Merge pull request #595 from sgmap/remove_html_safe

Remove html safe
gregoirenovel 2017-07-13 10:38:09 +02:00 committed by GitHub
commit bf775b4b2b
25 changed files with 38 additions and 37 deletions


@ -56,7 +56,7 @@ jobs:
bundle exec rspec --color --require spec_helper -- ${TESTFILES} bundle exec rspec --color --require spec_helper -- ${TESTFILES}
- run: - run:
name: Run rubocop name: Run rubocop
command: bundle exec rubocop command: bundle exec rubocop -R
- run: - run:
name: Run haml-lint name: Run haml-lint
command: bundle exec haml-lint app/views/ command: bundle exec haml-lint app/views/
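Review bot: `Rails/OutputSafety` belongs to RuboCop's Rails department, which only runs when RuboCop is started with `-R`; the CI command on the rubocop line now does that, but a developer running plain `bundle exec rubocop` locally still gets no `html_safe` warnings and will only discover them in CI. Enabling the department in `.rubocop.yml` with `Rails:` / `Enabled: true` makes the cop run in every invocation without depending on the command-line flag. The CI line can then stay as plain `bundle exec rubocop`, matching whatever editors and hooks call.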


@ -570,7 +570,7 @@ Rails/Output:
Enabled: false Enabled: false
Rails/OutputSafety: Rails/OutputSafety:
Enabled: false Enabled: true
Rails/PluralizationGrammar: Rails/PluralizationGrammar:
Enabled: false Enabled: false


@ -48,7 +48,7 @@ class Admin::GestionnairesController < AdminController
flash.notice = 'Accompagnateur ajouté' flash.notice = 'Accompagnateur ajouté'
GestionnaireMailer.new_gestionnaire(@gestionnaire.email, @gestionnaire.password).deliver_now! GestionnaireMailer.new_gestionnaire(@gestionnaire.email, @gestionnaire.password).deliver_now!
else else
flash.alert = @gestionnaire.errors.full_messages.join('<br />').html_safe flash.alert = @gestionnaire.errors.full_messages
end end
end end
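Review bot: The enclosing action (its start and end are outside this hunk) passes the new account's cleartext password to `GestionnaireMailer.new_gestionnaire(@gestionnaire.email, @gestionnaire.password)`; if the mailer puts it in the message body, the credential travels through every relay and mailbox on the path, and this commit leaves that untouched. An invitation mail carrying a one-time reset token, as Devise's recoverable flow does, avoids emailing the secret at all. Separately, `flash.alert` is now an Array rather than a String; that survives the session round-trip, but any view that treats the flash value as a String (the `.js.erb` flash templates in this commit call `sanitize(message)` on each value) will either raise or render the array's `to_s` form.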


@ -71,7 +71,7 @@ class Admin::ProceduresController < AdminController
@procedure.module_api_carto = ModuleAPICarto.new(create_module_api_carto_params) if @procedure.valid? @procedure.module_api_carto = ModuleAPICarto.new(create_module_api_carto_params) if @procedure.valid?
unless @procedure.save unless @procedure.save
flash.now.alert = @procedure.errors.full_messages.join('<br />').html_safe flash.now.alert = @procedure.errors.full_messages
return render 'new' return render 'new'
end end
@ -83,7 +83,7 @@ class Admin::ProceduresController < AdminController
@procedure = current_administrateur.procedures.find(params[:id]) @procedure = current_administrateur.procedures.find(params[:id])
unless @procedure.update_attributes(procedure_params) unless @procedure.update_attributes(procedure_params)
flash.now.alert = @procedure.errors.full_messages.join('<br />').html_safe flash.now.alert = @procedure.errors.full_messages
return render 'edit' return render 'edit'
end end
@ -166,7 +166,7 @@ class Admin::ProceduresController < AdminController
flash.notice = 'Procédure clonée' flash.notice = 'Procédure clonée'
redirect_to edit_admin_procedure_path(id: new_procedure.id) redirect_to edit_admin_procedure_path(id: new_procedure.id)
else else
flash.now.alert = procedure.errors.full_messages.join('<br />').html_safe flash.now.alert = procedure.errors.full_messages
render 'index' render 'index'
end end


@ -20,7 +20,7 @@ class AdministrationsController < ApplicationController
flash.notice = "Administrateur créé" flash.notice = "Administrateur créé"
NewAdminMailer.new_admin_email(admin).deliver_now! NewAdminMailer.new_admin_email(admin).deliver_now!
else else
flash.alert = admin.errors.full_messages.join('<br>').html_safe flash.alert = admin.errors.full_messages
end end
redirect_to administrations_path redirect_to administrations_path


@ -32,7 +32,7 @@ class CommentairesController < ApplicationController
if pj.errors.empty? if pj.errors.empty?
@commentaire.piece_justificative = pj @commentaire.piece_justificative = pj
else else
flash.alert = pj.errors.full_messages.join("<br>").html_safe flash.alert = pj.errors.full_messages
end end
end end


@ -18,7 +18,7 @@ class InvitesController < ApplicationController
flash.notice = "Invitation envoyée (#{invite.email})" flash.notice = "Invitation envoyée (#{invite.email})"
else else
flash.alert = invite.errors.full_messages.join('<br />').html_safe flash.alert = invite.errors.full_messages
end end
if gestionnaire_signed_in? if gestionnaire_signed_in?


@ -69,16 +69,16 @@ class Users::DescriptionController < UsersController
unless params[:cerfa_pdf].nil? unless params[:cerfa_pdf].nil?
cerfa = Cerfa.new(content: params[:cerfa_pdf], dossier: @dossier, user: current_user) cerfa = Cerfa.new(content: params[:cerfa_pdf], dossier: @dossier, user: current_user)
unless cerfa.save unless cerfa.save
flash.alert = cerfa.errors.full_messages.join('<br />').html_safe flash.alert = cerfa.errors.full_messages
end end
end end
end end
if !((errors_upload = PiecesJustificativesService.upload!(@dossier, current_user, params)).empty?) if !((errors_upload = PiecesJustificativesService.upload!(@dossier, current_user, params)).empty?)
if flash.alert.nil? if flash.alert.nil?
flash.alert = errors_upload.join('<br>').html_safe flash.alert = errors_upload
else else
flash.alert = (flash.alert + '<br />' + errors_upload.join('<br>').html_safe).html_safe flash.alert = [flash.alert] + errors_upload
end end
else else
@ -100,7 +100,7 @@ class Users::DescriptionController < UsersController
private private
def redirect_to_description_with_errors(dossier, errors) def redirect_to_description_with_errors(dossier, errors)
flash.alert = errors.join('<br>') flash.alert = errors
redirect_to users_dossier_description_path(dossier_id: dossier.id) redirect_to users_dossier_description_path(dossier_id: dossier.id)
end end
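Review bot: In the upload-error merge, `flash.alert = [flash.alert] + errors_upload` nests the earlier value: `flash.alert` was already set to an Array by `cerfa.errors.full_messages` a few lines up, so the result is `[[cerfa errors...], upload errors...]`, and a flash partial that iterates the array hands an inner Array to `sanitize` instead of a String. `flash.alert = Array(flash.alert) + errors_upload` handles the Array case, a legacy String value and `nil` alike, which also makes the `flash.alert.nil?` branch unnecessary. `redirect_to_description_with_errors` is fine as long as `errors` is always an Array; `flash.alert = Array(errors)` would document that expectation.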


@ -133,7 +133,7 @@ class Users::DossiersController < UsersController
if checked_autorisation_donnees? if checked_autorisation_donnees?
unless Dossier.find(@facade.dossier.id).update_attributes update_params_with_formatted_birthdate unless Dossier.find(@facade.dossier.id).update_attributes update_params_with_formatted_birthdate
flash.alert = @facade.dossier.errors.full_messages.join('<br />').html_safe flash.alert = @facade.dossier.errors.full_messages
return redirect_to users_dossier_path(id: @facade.dossier.id) return redirect_to users_dossier_path(id: @facade.dossier.id)
end end


@ -14,6 +14,6 @@ class ChampDecorator < Draper::Decorator
end end
def description_with_links def description_with_links
description.gsub(URI.regexp, '<a target="_blank" href="\0">\0</a>').html_safe if description description.gsub(URI.regexp, '<a target="_blank" href="\0">\0</a>') if description
end end
end end
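Review bot: `description_with_links` now returns a plain String that contains markup, so every caller must remember to `sanitize` it before output; nothing in the method says so, and a caller that writes `= champ.description_with_links` gets the anchors escaped as visible text. The anchor also opens with `target="_blank"` and no `rel`, which lets the linked page reach `window.opener` (reverse tabnabbing); use `'<a target="_blank" rel="noopener noreferrer" href="\0">\0</a>'` and allow `rel` wherever the output is sanitized. A comment such as `# Returns unsanitized HTML; callers must pass the result through sanitize` would make the contract explicit. Note that `URI.regexp` is obsolete since Ruby 2.2 and matches any `scheme:` prefix, so protocol filtering has to happen in the sanitizer, not here.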


@ -1,4 +1,4 @@
<% flash.each do |type, message| %> <% flash.each do |type, message| %>
$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= message.html_safe %></div>").children().fadeOut(5000) $("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= sanitize(message) %></div>").children().fadeOut(5000)
<% end %> <% end %>
$('#piece_justificative_form').html("<%= escape_javascript(render partial: 'form', locals: { procedure: @procedure } ) %>"); $('#piece_justificative_form').html("<%= escape_javascript(render partial: 'form', locals: { procedure: @procedure } ) %>");
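Review bot: `sanitize(message)` returns an html_safe SafeBuffer, so ERB emits it verbatim inside the double-quoted JavaScript string on the first line; a message containing `"`, a newline or `</script>` terminates the string literal, and `sanitize` does not escape those characters. Wrap it with `escape_javascript`, as the `render partial:` call on the last line already does: `<%= j sanitize(message) %>`. Flash messages here are plain text, so `<%= j message %>` (ERB auto-escaping plus JS escaping) would be tighter still; and since the controllers in this commit now store Arrays in `flash.alert`, `message` may no longer be a String at all.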


@ -60,7 +60,7 @@
%h4.text-info %h4.text-info
= @facade.procedure.libelle = @facade.procedure.libelle
= h @facade.procedure.description.html_safe = h sanitize(@facade.procedure.description)
.champs.col-xs-6.col-md-3 .champs.col-xs-6.col-md-3
%h4.text-info %h4.text-info
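Review bot: `h sanitize(...)` on the description line gives no more protection than `sanitize(...)` alone: `sanitize` returns an html_safe buffer and `h` (html_escape) returns html_safe input unchanged, so the `h` is a no-op that reads as a second layer of escaping. Either drop it, or, if the description is meant to be plain text, write `= @facade.procedure.description` and let HAML escape it; keeping the sanitizer is only warranted if administrators are expected to author HTML in that field.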


@ -2,7 +2,7 @@
transfer_errors_message(true); transfer_errors_message(true);
<%- else %> <%- else %>
$("#main-container").prepend("<div class='row'><div id='flash_message'></div></div>"); $("#main-container").prepend("<div class='row'><div id='flash_message'></div></div>");
$("#flash_message").prepend("<div class=\"alert alert-success\"> <%= flash.notice.html_safe %></div>"); $("#flash_message").prepend("<div class=\"alert alert-success\"> <%= sanitize(flash.notice) %></div>");
<% flash.clear %> <% flash.clear %>
transfer_errors_message(false); transfer_errors_message(false);
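Review bot: `sanitize(flash.notice)` is interpolated into a double-quoted JavaScript string literal in the `prepend` call; because the sanitizer's result is html_safe, ERB does not escape it, and a notice containing `"` or a line break ends the string early and lets the remainder run as script. `InvitesController` in this same commit builds a notice from `invite.email`, so the value is not entirely under the application's control. Use `<%= j sanitize(flash.notice) %>`, or `<%= j flash.notice %>` since notices are plain text.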


@ -1,5 +1,5 @@
<% flash.each do |type, message| %> <% flash.each do |type, message| %>
$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= message.html_safe %></div>").children().fadeOut(5000) $("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= sanitize(message) %></div>").children().fadeOut(5000)
<% end %> <% end %>
$('#liste-champ').html("<%= escape_javascript(render partial: 'admin/types_de_champ/form', locals: { procedure: @procedure, types_de_champ: @types_de_champ } ) %>"); $('#liste-champ').html("<%= escape_javascript(render partial: 'admin/types_de_champ/form', locals: { procedure: @procedure, types_de_champ: @types_de_champ } ) %>");
on_change_type_de_champ_select (); on_change_type_de_champ_select ();
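Review bot: The `sanitize(message)` result is emitted unescaped inside the JavaScript string passed to `.html(...)`, so the sanitizer protects the eventual DOM insertion but not the JS string context it sits in; `"`, newlines and `</script>` in a message are not neutralised. `<%= j sanitize(message) %>` closes that gap, mirroring the `escape_javascript` already applied to the rendered partial two lines below. If `flash` ever holds an Array, as the controllers in this commit now set, `message` would need to be joined or iterated first.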


@ -53,7 +53,7 @@
%td.center %td.center
- if current_gestionnaire.follow?(dossier.id) - if current_gestionnaire.follow?(dossier.id)
= link_to('Quitter'.html_safe, backoffice_dossier_follow_path(dossier_id: dossier.id), 'data-method' => :put, class: 'btn-sm btn-danger', id: "suivre_dossier_#{dossier.id}") = link_to('Quitter', backoffice_dossier_follow_path(dossier_id: dossier.id), 'data-method' => :put, class: 'btn-sm btn-danger', id: "suivre_dossier_#{dossier.id}")
- else - else
= link_to('Suivre', backoffice_dossier_follow_path(dossier_id: dossier.id), 'data-method' => :put, class: 'btn-sm btn-primary', id: "suivre_dossier_#{dossier.id}") = link_to('Suivre', backoffice_dossier_follow_path(dossier_id: dossier.id), 'data-method' => :put, class: 'btn-sm btn-primary', id: "suivre_dossier_#{dossier.id}")
%td.center{ style: "color: #{dossier.total_follow == 0 ? 'red' : ''}" } %td.center{ style: "color: #{dossier.total_follow == 0 ? 'red' : ''}" }


@ -1,4 +1,4 @@
<% flash.each do |type, message| %> <% flash.each do |type, message| %>
$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= message.html_safe %></div>").children().fadeOut(5000) $("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= sanitize(message) %></div>").children().fadeOut(5000)
<% end %> <% end %>
<% flash.clear %> <% flash.clear %>
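Review bot: Same JavaScript-context issue as the other flash templates: `sanitize(message)` is html_safe, so it is dropped into the double-quoted JS string without escaping, and a `"` or newline in the message ends the literal early. Apply `escape_javascript` after sanitizing: `<%= j sanitize(message) %>`.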


@ -16,9 +16,9 @@
= @facade.procedure.libelle = @facade.procedure.libelle
%p#description_procedure{ style: 'width: 95%;', class: (@facade.entreprise.nil? ? '' : 'mask') } %p#description_procedure{ style: 'width: 95%;', class: (@facade.entreprise.nil? ? '' : 'mask') }
= h @facade.procedure.description.html_safe = h sanitize(@facade.procedure.description)
- unless @facade.procedure.lien_site_web.blank? - unless @facade.procedure.lien_site_web.blank?
.center .center
%a{ href: "#{@facade.procedure.lien_site_web.html_safe}", target: '_blank' } %a{ href: @facade.procedure.lien_site_web, target: '_blank' }
En savoir plus ... En savoir plus ...
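Review bot: `lien_site_web` is written straight into `href` with `target: '_blank'`; HAML escapes the attribute value, but it does not validate the scheme, so a stored value such as `javascript:...` would still produce a clickable script URL unless the model restricts it (no validation is visible here). Add `rel: 'noopener noreferrer'` to the anchor so the target page cannot reach `window.opener`, and if the model does not validate the field, guard the link with `- if @facade.procedure.lien_site_web =~ %r{\Ahttps?://}i` or equivalent. The `h` in front of `sanitize` on the description line is a no-op, because `sanitize` already returns an html_safe buffer that `h` passes through unchanged.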


@ -36,8 +36,7 @@
%p %p
%label{ style: 'font-weight: normal;' } %label{ style: 'font-weight: normal;' }
= f.check_box :autorisation_donnees = f.check_box :autorisation_donnees
= "&nbsp;".html_safe  Vos informations personnelles ne seront jamais utilisées dans un but lucratif ou commercial. Elles ne pourront être communiquées à de tierces personnes sans votre accord préalable. Elles pourront en revanche être communiquées aux administrations compétentes afin d'instruire votre dossier, conformément à la déclaration CNIL effectuée par le service TPS.
Vos informations personnelles ne seront jamais utilisées dans un but lucratif ou commercial. Elles ne pourront être communiquées à de tierces personnes sans votre accord préalable. Elles pourront en revanche être communiquées aux administrations compétentes afin d'instruire votre dossier, conformément à la déclaration CNIL effectuée par le service TPS.
= link_to 'en savoir plus', cgu_path, target: '_blank' = link_to 'en savoir plus', cgu_path, target: '_blank'
.row .row
.col-xs-5.col-xs-5 .col-xs-5.col-xs-5


@ -23,9 +23,10 @@
dont <span style='font-weight: bold; color: #FF5D60; padding: 2px 0;' >#{procedure_overview.old_dossiers_en_construction.count}</span> depuis plus de 7 jours dont <span style='font-weight: bold; color: #FF5D60; padding: 2px 0;' >#{procedure_overview.old_dossiers_en_construction.count}</span> depuis plus de 7 jours
- if procedure_overview.old_dossiers_en_construction.count < 6 - if procedure_overview.old_dossiers_en_construction.count < 6
\: \:
= procedure_overview.old_dossiers_en_construction.map do |old_dossier| - old_dossiers_en_construction = procedure_overview.old_dossiers_en_construction.map do |old_dossier|
- link_to "nº #{old_dossier.id}", backoffice_dossier_url(old_dossier), style: 'color: #4393F3;' - link_to "nº #{old_dossier.id}", backoffice_dossier_url(old_dossier), style: 'color: #4393F3;'
- end.join(', ').html_safe - end.join(', ')
= sanitize(old_dossiers_en_construction, attributes: %w(href style))
- if procedure_overview.dossiers_en_instruction_count > 0 - if procedure_overview.dossiers_en_instruction_count > 0
%tr %tr
@ -36,9 +37,10 @@
dont <span style='font-weight: bold; color: #FF5D60; padding: 2px 0;' >#{procedure_overview.old_dossiers_en_instruction.count}</span> depuis plus de 7 jours dont <span style='font-weight: bold; color: #FF5D60; padding: 2px 0;' >#{procedure_overview.old_dossiers_en_instruction.count}</span> depuis plus de 7 jours
- if procedure_overview.old_dossiers_en_instruction.count < 6 - if procedure_overview.old_dossiers_en_instruction.count < 6
\: \:
= procedure_overview.old_dossiers_en_instruction.map do |old_dossier| - old_dossiers_en_instruction = procedure_overview.old_dossiers_en_instruction.map do |old_dossier|
- link_to "nº #{old_dossier.id}", backoffice_dossier_url(old_dossier), style: 'color: #4393F3;' - link_to "nº #{old_dossier.id}", backoffice_dossier_url(old_dossier), style: 'color: #4393F3;'
- end.join(', ').html_safe - end.join(', ')
= sanitize(old_dossiers_en_instruction, attributes: %w(href style))
- if index != (@args[:procedure_overviews].count - 1) - if index != (@args[:procedure_overviews].count - 1)
.spacer{ style: 'border-bottom: 1px solid #CCC; margin: 25px 0 30px;' } .spacer{ style: 'border-bottom: 1px solid #CCC; margin: 25px 0 30px;' }
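Review bot: Both link lists are built by `join`ing `link_to` results, which yields a plain String that then has to be re-parsed by `sanitize` with `href` and `style` allowed; the links contain only `old_dossier.id` and a generated URL, so the sanitizer pass adds a re-parse and a widened attribute allow-list (`style`) rather than protection. `safe_join` is the Rails helper for exactly this case: `= safe_join(procedure_overview.old_dossiers_en_construction.map { |old_dossier| link_to("nº #{old_dossier.id}", backoffice_dossier_url(old_dossier), style: 'color: #4393F3;') }, ', ')` keeps each `link_to` result's escaping intact with neither `html_safe` nor `sanitize`, and `Rails/OutputSafety` accepts it. The same rewrite applies to the `old_dossiers_en_instruction` block.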


@ -4,8 +4,8 @@
- if value.class == Array - if value.class == Array
.alert{ class: flash_class(key) } .alert{ class: flash_class(key) }
- value.each do |message| - value.each do |message|
= message = sanitize(message)
%br %br
- else - else
.alert{ class: flash_class(key) } .alert{ class: flash_class(key) }
= value = sanitize(value)
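Review bot: `sanitize(message)` and `sanitize(value)` keep the sanitizer's safe-listed tags, so any markup that reaches a flash message (for example a value echoed back by a custom validator, or the `invite.email` interpolated into a notice elsewhere in this commit) is rendered as HTML rather than shown as text. The messages the controllers now store are plain strings and the `<br />` joins they used to carry are gone, so `= message` and `= value` with HAML's default escaping are both simpler and strictly safer. If some flash value must carry markup, sanitizing it where it is built, with an explicit `tags:` list, keeps the policy next to the content instead of in this generic partial. Note also that the Array branch will receive nested Arrays from `Users::DescriptionController` as written in this commit, and `sanitize` on an Array is not meaningful.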


@ -1,8 +1,8 @@
= "<!--[if lt IE 10]>".html_safe <!--[if lt IE 10]>
.center{ style: 'width: 100%; background-color: white; position: fixed; top: 0; left: 0; z-index: 100000;' } .center{ style: 'width: 100%; background-color: white; position: fixed; top: 0; left: 0; z-index: 100000;' }
%h3.text-danger %h3.text-danger
%b %b
Votre version d'Internet Explorer est trop ancienne pour être utilisée sur le service TPS. Version minimum : Internet Explorer 10 Votre version d'Internet Explorer est trop ancienne pour être utilisée sur le service TPS. Version minimum : Internet Explorer 10
= "<![endif]-->".html_safe <![endif]-->
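Review bot: The conditional comment is now two literal text lines wrapping a sibling block, which works only because HAML emits plain text verbatim; nothing ties the opening and closing markers together, so re-indenting or moving the `.center` block silently breaks the comment. HAML has a dedicated syntax for this: replace both literal lines with `/[if lt IE 10]` and nest the `.center` block one level under it, and HAML emits the `<!--[if lt IE 10]>` / `<![endif]-->` pair itself with correct nesting.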


@ -60,4 +60,4 @@
- unless champ.description.empty? - unless champ.description.empty?
%div{ id: "description_champs_#{champ.id}", class: ('help-block' unless champ.type_champ == 'engagement') } %div{ id: "description_champs_#{champ.id}", class: ('help-block' unless champ.type_champ == 'engagement') }
= champ.description_with_links = sanitize(champ.description_with_links, attributes: %w(href target))
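Review bot: `champ.description.empty?` on the first line raises `NoMethodError` when `description` is `nil`, a case that `ChampDecorator#description_with_links` in this same commit guards against with `if description`; `- unless champ.description.blank?` covers both. The `attributes: %w(href target)` option replaces the sanitizer's default attribute list rather than extending it, which is fine here, but `target` without `rel` leaves the generated links open to reverse tabnabbing; once the decorator emits `rel="noopener noreferrer"`, this list needs `attributes: %w(href target rel)` as well.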


@ -13,7 +13,7 @@
%h2#titre-procedure.text-info %h2#titre-procedure.text-info
= @dossier.procedure.libelle = @dossier.procedure.libelle
%p.procedure-description %p.procedure-description
= h @dossier.procedure.description.html_safe = h sanitize(@dossier.procedure.description)
- else - else
#logo_procedure.flag #logo_procedure.flag
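Review bot: `h sanitize(@dossier.procedure.description)` does not double-protect: `sanitize` returns an html_safe buffer and `h` passes html_safe strings through unchanged, so the `h` is dead code that suggests an escaping step that never happens. Drop it, and decide per field whether the description is HTML (then `sanitize`, ideally with an explicit `tags:` list) or plain text (then plain `= @dossier.procedure.description`).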


@ -20,7 +20,7 @@
%h2.procedure-title %h2.procedure-title
= @dossier.procedure.libelle = @dossier.procedure.libelle
%p.procedure-description %p.procedure-description
= h @dossier.procedure.description.html_safe = h sanitize(@dossier.procedure.description)
.column.auth-form .column.auth-form
= form_for @user, url: user_session_path, html: { class: "form" } do |f| = form_for @user, url: user_session_path, html: { class: "form" } do |f|
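Review bot: As in the other procedure views, the `h` in front of `sanitize(...)` on the description line is a no-op; the result of `sanitize` is html_safe and `h` returns it untouched. Remove the `h` so the line does not imply an escaping step the code does not perform.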


@ -6,7 +6,7 @@
= @procedure.libelle = @procedure.libelle
%p %p
= @procedure.description.html_safe = sanitize(@procedure.description)
%br %br
= form_tag(url_for({ controller: :dossiers, action: :create }), class: 'form-inline', method: 'POST') do |f| = form_tag(url_for({ controller: :dossiers, action: :create }), class: 'form-inline', method: 'POST') do |f|
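Review bot: This is the fifth view in the commit that renders `procedure.description` through `sanitize`, each time with the default tag safe-list and, in some views, a redundant `h` in front; the allow-list policy for this one field is repeated across templates and will drift. A single view helper, for example `def procedure_description_html(procedure) sanitize(procedure.description, tags: %w(p br a strong em), attributes: %w(href)) end`, lets every template write `= procedure_description_html(@procedure)` and gives one place to tighten the list. The tag list above is only a suggestion; it should match whatever administrators are actually allowed to enter in that field.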