-rw-r--r-- | app/views/taglibs/views.dryml | 2 | ||||
-rw-r--r-- | config/initializers/email_address.rb | 9 | ||||
-rw-r--r-- | spec/models/user_spec.rb | 5 |
3 files changed, 15 insertions, 1 deletions
diff --git a/app/views/taglibs/views.dryml b/app/views/taglibs/views.dryml
index c4bcd89..c5be181 100644
--- a/app/views/taglibs/views.dryml
+++ b/app/views/taglibs/views.dryml
@@ -10,7 +10,7 @@
 <%= this.content.to_html %>
 <ul>
 <repeat:options>
- <li><%=this.content%></li>
+ <li><%= h this.content%></li>
 </repeat>
 </ul>
 </def>
diff --git a/config/initializers/email_address.rb b/config/initializers/email_address.rb
new file mode 100644
index 0000000..02e48cb
--- /dev/null
+++ b/config/initializers/email_address.rb
@@ -0,0 +1,9 @@
+require 'hobo_fields/email_address'
+
+class HoboFields::EmailAddress
+ def to_html_with_escape(xmldoctype = true)
+ ERB::Util.h to_html_without_escape xmldoctype
+ end
+
+ alias_method_chain :to_html, :escape
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index e6724d8..7552a1e 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -8,6 +8,11 @@ describe User do
 new_user.role.should == :recruit
 end
+ it "should escape emails" do
+ u = User.new :email_address => "<script>alert('foo')<script>@foo.com"
+ u.email_address.to_html.should == "<script>alert('foo')<script> at foo dot com"
+ end
+
 it { should allow_value(:mentor).for(:role) }
 it { should allow_value(:recruiter).for(:role) } |
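Review bot: The context line `<%= this.content.to_html %>` at the top of the hunk still emits the result of `to_html` without `h`, so escaping there depends entirely on each type's own `to_html`; this commit's initializer covers only `HoboFields::EmailAddress`, and any other rich type that reaches this tag is presumably rendered as-is. The new `<%= h this.content%>` inside the repeat escapes through `to_s`, which looks right for plain option text, but the reason the two lines differ is not recorded anywhere; a comment such as `<%# to_html is expected to escape its own output; see config/initializers/email_address.rb %>` above the first line, or applying `h` there too if `this.content` can be untrusted, would make the intent explicit. The enclosing `<def>` starts outside the hunk.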
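Review bot: `ERB::Util.h to_html_without_escape xmldoctype` stacks two paren-less calls; Ruby resolves it as `ERB::Util.h(to_html_without_escape(xmldoctype))`, but the nesting is easy to misread and older interpreters warn about it, so write `ERB::Util.h(to_html_without_escape(xmldoctype))`. The reopened class carries no comment explaining the monkey-patch; a header such as `# HTML-escape EmailAddress#to_html so a user-supplied address cannot inject markup where it is rendered` would save the next reader a trip to the spec. `alias_method_chain` recurses indefinitely if this file is ever loaded twice, so guard it: `alias_method_chain :to_html, :escape unless method_defined?(:to_html_without_escape)`. The spec added in spec/models/user_spec.rb, as shown on this page, expects `to_html` to return `<script>alert('foo')<script> at foo dot com` unescaped, which contradicts this wrapper unless the entities were decoded when the page was rendered — confirm the expectation actually reads `&lt;script&gt;…`.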