From 7306d379a5d7ae6ff7981a79449eec310aa8bda2 Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Thu, 13 Feb 2020 16:14:31 +1100
Subject: [PATCH] Display payment method literally

Don't allow for HTML and potentially bad scripts. But this also prevents accidental display errors. If someone wrote, "We only take ", it would mess with the site.
---
 app/views/spree/shared/_order_details.html.haml          | 4 ++--
 spec/views/spree/shared/_order_details.html.haml_spec.rb | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/views/spree/shared/_order_details.html.haml b/app/views/spree/shared/_order_details.html.haml
index 667bf8b306..5020566c58 100644
--- a/app/views/spree/shared/_order_details.html.haml
+++ b/app/views/spree/shared/_order_details.html.haml
@@ -13,9 +13,9 @@
     .pad
       .text-big
         = t :order_payment
-        %strong= order.payments.first.andand.payment_method.andand.name.andand.html_safe
+        %strong= order.payments.first.andand.payment_method.andand.name
       %p.text-small.text-skinny.pre-line
-        %em= order.payments.first.andand.payment_method.andand.description.andand.html_safe
+        %em= order.payments.first.andand.payment_method.andand.description
 
   .order-summary.text-small
     %strong
diff --git a/spec/views/spree/shared/_order_details.html.haml_spec.rb b/spec/views/spree/shared/_order_details.html.haml_spec.rb
index 2c0da407e4..e702b64f20 100644
--- a/spec/views/spree/shared/_order_details.html.haml_spec.rb
+++ b/spec/views/spree/shared/_order_details.html.haml_spec.rb
@@ -21,4 +21,12 @@ describe "spree/shared/_order_details.html.haml" do
 
     expect(rendered).to have_content("Paying via: Bartering")
   end
+
+  it "displays payment methods safely" do
+    order.payments.first.payment_method.name = "Barter→ing"
+
+    render
+
+    expect(rendered).to have_content("Paying via: Barter→ing")
+  end
 end
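Review bot: The `order.payments.first.andand.payment_method` chain is evaluated twice on the two changed lines; hoisting it once, e.g. `- payment_method = order.payments.first.andand.payment_method` above `.text-big`, and then `%strong= payment_method.andand.name` / `%em= payment_method.andand.description`, keeps the now-escaped output in one obvious place and shortens both lines. Dropping `html_safe` is the right fix for attacker- or admin-controlled text, and the `%p.pre-line` styling keeps working because newlines survive HTML escaping. Be aware that any existing `description` values that relied on markup will now show their tags literally, which the commit message accepts as the intended trade-off. It is also worth checking other templates that render `payment_method.name` or `description` for a remaining `html_safe`, since this hunk only covers the order-details partial.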
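Review bot: As shown in the hunk, the name assigned in the new example (`"Barter→ing"`) contains no HTML metacharacter, so `have_content("Paying via: Barter→ing")` passes with or without the removed `html_safe` and does not pin the escaping fix; if the page lost a tag from that string in transit, disregard this. To make the spec discriminating, give the name a tag (constructed example: `order.payments.first.payment_method.name = "Barter<em>ing</em>"`) and assert the escaped rendering, e.g. `expect(rendered).to include("Barter&lt;em&gt;ing&lt;/em&gt;")`, since `have_content` compares parsed text and would also accept an unescaped `<em>` element. The `description` line changed in the view gets no coverage here; a parallel example setting `payment_method.description` would close that gap. The enclosing `describe` block starts outside the hunk.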