snippets/_form.html.haml +++ b/app/views/locomotive/snippets/_form.html.haml @@ -3,7 +3,7 @@ - content_for :backbone_view_data do :plain - snippet: #{@snippet.persisted? ? @snippet.to_presenter.as_json_for_html_view.to_json : 'null'} + snippet: #{j @snippet.persisted? ? @snippet.to_presenter.as_json_for_html_view.to_json.html_safe : 'null'} = f.inputs :name => :information do = f.input :name, :wrapper_html => { :class => 'highlighted' } diff --git a/app/views/locomotive/theme_assets/_form.html.haml b/app/views/locomotive/theme_assets/_form.html.haml index 8a07a300..175c6102 100644 --- a/app/views/locomotive/theme_assets/_form.html.haml +++ b/app/views/locomotive/theme_assets/_form.html.haml @@ -3,7 +3,7 @@ - content_for :backbone_view_data do :plain - theme_asset: #{@theme_asset.persisted? ? @theme_asset.to_json : 'null'} + theme_asset: #{j @theme_asset.persisted? ? @theme_asset.to_json.html_safe : 'null'} = f.hidden_field :performing_plain_text diff --git a/app/views/locomotive/theme_assets/index.html.haml b/app/views/locomotive/theme_assets/index.html.haml index 7c9e92ff..23904118 100644 --- a/app/views/locomotive/theme_assets/index.html.haml +++ b/app/views/locomotive/theme_assets/index.html.haml 
@@ -16,11 +16,11 @@ - content_for :backbone_view_data do :plain - snippets: #{can?(:manage, Locomotive::Snippet) ? @snippets.map { |snippet| snippet.to_presenter.as_json_for_html_view }.to_json : 'null'}, - images: #{theme_assets_to_json(@assets[:images])}, - media: #{theme_assets_to_json(@assets[:media])}, - js_and_css_assets: #{can?(:manage, Locomotive::ThemeAsset) ? theme_assets_to_json(@js_and_css_assets) : 'null'}, - fonts: #{can?(:manage, Locomotive::ThemeAsset) ? theme_assets_to_json(@assets[:fonts]) : 'null'} + snippets: #{j can?(:manage, Locomotive::Snippet) ? @snippets.map { |snippet| snippet.to_presenter.as_json_for_html_view }.to_json.html_safe : 'null'}, + images: #{j theme_assets_to_json(@assets[:images]).html_safe}, + media: #{j theme_assets_to_json(@assets[:media]).html_safe}, + js_and_css_assets: #{j can?(:manage, Locomotive::ThemeAsset) ? theme_assets_to_json(@js_and_css_assets).html_safe : 'null'}, + fonts: #{j can?(:manage, Locomotive::ThemeAsset) ? theme_assets_to_json(@assets[:fonts]).html_safe : 'null'} - content_for :submenu do = render_cell 'locomotive/settings_menu', :show diff --git a/lib/locomotive.rb b/lib/locomotive.rb index e15c1310..d8d3d46d 100644 --- a/lib/locomotive.rb +++ b/lib/locomotive.rb @@ -12,6 +12,7 @@ require 'locomotive/carrierwave' require 'locomotive/custom_fields' require 'locomotive/httparty' require 'locomotive/action_controller' +require 'locomotive/rails' require 'locomotive/routing' require 'locomotive/regexps' require 'locomotive/render' diff --git a/lib/locomotive/rails.rb b/lib/locomotive/rails.rb new file mode 100644 index 00000000..13b6affe --- /dev/null +++ b/lib/locomotive/rails.rb @@ -0,0 +1 @@ +require 'locomotive/rails/action_view' \ No newline at end of file diff --git a/lib/locomotive/rails/action_view.rb b/lib/locomotive/rails/action_view.rb new file mode 100644 index 00000000..eda5633d --- /dev/null +++ b/lib/locomotive/rails/action_view.rb 
@@ -0,0 +1,9 @@
+# http://jfire.io/blog/2012/04/30/how-to-securely-bootstrap-json-in-a-rails-view/
+class ActionView::Base
+ def json_escape(s)
+ result = s.to_s.gsub('/', '\/')
+ s.html_safe? ? result.html_safe : result
+ end
+
+ alias j json_escape
+end
\ No newline at end of file
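Review bot: `alias j json_escape` on `ActionView::Base` shadows the `j` that Rails' JavaScriptHelper defines as the short form of `escape_javascript` (present since Rails 3.1), because a method defined on the class itself wins over one mixed in from a helper module; every existing `j` call in a `.js.erb` or inline-script template would silently switch from escaping quotes and newlines to escaping only `/`. Reopening `ActionView::Base` also replaces the framework's own `json_escape` for every view, with a different contract, rather than adding a Locomotive-specific helper. Dropping the alias line and having the view hunks call `json_escape` (or a Locomotive-specific name) by name avoids both collisions; `escape_javascript` itself is not a substitute here, since it backslash-escapes `"`, which a JSON object literal cannot carry. The method also deserves a comment stating its scope, e.g. `# Escapes "/" so JSON inlined in a <script> body cannot contain "</script>"; relies on the JSON encoder for everything else and must not be used for attributes or JS string literals.`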