Refactor appeal partial to avoid brakeman XSS warning (#25880)
This commit is contained in:
		
							parent
							
								
									bcd0171e5e
								
							
						
					
					
						commit
						9f218c9924
					
				|  | @ -0,0 +1,19 @@ | |||
| # frozen_string_literal: true | ||||
| 
 | ||||
| module Admin | ||||
|   module DisputesHelper | ||||
|     def strike_action_label(appeal) | ||||
|       t(key_for_action(appeal), | ||||
|         scope: 'admin.strikes.actions', | ||||
|         name: content_tag(:span, appeal.strike.account.username, class: 'username'), | ||||
|         target: content_tag(:span, appeal.account.username, class: 'target')) | ||||
|         .html_safe | ||||
|     end | ||||
| 
 | ||||
|     private | ||||
| 
 | ||||
|     def key_for_action(appeal) | ||||
|       AccountWarning.actions.slice(appeal.strike.action).keys.first | ||||
|     end | ||||
|   end | ||||
| end | ||||
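Review bot: The `.html_safe` call in `strike_action_label` is still the trust boundary for this markup, and nothing next to it records why marking the translation safe is acceptable; a short comment would save the next reader re-deriving it, e.g. `# Safe to mark: the key is limited to AccountWarning.actions and both usernames are escaped by content_tag, so only the locale string itself is trusted.` `key_for_action` makes the key allowlisting explicit, but if `appeal.strike.action` were ever outside the enum, `slice(...).keys.first` returns nil and `t` would presumably yield a missing-translation result rather than a clear failure — worth a `# nil for actions outside the enum` note, or an explicit raise if that should never be silent. The `.html_safe` chained on its own line beneath the `t(` arguments may also trip Layout/MultilineMethodCallIndentation; assigning the translation to a local and calling `.html_safe` on it would read more plainly.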
|  | @ -4,7 +4,7 @@ | |||
|       = image_tag appeal.account.avatar.url(:original), alt: '', width: 40, height: 40, class: 'avatar' | ||||
|     .log-entry__content | ||||
|       .log-entry__title | ||||
|         = t(appeal.strike.action, scope: 'admin.strikes.actions', name: content_tag(:span, appeal.strike.account.username, class: 'username'), target: content_tag(:span, appeal.account.username, class: 'target')).html_safe | ||||
|         = strike_action_label(appeal) | ||||
|       .log-entry__timestamp | ||||
|         %time.formatted{ datetime: appeal.strike.created_at.iso8601 } | ||||
|           = l(appeal.strike.created_at) | ||||
|  |  | |||
|  | @ -1,38 +1,5 @@ | |||
| { | ||||
|   "ignored_warnings": [ | ||||
|     { | ||||
|       "warning_type": "Cross-Site Scripting", | ||||
|       "warning_code": 2, | ||||
|       "fingerprint": "71cf98c8235b5cfa9946b5db8fdc1a2f3a862566abb34e4542be6f3acae78233", | ||||
|       "check_name": "CrossSiteScripting", | ||||
|       "message": "Unescaped model attribute", | ||||
|       "file": "app/views/admin/disputes/appeals/_appeal.html.haml", | ||||
|       "line": 7, | ||||
|       "link": "https://brakemanscanner.org/docs/warning_types/cross_site_scripting", | ||||
|       "code": "t((Unresolved Model).new.strike.action, :scope => \"admin.strikes.actions\", :name => content_tag(:span, (Unresolved Model).new.strike.account.username, :class => \"username\"), :target => content_tag(:span, (Unresolved Model).new.account.username, :class => \"target\"))", | ||||
|       "render_path": [ | ||||
|         { | ||||
|           "type": "template", | ||||
|           "name": "admin/disputes/appeals/index", | ||||
|           "line": 20, | ||||
|           "file": "app/views/admin/disputes/appeals/index.html.haml", | ||||
|           "rendered": { | ||||
|             "name": "admin/disputes/appeals/_appeal", | ||||
|             "file": "app/views/admin/disputes/appeals/_appeal.html.haml" | ||||
|           } | ||||
|         } | ||||
|       ], | ||||
|       "location": { | ||||
|         "type": "template", | ||||
|         "template": "admin/disputes/appeals/_appeal" | ||||
|       }, | ||||
|       "user_input": "(Unresolved Model).new.strike", | ||||
|       "confidence": "Weak", | ||||
|       "cwe_id": [ | ||||
|         79 | ||||
|       ], | ||||
|       "note": "" | ||||
|     }, | ||||
|     { | ||||
|       "warning_type": "Cross-Site Scripting", | ||||
|       "warning_code": 4, | ||||
|  |  | |||
|  | @ -18,10 +18,14 @@ RSpec.describe Admin::Disputes::AppealsController do | |||
|   describe 'GET #index' do | ||||
|     let(:current_user) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')) } | ||||
| 
 | ||||
|     it 'lists appeals' do | ||||
|     before { appeal } | ||||
| 
 | ||||
|     it 'returns a page that lists details of appeals' do | ||||
|       get :index | ||||
| 
 | ||||
|       expect(response).to have_http_status(200) | ||||
|       expect(response).to have_http_status(:success) | ||||
|       expect(response.body).to include("<span class=\"username\">#{strike.account.username}</span>") | ||||
|       expect(response.body).to include("<span class=\"target\">#{appeal.account.username}</span>") | ||||
|     end | ||||
|   end | ||||
| 
 | ||||
|  |  | |||
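Review bot: `have_http_status(:success)` accepts any 2xx status, so the rewritten assertion is looser than the `200` it replaces; `expect(response).to have_http_status(200)` (or `:ok`) keeps the same strictness and still reads well. `before { appeal }` relies on a `let(:appeal)` defined outside this hunk, so the setup it triggers is not visible here. The two body assertions do pin the rendered `<span>` markup, which is what would catch the moved `.html_safe` being lost or the output being double-escaped.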
|  | @ -0,0 +1,21 @@ | |||
| # frozen_string_literal: true | ||||
| 
 | ||||
| require 'rails_helper' | ||||
| 
 | ||||
| describe Admin::DisputesHelper do | ||||
|   describe 'strike_action_label' do | ||||
|     it 'returns html describing the appeal' do | ||||
|       adam = Account.new(username: 'Adam') | ||||
|       becky = Account.new(username: 'Becky') | ||||
|       strike = AccountWarning.new(account: adam, action: :suspend) | ||||
|       appeal = Appeal.new(strike: strike, account: becky) | ||||
| 
 | ||||
|       expected = <<~OUTPUT.strip | ||||
|         <span class="username">Adam</span> suspended <span class="target">Becky</span>'s account | ||||
|       OUTPUT | ||||
|       result = helper.strike_action_label(appeal) | ||||
| 
 | ||||
|       expect(result).to eq(expected) | ||||
|     end | ||||
|   end | ||||
| end | ||||
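Review bot: `expect(result).to eq(expected)` compares only the string content, so the spec would still pass if the helper stopped marking its output safe — the very property this refactor relocated out of the view; add `expect(result).to be_html_safe` alongside it. A second example using an unsaved `Account.new(username: ...)` whose username contains markup characters would additionally pin that `content_tag` escapes both interpolated names rather than passing them through. Only the `:suspend` action is exercised, so `key_for_action` is covered for a single enum value.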