raggedstaff/openfoodnetwork
1
0
Fork 0
mirror of https://github.com/openfoodfoundation/openfoodnetwork synced 2026-02-05 22:26:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Display payment method literally

Browse Source 
Don't allow for HTML and potentially bad scripts. But this also prevents
accidental display errors. If someone wrote, "We only take <cash>", it
would mess with the site.
This commit is contained in:
Maikel Linke
2020-02-13 16:14:31 +11:00
parent e15c61d862
commit 7306d379a5
2 changed files with 10 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/views/spree/shared/_order_details.html.haml
View File

@@ -13,9 +13,9 @@
.pad
.text-big
= t :order_payment
%strong= order.payments.first.andand.payment_method.andand.name.andand.html_safe
%strong= order.payments.first.andand.payment_method.andand.name
%p.text-small.text-skinny.pre-line
%em= order.payments.first.andand.payment_method.andand.description.andand.html_safe
%em= order.payments.first.andand.payment_method.andand.description
.order-summary.text-small
%strong

8
spec/views/spree/shared/_order_details.html.haml_spec.rb
View File

@@ -21,4 +21,12 @@ describe "spree/shared/_order_details.html.haml" do
expect(rendered).to have_content("Paying via: Bartering")
end
it "displays payment methods safely" do
order.payments.first.payment_method.name = "Bar<script>evil</script>ter&rarr;ing"
render
expect(rendered).to have_content("Paying via: Bar<script>evil</script>ter&rarr;ing")
end
end