0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch

v3 patch against 1.4-stable - Dominic Cleal, 06/17/2014 04:04 PM


app/controllers/application_controller.rb
131 131
  end
132 132

  
133 133
  def notice notice
134
    flash[:notice] = notice
134
    flash[:notice] = CGI::escapeHTML(notice)
135 135
  end
136 136

  
137 137
  def error error
138
    flash[:error] = error
138
    flash[:error] = CGI::escapeHTML(error)
139 139
  end
140 140

  
141 141
  def warning warning
142
    flash[:warning] = warning
142
    flash[:warning] = CGI::escapeHTML(warning)
143 143
  end
144 144

  
145 145
  # this method is used with nested resources, where obj_id is passed into the parameters hash.
......
283 283
    hash[:error_msg] = [hash[:error_msg]].flatten
284 284
    hash[:error_msg] = hash[:error_msg].join("<br/>")
285 285
    if hash[:render]
286
      flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty?
286
      flash.now[:error] = CGI::escapeHTML(hash[:error_msg]) unless hash[:error_msg].empty?
287 287
      render hash[:render]
288 288
      return
289 289
    elsif hash[:redirect]
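Review bot: In the second hunk the messages are joined with `"<br/>"` on line 284 and the joined string is then passed through CGI::escapeHTML on the new line 286, so the separator itself is escaped and the flash will show a literal `&lt;br/&gt;` between messages instead of a line break. Escape each message before joining — `hash[:error_msg] = hash[:error_msg].map { |m| CGI::escapeHTML(m) }.join("<br/>")` on line 284 — and drop the escapeHTML call on line 286; that also escapes the value before the redirect branch below, which presumably stores hash[:error_msg] in the flash as well. CGI::escapeHTML raises TypeError on nil, so notice/error/warning in the first hunk now fail where they previously stored nil silently; if any caller passes nil, `flash[:notice] = notice && CGI::escapeHTML(notice)` keeps the old tolerance. Whether the layout renders these flash values raw (in which case this escaping is the fix) or through ERB's default escaping (in which case it now double-escapes) cannot be seen from this hunk and is worth confirming. process_error begins and ends outside the hunk.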
app/controllers/hostgroups_controller.rb
84 84
        process_error
85 85
      end
86 86
    rescue Ancestry::AncestryException
87
      flash[:error] = _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label }
88
      process_error
87
      process_error(:error_msg => ("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label } )
89 88
    end
90 89
  end
91 90

  
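Review bot: The replacement line drops the `_()` gettext wrapper that the removed line had around the message, so this error is no longer extracted for translation; it should read `process_error(:error_msg => _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label })`. Routing the message through process_error means the interpolated group label is escaped there rather than here, which is the right place provided process_error is the only writer of flash[:error] on this path. The action that encloses this rescue starts outside the hunk.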
test/functional/smart_proxies_controller_test.rb
70 70
  def test_refresh_fail
71 71
    proxy = smart_proxies(:one)
72 72
    errors = ActiveModel::Errors.new(Host::Managed.new)
73
    errors.add :base, "Unable to communicate with the proxy: it's down"
73
    errors.add :base, "Unable to communicate with the proxy: it is down"
74 74
    SmartProxy.any_instance.stubs(:errors).returns(errors)
75 75
    SmartProxy.any_instance.stubs(:associate_features).returns(true)
76 76
    post :refresh, {:id => proxy}, set_session_user
77 77
    assert_redirected_to smart_proxies_url
78
    assert_equal "Unable to communicate with the proxy: it's down", flash[:error]
78
    assert_equal "Unable to communicate with the proxy: it is down", flash[:error]
79 79
  end
80 80

  
81 81
end
82
-
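Review bot: Rewriting the fixture from "it's down" to "it is down" removes the one character CGI::escapeHTML would have altered, so the test no longer exercises the escaping that the controller change introduces; presumably the edit was made because escaping of the apostrophe differs between Ruby versions. Keep the apostrophe and derive the expectation from the same function instead of a literal: `msg = "Unable to communicate with the proxy: it's down"`, `errors.add :base, msg`, and `assert_equal CGI::escapeHTML(msg), flash[:error]`. That pins the new behaviour whatever `'` escapes to, and a second case whose message contains `<` and `>` would cover the markup path the patch title is about, which no test in this hunk checks.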