Skip to content

HTML encode display_name output.#5284

Merged
varyonic merged 2 commits intoactiveadmin:masterfrom
markstory:display-name
Dec 15, 2017
Merged

HTML encode display_name output.#5284
varyonic merged 2 commits intoactiveadmin:masterfrom
markstory:display-name

Conversation

@markstory
Copy link
Contributor

@markstory markstory commented Dec 11, 2017

The display_name helper can end up invoking methods on ActiveRecord models or other arbitrary ruby objects that can contain unsafe user supplied data resulting in XSS holes.

Refs #5198
Refs #5265
Refs #5275

@markstory
HTML encode display_name output.
59adf22 
The display_name helper can end up invoking methods on ActiveRecord
models or other arbitrary ruby objects that can contain unsafe user
supplied data resulting in XSS holes.

Refs #5198
Refs #5265
Refs #5275
@markstory
Add module needed to get tests passing.
4f33fb0
@codecov
Copy link

codecov bot commented Dec 12, 2017
edited
Loading

Codecov Report

Merging #5284 into master will decrease coverage by <.01%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #5284      +/-   ##
==========================================
- Coverage   98.28%   98.27%   -0.01%     
==========================================
  Files         292      292              
  Lines       10893    10900       +7     
==========================================
+ Hits        10706    10712       +6     
- Misses        187      188       +1
Impacted Files Coverage Δ
lib/active_admin/view_helpers/display_helper.rb 98% <100%> (ø) ⬆️
spec/unit/view_helpers/breadcrumbs_spec.rb 100% <100%> (ø) ⬆️
spec/unit/view_helpers/display_helper_spec.rb 100% <100%> (ø) ⬆️
lib/active_admin/views/pages/index.rb 98.85% <0%> (-1.15%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6a0f248...4f33fb0. Read the comment docs.

deivid-rodriguez
deivid-rodriguez approved these changes Dec 12, 2017
View reviewed changes
Copy link
Member

@deivid-rodriguez deivid-rodriguez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great to me!

@varyonic varyonic merged commit b46f4d4 into activeadmin:master Dec 15, 2017
@markstory markstory deleted the display-name branch December 15, 2017 17:11
@markstory
Copy link
Contributor Author

markstory commented Dec 15, 2017

Thanks!

@deivid-rodriguez deivid-rodriguez mentioned this pull request Dec 15, 2017
Closed
varyonic pushed a commit that referenced this pull request Dec 15, 2017
@markstory @varyonic
Backport #5284: Sanitize display_name.
ad38e5d 
The display_name helper can end up invoking methods on ActiveRecord
models or other arbitrary ruby objects that can contain unsafe user
supplied data resulting in XSS holes.

Refs #5198
Refs #5265
Refs #5275
@deivid-rodriguez deivid-rodriguez mentioned this pull request Jul 10, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deivid-rodriguez deivid-rodriguez deivid-rodriguez approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@markstory @deivid-rodriguez @varyonic