0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch

v3 patch against develop - Dominic Cleal, 06/17/2014 04:03 PM


app/controllers/application_controller.rb
165 165
  end
166 166

  
167 167
  def notice notice
168
    flash[:notice] = notice
168
    flash[:notice] = CGI::escapeHTML(notice)
169 169
  end
170 170

  
171 171
  def error error
172
    flash[:error] = error
172
    flash[:error] = CGI::escapeHTML(error)
173 173
  end
174 174

  
175 175
  def warning warning
176
    flash[:warning] = warning
176
    flash[:warning] = CGI::escapeHTML(warning)
177 177
  end
178 178

  
179 179
  # this method is used with nested resources, where obj_id is passed into the parameters hash.
......
283 283
    hash[:error_msg] = [hash[:error_msg]].flatten
284 284
    hash[:error_msg] = hash[:error_msg].join("<br/>")
285 285
    if hash[:render]
286
      flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty?
286
      flash.now[:error] = CGI::escapeHTML(hash[:error_msg]) unless hash[:error_msg].empty?
287 287
      render hash[:render]
288 288
      return
289 289
    elsif hash[:redirect]
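Review bot: In process_error the messages are still joined with `"<br/>"` on line 284 before the whole string goes through `CGI::escapeHTML` on the new line 286, so with more than one message the separator itself is escaped and renders as the literal text `&lt;br/&gt;`. Escape each element before joining and leave the flash assignment unescaped: `hash[:error_msg] = hash[:error_msg].map { |m| CGI::escapeHTML(m) }.join("<br/>")` and `flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty?`. The `elsif hash[:redirect]` branch continues outside the hunk and presumably assigns `flash[:error]` from the same string; it needs the same treatment or the two branches will disagree. `CGI::escapeHTML` raises on a nil argument, so any caller of notice/error/warning that previously passed nil and got an empty flash will now fail, which is worth a quick grep. Since `CGI::escapeHTML` returns a plain (non html_safe) String, this fix assumes the layout renders the flash with `raw`; if it does not, messages will now be double-escaped.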
app/controllers/concerns/foreman/controller/taxonomies_controller.rb
93 93
      process_error
94 94
    end
95 95
  rescue Ancestry::AncestryException
96
    flash[:error] = _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name }
97
    process_error
96
    process_error(:error_msg => _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name })
98 97
  end
99 98

  
100 99
  def select
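Review bot: The new line 96 packs the gettext call, the interpolation hash and the `process_error` call onto a single line well past 120 columns, which hides the `:error_msg` key at the far right. Bind the message first: `msg = _('Cannot delete %{current} because it has nested %{sti_name}.') % { :current => @taxonomy.title, :sti_name => @taxonomy.sti_name }` and then `process_error(:error_msg => msg)`. Routing the message through `:error_msg` means `process_error`, which escapes it per the application_controller hunk on this page, now owns the flash assignment; `@taxonomy.title` is user-entered data, so that is the right path. The enclosing method starts outside the hunk.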
app/controllers/hostgroups_controller.rb
78 78
        process_error
79 79
      end
80 80
    rescue Ancestry::AncestryException
81
      flash[:error] = _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title }
82
      process_error
81
      process_error(:error_msg => ("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title } )
83 82
    end
84 83
  end
85 84

  
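Review bot: The new line 81 drops the `_()` gettext wrapper that the removed line 81 had, so "Cannot delete group %{current} because it has nested groups." is no longer translated — the parenthesised bare string is a regression unrelated to the escaping fix. Restore it: `process_error(:error_msg => _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.title })`, which also removes the stray space before the closing paren. The enclosing method starts outside the hunk.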
app/controllers/roles_controller.rb
41 41
  def clone
42 42
    @cloned_role      = true
43 43
    @original_role_id = @role.id
44
    flash[:notice] = _("Role cloned from role %{old_name}") %
45
                      { :old_name => @role.name }
44
    notice(_("Role cloned from role %{old_name}") % { :old_name => @role.name })
46 45
    @role = Role.new
47 46
    render :action => :new
48 47
  end
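Review bot: The `notice(...)` call on new line 44 sets `flash[:notice]` (per the helper in the application_controller hunk on this page) while the action then does `render :action => :new` on line 47, so the message is shown in this response and carried over into the following request as well. That behaviour predates the patch, but moving the assignment into a helper makes it harder to spot a redirect-style flash being set during a render; if the carry-over is unintended, use `flash.now[:notice] = CGI::escapeHTML(_("Role cloned from role %{old_name}") % { :old_name => @role.name })` here, or give the helper a flash.now variant. Either way the escaping of `@role.name` is preserved.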
test/functional/smart_proxies_controller_test.rb
70 70
  def test_refresh_fail
71 71
    proxy = smart_proxies(:one)
72 72
    errors = ActiveModel::Errors.new(Host::Managed.new)
73
    errors.add :base, "Unable to communicate with the proxy: it's down"
73
    errors.add :base, "Unable to communicate with the proxy: it is down"
74 74
    SmartProxy.any_instance.stubs(:errors).returns(errors)
75 75
    SmartProxy.any_instance.stubs(:associate_features).returns(true)
76 76
    post :refresh, {:id => proxy}, set_session_user
77 77
    assert_redirected_to smart_proxies_url
78
    assert_equal "Unable to communicate with the proxy: it's down", flash[:error]
78
    assert_equal "Unable to communicate with the proxy: it is down", flash[:error]
79 79
  end
80 80

  
81 81
  test "should search by name" do
82
-