From 0e95b3211b76872d4d1095e2557f50fa207e235b Mon Sep 17 00:00:00 2001
From: David Cook
Date: Wed, 13 Dec 2023 14:18:46 +1100
Subject: [PATCH] Disable most OutputSafety warnings
These all seem to require html_safe/raw, so we'll permit it. Some of the spree code is a bit strange and could probably be improved, but I think it's ok for now.
---
.rubocop_todo.yml | 9 ---------
app/helpers/angular_form_helper.rb | 2 +-
app/helpers/application_helper.rb | 4 ++--
app/helpers/reports_helper.rb | 2 ++
app/helpers/spree/admin/navigation_helper.rb | 4 +++-
app/helpers/spree/admin/orders_helper.rb | 2 +-
app/helpers/spree/admin/zones_helper.rb | 2 +-
lib/reporting/queries/query_builder.rb | 7 +++++--
lib/reporting/queries/query_interface.rb | 2 +-
lib/spree/money.rb | 4 ++--
10 files changed, 18 insertions(+), 20 deletions(-)
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index aa12b8a9a5..460e63a892 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -523,16 +523,7 @@ Rails/NegateInclude: # Offense count: 16 Rails/OutputSafety: Exclude: - - 'app/helpers/angular_form_helper.rb' - - 'app/helpers/application_helper.rb' - - 'app/helpers/reports_helper.rb' - 'app/helpers/spree/admin/base_helper.rb' - - 'app/helpers/spree/admin/navigation_helper.rb' - - 'app/helpers/spree/admin/orders_helper.rb' - - 'app/helpers/spree/admin/zones_helper.rb' - - 'lib/reporting/queries/query_builder.rb' - - 'lib/reporting/queries/query_interface.rb' - - 'lib/spree/money.rb' # Offense count: 31 # This cop supports unsafe autocorrection (--autocorrect-all).
diff --git a/app/helpers/angular_form_helper.rb b/app/helpers/angular_form_helper.rb
index 3b1233302e..a9b03e9608 100644
--- a/app/helpers/angular_form_helper.rb
+++ b/app/helpers/angular_form_helper.rb
@@ -9,7 +9,7 @@ module AngularFormHelper text, value = option_text_and_value(element).map(&:to_s) %() - end.join("\n").html_safe + end.join("\n").html_safe # rubocop:disable Rails/OutputSafety end def ng_options_from_collection_for_select(collection, value_method, text_method, angular_field)
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 223a4c8f41..2f470529b2 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -10,7 +10,7 @@ module ApplicationHelper return "" unless obj && obj.errors[method].present? - errors = obj.errors[method].map { |err| h(err) }.join('
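Review bot: The `.html_safe` on the joined options is only safe if `text` and `value` are escaped inside the `%(...)` option template on the line above, and that template body has been stripped from this rendering, so I cannot confirm it; both values come from the collection rather than from literals, so an unescaped interpolation there would be a stored XSS in the select. Rather than silencing the cop, build each option with a tag helper, e.g. `tag.option(text, value: value)` plus whatever angular attributes the template sets, and combine them with `safe_join(options, "\n")`; the helper escapes both values and `safe_join` preserves their safety without any `html_safe`. The method's signature is above the hunk, so its name and arguments are not visible here.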
').html_safe + errors = obj.errors[method].map { |err| h(err) }.join('
').html_safe # rubocop:disable Rails/OutputSafety if options[:standalone] content_tag(
@@ -36,7 +36,7 @@ module ApplicationHelper hreflang: locale.to_s.gsub("_", "-").downcase, href: "#{request.protocol}#{request.host_with_port}/locales/#{locale}" ) - end.join("\n").html_safe + end.join("\n").html_safe # rubocop:disable Rails/OutputSafety end def ng_form_for(name, *args, &)
diff --git a/app/helpers/reports_helper.rb b/app/helpers/reports_helper.rb
index 2809ac459a..1f9bf91ed7 100644
--- a/app/helpers/reports_helper.rb
+++ b/app/helpers/reports_helper.rb
@@ -5,7 +5,9 @@ module ReportsHelper order_cycles.map do |oc| orders_open_at = oc.orders_open_at&.to_fs(:short) || 'NA' orders_close_at = oc.orders_close_at&.to_fs(:short) || 'NA' + # rubocop:disable Rails/OutputSafety ["#{oc.name}   (#{orders_open_at} - #{orders_close_at})".html_safe, oc.id] + # rubocop:enable Rails/OutputSafety end end
diff --git a/app/helpers/spree/admin/navigation_helper.rb b/app/helpers/spree/admin/navigation_helper.rb
index 5b71c2780a..dcdf00a2e7 100644
--- a/app/helpers/spree/admin/navigation_helper.rb
+++ b/app/helpers/spree/admin/navigation_helper.rb
@@ -98,7 +98,9 @@ module Spree options[:class] = (options[:class].to_s + " icon_link with-tip #{icon_name}").strip options[:class] += ' no-text' if options[:no_text] options[:title] = text if options[:no_text] + # rubocop:disable Rails/OutputSafety text = options[:no_text] ? '' : raw("#{text}") + # rubocop:enable Rails/OutputSafety options.delete(:no_text) link_to(text, url, options) end
@@ -138,7 +140,7 @@ module Spree def text_for_button_link(text, _html_options) s = '' s << text - raw(s) + raw(s) # rubocop:disable Rails/OutputSafety end def configurations_sidebar_menu_item(link_text, url, options = {})
diff --git a/app/helpers/spree/admin/orders_helper.rb b/app/helpers/spree/admin/orders_helper.rb
index 81f9066f90..700b6bdcb4 100644
--- a/app/helpers/spree/admin/orders_helper.rb
+++ b/app/helpers/spree/admin/orders_helper.rb
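Review bot: The `html_safe` on the joined error messages is justified only because each message first passes through `h(err)`, and the disable comment now pins that coupling in place without saying so. The same output is available with no unsafe call: `errors = safe_join(obj.errors[method], tag.br)` (assuming the separator stripped from this rendering is a line-break tag) escapes every message and keeps the separator safe, so the `h()` and the disable can both go. The enclosing method starts above the hunk and its body continues past `content_tag(`.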
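Review bot: Each alternate-locale `href` is built from `request.host_with_port`, so these elements echo whatever `Host` header reaches the app; the tag helper whose call starts above the hunk escapes the attribute, so this is not an injection, but unless `config.hosts` or the front proxy pins the allowed hostnames a spoofed `Host` ends up in the emitted canonical/alternate URLs, where caches and crawlers will pick it up. Either derive the host from configured defaults (`url_for(..., only_path: false)` with `default_url_options[:host]`) or record the dependency next to the interpolation: `# relies on config.hosts to reject spoofed Host headers`. Separately, the elements being joined are already html_safe helper output, so `safe_join(..., "\n")` produces identical markup without `html_safe` or the disable.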
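Review bot: `oc.name` is interpolated unescaped into a string that is then marked `html_safe`, so anyone who can name an order cycle can place markup into this select; the two dates come from `to_fs(:short)` or the literal `'NA'` and are harmless, but the name is not, and wrapping the line in disable/enable comments only hides that. Escape the name and keep `html_safe` solely for the entity (stripped in this rendering) between name and dates: `["#{h(oc.name)} … (#{orders_open_at} - #{orders_close_at})".html_safe, oc.id]`, or replace the entity with a plain space and drop `html_safe` altogether. Whether order-cycle names are editable by untrusted users is not visible here, but a helper that renders them should not depend on the answer.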
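Review bot: `raw("…#{text}…")` marks the link body as safe without escaping it, so whatever callers pass as `text` (its wrapper markup is stripped in this rendering) is emitted verbatim, while the same value assigned to `options[:title]` on the previous line is escaped by `link_to`, which is inconsistent. In Spree admin `text` is usually an I18n string, but nothing in this helper enforces that; `text = options[:no_text] ? '' : tag.span(text)` with the original wrapper's attributes escapes it and needs no disable. The method's signature is above the hunk, so I cannot see whether `text` is documented as trusted.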
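Review bot: `text_for_button_link` appends `text` to a buffer with `<<` and returns it through `raw`, so the text is never escaped; replacing the three lines with a tag helper, `tag.span(text)` carrying the same attributes as the stripped literal, escapes it and removes both `raw` and its disable. `s = ''` followed by `s << text` also raises `FrozenError` under `# frozen_string_literal: true`, and the file header is not visible here, so this is either already broken or a landmine for when the magic comment is added. The ignored `_html_options` parameter deserves a note if it is kept for call-site compatibility: `# _html_options is unused; kept so callers sharing the link_to-style signature keep working`.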
@@ -7,7 +7,7 @@ module Spree links = [] links << cancel_event_link if @order.can_cancel? links << resume_event_link if @order.can_resume? - links.join(' ').html_safe + links.join(' ').html_safe # rubocop:disable Rails/OutputSafety end def line_item_shipment_price(line_item, quantity)
diff --git a/app/helpers/spree/admin/zones_helper.rb b/app/helpers/spree/admin/zones_helper.rb
index 57a1a639c1..1ad0927b9f 100644
--- a/app/helpers/spree/admin/zones_helper.rb
+++ b/app/helpers/spree/admin/zones_helper.rb
@@ -31,7 +31,7 @@ module Spree out = '' out << fields.hidden_field(:_destroy) unless fields.object.new_record? out << (link_to icon('icon-remove'), "#", class: 'remove') - out.html_safe + out.html_safe # rubocop:disable Rails/OutputSafety end end end
diff --git a/lib/reporting/queries/query_builder.rb b/lib/reporting/queries/query_builder.rb
index 0f20f77c19..02e908ab2d 100644
--- a/lib/reporting/queries/query_builder.rb
+++ b/lib/reporting/queries/query_builder.rb
@@ -11,7 +11,7 @@ module Reporting def initialize(model, grouping_fields = proc { [] }) @grouping_fields = instance_exec(&grouping_fields) - super model.arel_table + super(model.arel_table) end def selecting(lambda)
@@ -68,7 +68,9 @@ module Reporting options_text = variant_table[:unit_presentation] unit_to_display = coalesce(nullify_empty_strings(display_as), options_text) + # rubocop:disable Rails/OutputSafety combined_description = sql_concat(display_name, raw("' ('"), unit_to_display, raw("')'")) + # rubocop:enable Rails/OutputSafety Case.new. when(nullify_empty_strings(display_name).eq(nil)).then(unit_to_display).
@@ -79,7 +81,8 @@ module Reporting private def default_mask_rule - line_item_table[:order_id].in(raw("#{managed_orders_alias.name}.id")). + id = raw("#{managed_orders_alias.name}.id") # rubocop:disable Rails/OutputSafety + line_item_table[:order_id].in(id). or(distributor_alias[:show_customer_names_to_suppliers].eq(true)) end
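Review bot: `links.join(' ').html_safe` throws away the per-element safety of the `link_to` results and re-blesses the concatenation, which is exactly the pattern the cop exists to catch; `safe_join(links, ' ')` yields the same markup, escapes any element that is not already safe, and needs no disable. `cancel_event_link` and `resume_event_link` are defined outside the hunk, so this assumes they return helper output rather than hand-assembled strings; if they do not, `safe_join` will expose that by escaping them, which is the right failure mode.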
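Review bot: The buffer pattern `out = ''` / `out << …` / `out.html_safe` can become `safe_join([hidden, remove_link])` built from the same two helper calls, which keeps their safety and drops the disable; `'' << …` also raises `FrozenError` under `# frozen_string_literal: true`, and the file header is outside the hunk, so I cannot tell whether that already bites. The conditional hidden field deserves a why-comment, since the `new_record?` guard is not obvious to a reader: `# only persisted nested records need a _destroy toggle; new ones are simply not submitted`. The method's signature and the enclosing module are above the hunk.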
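Review bot: The `raw` in `sql_concat(display_name, raw("' ('"), …)` is not ActionView's `raw` but, going by `query_interface.rb` in this same patch, a SQL-literal helper, so the cop is a false positive and the disable/enable pair papers over the naming clash rather than resolving it; renaming the helper (e.g. `sql_literal`) or calling `Arel.sql` directly would stop the cop firing across every reporting query. For constant strings there is a cleaner option that needs no raw SQL at all: `sql_concat(display_name, Arel::Nodes.build_quoted(' ('), unit_to_display, Arel::Nodes.build_quoted(')'))`, which emits a properly quoted literal node. The `Case.new` chain continues past the end of the hunk.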
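Review bot: `raw("#{managed_orders_alias.name}.id")` builds a column reference by string interpolation, yet the very next line already shows the idiomatic form on another alias, `distributor_alias[:show_customer_names_to_suppliers]`; `line_item_table[:order_id].in(managed_orders_alias[:id])` expresses the same predicate with no SQL string, no `id` local and no disable. The alias name is code-controlled (its definition is outside the hunk), so this is hygiene rather than an injection, but the attribute form also gets identifier quoting for free if the alias ever collides with a reserved word.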
diff --git a/lib/reporting/queries/query_interface.rb b/lib/reporting/queries/query_interface.rb
index 54d818cc9c..c6e7b8a041 100644
--- a/lib/reporting/queries/query_interface.rb
+++ b/lib/reporting/queries/query_interface.rb
@@ -86,7 +86,7 @@ module Reporting end def empty_string - raw("''") + raw("''") # rubocop:disable Rails/OutputSafety end def sql_concat(*args)
diff --git a/lib/spree/money.rb b/lib/spree/money.rb
index 968f349b00..4a11d33497 100644
--- a/lib/spree/money.rb
+++ b/lib/spree/money.rb
@@ -9,7 +9,7 @@ module Spree delegate :cents, to: :money def initialize(amount, options = {}) - @money = ::Monetize.parse([amount, (options[:currency] || Spree::Config[:currency])].join) + @money = ::Monetize.parse([amount, options[:currency] || Spree::Config[:currency]].join) if options.key?(:symbol_position) options[:format] = position_to_format(options.delete(:symbol_position))
@@ -29,7 +29,7 @@ module Spree def to_html(options = { html_wrap: true }) "#{@money.format(@options.merge(options))}" .html_safe + .html_safe # rubocop:disable Rails/OutputSafety end def format(options = {})
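Review bot: `empty_string` hand-writes the SQL literal `''` through `raw`, and the cop fires only because the helper shares ActionView's name; `Arel::Nodes.build_quoted('')` returns an equivalent quoted literal node with no raw SQL and no disable. If `raw` here is a thin wrapper around `Arel.sql` (its definition is outside the hunk), renaming it to something like `sql_literal` would remove the disables from this file and from `query_builder.rb` in the same patch, and would stop readers confusing it with the HTML helper. A one-line doc would also help: `# Arel node for the SQL empty-string literal ''`.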
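Review bot: `to_html` marks the result of `Money#format` as safe without saying why, and the reason is non-obvious: with `html_wrap: true` the money gem appears to emit wrapper markup that escaping would destroy, but `format` also interpolates the currency symbol and separators from `@options`, so those must never be populated from user input. Record that contract at the call: `# html_safe: Money#format(html_wrap: true) emits wrapper markup; symbol/separators come from @options and must not be user-supplied`. There is also a default-argument trap on the signature line: `options = { html_wrap: true }` is replaced, not merged, so `to_html(symbol: false)` silently drops the wrapping; `"…".format({ html_wrap: true }.merge(@options).merge(options))` keeps it. The string literal on the second line has lost its markup in this rendering, and the old `.html_safe` line has lost its `-` marker.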