Project

General

Profile

Download (3.38 KB)

0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch

v3 patch against 1.4-stable - Dominic Cleal, 06/17/2014 04:04 PM

View differences:

app/controllers/application_controller.rb
131 131 
  end
132 132 

  		




  133
  133
  
    
  def notice notice

  		




  134
  
  
    
    flash[:notice] = notice

  		




  
  134
  
    
    flash[:notice] = CGI::escapeHTML(notice)

  		




  135
  135
  
    
  end

  		




  136
  136
  
    

  		




  137
  137
  
    
  def error error

  		




  138
  
  
    
    flash[:error] = error

  		




  
  138
  
    
    flash[:error] = CGI::escapeHTML(error)

  		




  139
  139
  
    
  end

  		




  140
  140
  
    

  		




  141
  141
  
    
  def warning warning

  		




  142
  
  
    
    flash[:warning] = warning

  		




  
  142
  
    
    flash[:warning] = CGI::escapeHTML(warning)

  		




  143
  143
  
    
  end

  		




  144
  144
  
    

  		




  145
  145
  
    
  # this method is used with nested resources, where obj_id is passed into the parameters hash.

  		




  ......




  283
  283
  
    
    hash[:error_msg] = [hash[:error_msg]].flatten

  		




  284
  284
  
    
    hash[:error_msg] = hash[:error_msg].join("<br/>")

  		




  285
  285
  
    
    if hash[:render]

  		




  286
  
  
    
      flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty?

  		




  
  286
  
    
      flash.now[:error] = CGI::escapeHTML(hash[:error_msg]) unless hash[:error_msg].empty?

  		




  287
  287
  
    
      render hash[:render]

  		




  288
  288
  
    
      return

  		




  289
  289
  
    
    elsif hash[:redirect]

  		












  

    
      app/controllers/hostgroups_controller.rb
    
  





  84
  84
  
    
        process_error

  		




  85
  85
  
    
      end

  		




  86
  86
  
    
    rescue Ancestry::AncestryException

  		




  87
  
  
    
      flash[:error] = _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label }

  		




  88
  
  
    
      process_error

  		




  
  87
  
    
      process_error(:error_msg => ("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label } )

  		




  89
  88
  
    
    end

  		




  90
  89
  
    
  end

  		




  91
  90
  
    

  		












  

    
      test/functional/smart_proxies_controller_test.rb
    
  





  70
  70
  
    
  def test_refresh_fail

  		




  71
  71
  
    
    proxy = smart_proxies(:one)

  		




  72
  72
  
    
    errors = ActiveModel::Errors.new(Host::Managed.new)

  		




  73
  
  
    
    errors.add :base, "Unable to communicate with the proxy: it's down"

  		




  
  73
  
    
    errors.add :base, "Unable to communicate with the proxy: it is down"

  		




  74
  74
  
    
    SmartProxy.any_instance.stubs(:errors).returns(errors)

  		




  75
  75
  
    
    SmartProxy.any_instance.stubs(:associate_features).returns(true)

  		




  76
  76
  
    
    post :refresh, {:id => proxy}, set_session_user

  		




  77
  77
  
    
    assert_redirected_to smart_proxies_url

  		




  78
  
  
    
    assert_equal "Unable to communicate with the proxy: it's down", flash[:error]

  		




  
  78
  
    
    assert_equal "Unable to communicate with the proxy: it is down", flash[:error]

  		




  79
  79
  
    
  end

  		




  80
  80
  
    

  		




  81
  81
  
    
end

  		




  82
  
  
    
-