Don't use :html_safe with payment method name in checkout options in case it contains something malicious

Co-authored-by: Maikel <maikel@email.org.au>
This commit is contained in:
Cillian O'Ruanaidh
2022-06-24 16:20:10 +01:00
committed by Filipe
parent 747c88fb35
commit 564e4d802c

@@ -61,7 +61,7 @@
= input.check_box
= input.label
%p
&mdash
&mdash;
%em>
= shared_shipping_method.distributors.where(id: @order_cycle.distributor_ids).map(&:name).join(", ")
%td
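Review bot: The `%em>` under the shipping method keeps Haml's whitespace-removal marker, while the payment method block in the next hunk uses plain `%em`, so the two lists are marked up differently for the same output. Use the same form in both places. The `where(id: @order_cycle.distributor_ids).map(&:name).join(", ")` expression is also repeated for shipping and payment methods and could move into one helper, so the escaping behaviour is defined in a single place.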
@@ -71,7 +71,9 @@
%li
= shared_payment_method.name
%p
= "&mdash;<em>#{shared_payment_method.distributors.where(id: @order_cycle.distributor_ids).map(&:name).join(", ")}</em>".html_safe
&mdash;
%em
= shared_payment_method.distributors.where(id: @order_cycle.distributor_ids).map(&:name).join(", ")
%div#save-bar
%div.container
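Review bot: The value that went through `.html_safe` in the removed line is the joined distributor names (`shared_payment_method.distributors ... map(&:name)`), not the payment method name that the commit message mentions; `shared_payment_method.name` was already output with a plain `=`. Reword the message so it names the field that was actually unescaped. A view spec that renders this list with a distributor name containing markup characters and asserts they come out escaped would keep `.html_safe` from being reintroduced here.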