Disable most OutputSafety warnings

These all seem to require html_safe/raw, so we'll permit it.
Some of the spree code is a bit strange and could probably be improved, but I think it's ok for now.
This commit is contained in:
David Cook
2023-12-13 14:18:46 +11:00
parent dc9fd669a2
commit 0e95b3211b
10 changed files with 18 additions and 20 deletions


@@ -523,16 +523,7 @@ Rails/NegateInclude:
# Offense count: 16
Rails/OutputSafety:
Exclude:
- 'app/helpers/angular_form_helper.rb'
- 'app/helpers/application_helper.rb'
- 'app/helpers/reports_helper.rb'
- 'app/helpers/spree/admin/base_helper.rb'
- 'app/helpers/spree/admin/navigation_helper.rb'
- 'app/helpers/spree/admin/orders_helper.rb'
- 'app/helpers/spree/admin/zones_helper.rb'
- 'lib/reporting/queries/query_builder.rb'
- 'lib/reporting/queries/query_interface.rb'
- 'lib/spree/money.rb'
# Offense count: 31
# This cop supports unsafe autocorrection (--autocorrect-all).


@@ -9,7 +9,7 @@ module AngularFormHelper
text, value = option_text_and_value(element).map(&:to_s)
%(<option value="#{ERB::Util.html_escape(value)}"\
#{html_attributes}>#{ERB::Util.html_escape(text)}</option>)
end.join("\n").html_safe
end.join("\n").html_safe # rubocop:disable Rails/OutputSafety
end
def ng_options_from_collection_for_select(collection, value_method, text_method, angular_field)
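Review bot: The suppression on `end.join("\n").html_safe` is justified only because `value` and `text` pass through `ERB::Util.html_escape` on the lines above, while `html_attributes` is interpolated into the `<option>` tag unescaped; it is built outside the hunk, so a reader cannot see from here that it is trusted. Record the reasoning beside the suppression so it is not removed or copied blindly: `end.join("\n").html_safe # rubocop:disable Rails/OutputSafety -- value/text escaped above; html_attributes must stay caller-controlled, never user data`. The enclosing method starts outside the hunk.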


@@ -10,7 +10,7 @@ module ApplicationHelper
return "" unless obj && obj.errors[method].present?
errors = obj.errors[method].map { |err| h(err) }.join('<br />').html_safe
errors = obj.errors[method].map { |err| h(err) }.join('<br />').html_safe # rubocop:disable Rails/OutputSafety
if options[:standalone]
content_tag(
@@ -36,7 +36,7 @@ module ApplicationHelper
hreflang: locale.to_s.gsub("_", "-").downcase,
href: "#{request.protocol}#{request.host_with_port}/locales/#{locale}"
)
end.join("\n").html_safe
end.join("\n").html_safe # rubocop:disable Rails/OutputSafety
end
def ng_form_for(name, *args, &)
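Review bot: The `.join('<br />').html_safe` on the errors line is safe only because every element was already escaped by `h(err)`; `safe_join` states that intent without a cop suppression and escapes each message itself, so the `h` map becomes redundant: `errors = safe_join(obj.errors[method], tag(:br))`. The same shape — concatenating already-safe fragments into a plain String and then calling `html_safe` — recurs in the orders_helper.rb hunk (`links.join('&nbsp;')`) and the zones_helper.rb hunk (`out << ...`), where `safe_join(links, "\u00A0")` (a literal no-break space, since `safe_join` would escape the `&nbsp;` entity) and starting with `out = ActiveSupport::SafeBuffer.new` respectively keep the buffer safe throughout and drop the suppressions. In the second hunk here, `href` is built from `request.host_with_port`, i.e. the client-supplied Host header; that is only sound when host authorization (`config.hosts`) is configured, which is outside this diff. Both enclosing methods start outside their hunks.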


@@ -5,7 +5,9 @@ module ReportsHelper
order_cycles.map do |oc|
orders_open_at = oc.orders_open_at&.to_fs(:short) || 'NA'
orders_close_at = oc.orders_close_at&.to_fs(:short) || 'NA'
# rubocop:disable Rails/OutputSafety
["#{oc.name} &nbsp; (#{orders_open_at} - #{orders_close_at})".html_safe, oc.id]
# rubocop:enable Rails/OutputSafety
end
end
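Review bot: `oc.name` is interpolated into a string that is then marked `html_safe` with no escaping, so if order cycle names are editable by users this line is a stored XSS sink, and the disable/enable pair silences the warning rather than addressing it. Escape the one untrusted part and the suppression becomes honest: `["#{h(oc.name)} &nbsp; (#{orders_open_at} - #{orders_close_at})".html_safe, oc.id]`. `orders_open_at` and `orders_close_at` are `to_fs(:short)` output or the literal `'NA'`, so they need no escaping. The enclosing method starts outside the hunk.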


@@ -98,7 +98,9 @@ module Spree
options[:class] = (options[:class].to_s + " icon_link with-tip #{icon_name}").strip
options[:class] += ' no-text' if options[:no_text]
options[:title] = text if options[:no_text]
# rubocop:disable Rails/OutputSafety
text = options[:no_text] ? '' : raw("<span class='text'>#{text}</span>")
# rubocop:enable Rails/OutputSafety
options.delete(:no_text)
link_to(text, url, options)
end
@@ -138,7 +140,7 @@ module Spree
def text_for_button_link(text, _html_options)
s = ''
s << text
raw(s)
raw(s) # rubocop:disable Rails/OutputSafety
end
def configurations_sidebar_menu_item(link_text, url, options = {})
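Review bot: `raw("<span class='text'>#{text}</span>")` interpolates `text` unescaped and the commit only silences the cop; `content_tag(:span, text, class: 'text')` produces the same markup, escapes `text` when it is a plain String and leaves it untouched when it is already an `html_safe` buffer, so the disable/enable pair can go: `text = options[:no_text] ? '' : content_tag(:span, text, class: 'text')`. `text_for_button_link` in the second hunk has the same shape (`s << text; raw(s)`): it returns its argument marked safe with no escaping, so callers must never pass user data, and `h(text)` would be the equivalent that escapes plain Strings while passing safe buffers through unchanged. `text_for_button_link` is shown in full; the method in the first hunk starts outside it.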


@@ -7,7 +7,7 @@ module Spree
links = []
links << cancel_event_link if @order.can_cancel?
links << resume_event_link if @order.can_resume?
links.join('&nbsp;').html_safe
links.join('&nbsp;').html_safe # rubocop:disable Rails/OutputSafety
end
def line_item_shipment_price(line_item, quantity)


@@ -31,7 +31,7 @@ module Spree
out = ''
out << fields.hidden_field(:_destroy) unless fields.object.new_record?
out << (link_to icon('icon-remove'), "#", class: 'remove')
out.html_safe
out.html_safe # rubocop:disable Rails/OutputSafety
end
end
end


@@ -11,7 +11,7 @@ module Reporting
def initialize(model, grouping_fields = proc { [] })
@grouping_fields = instance_exec(&grouping_fields)
super model.arel_table
super(model.arel_table)
end
def selecting(lambda)
@@ -68,7 +68,9 @@ module Reporting
options_text = variant_table[:unit_presentation]
unit_to_display = coalesce(nullify_empty_strings(display_as), options_text)
# rubocop:disable Rails/OutputSafety
combined_description = sql_concat(display_name, raw("' ('"), unit_to_display, raw("')'"))
# rubocop:enable Rails/OutputSafety
Case.new.
when(nullify_empty_strings(display_name).eq(nil)).then(unit_to_display).
@@ -79,7 +81,8 @@ module Reporting
private
def default_mask_rule
line_item_table[:order_id].in(raw("#{managed_orders_alias.name}.id")).
id = raw("#{managed_orders_alias.name}.id") # rubocop:disable Rails/OutputSafety
line_item_table[:order_id].in(id).
or(distributor_alias[:show_customer_names_to_suppliers].eq(true))
end
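Review bot: In this file `raw(...)` appears to wrap SQL fragments (`raw("' ('")` fed to `sql_concat`, `raw("#{managed_orders_alias.name}.id")` fed to `in`), so `Rails/OutputSafety` is firing on a name collision with ActionView's `raw` and the property that matters is SQL safety, not HTML safety; the new `id = raw(...)` line should say so, otherwise the next reader takes the suppression as an XSS waiver: `id = raw("#{managed_orders_alias.name}.id") # rubocop:disable Rails/OutputSafety -- SQL literal, not HTML`. Where `raw` is defined is outside the hunk, so confirm it builds an Arel SQL literal and that `managed_orders_alias.name` is fixed by this class rather than derived from request input, because the interpolation bypasses parameter binding. The same note applies to `empty_string` in the query_interface.rb hunk. `default_mask_rule` is shown in full; the method in the second hunk starts outside it.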


@@ -86,7 +86,7 @@ module Reporting
end
def empty_string
raw("''")
raw("''") # rubocop:disable Rails/OutputSafety
end
def sql_concat(*args)


@@ -9,7 +9,7 @@ module Spree
delegate :cents, to: :money
def initialize(amount, options = {})
@money = ::Monetize.parse([amount, (options[:currency] || Spree::Config[:currency])].join)
@money = ::Monetize.parse([amount, options[:currency] || Spree::Config[:currency]].join)
if options.key?(:symbol_position)
options[:format] = position_to_format(options.delete(:symbol_position))
@@ -29,7 +29,7 @@ module Spree
def to_html(options = { html_wrap: true })
"<span style='white-space: nowrap;'>#{@money.format(@options.merge(options))}</span>"
.html_safe
.html_safe # rubocop:disable Rails/OutputSafety
end
def format(options = {})