From a356aac56f17278e79372b4e63ff3e160eec7cd2 Mon Sep 17 00:00:00 2001
From:
Date: Mon, 11 Feb 2008 10:49:30 -0500
Subject: [PATCH] added the ability to add safe html tags to input (i.e.,
images) - added new white_list_plugin - changed it so that it is being used
for candidate names in quickvotes
---
app/helpers/application_helper.rb | 1 -
app/views/common/_methodinfo_ssd.rhtml | 2 +-
app/views/common/_pref_tables.rhtml | 8 +-
app/views/common/_result.rhtml | 4 +-
app/views/common/_sortable_vote.rhtml | 2 +-
app/views/quickvote/_approval_table.rhtml | 4 +-
app/views/quickvote/_candidate_list.rhtml | 2 +-
app/views/quickvote/results.rhtml | 2 +-
app/views/quickvote/thanks.rhtml | 2 +-
app/views/voter/details.rhtml | 10 +-
test/functional/quickvote_controller_test.rb | 18 ++-
vendor/plugins/white_list/README | 29 ++++
vendor/plugins/white_list/Rakefile | 22 +++
vendor/plugins/white_list/init.rb | 2 +
.../white_list/lib/white_list_helper.rb | 97 +++++++++++++
.../white_list/test/white_list_test.rb | 132 ++++++++++++++++++
16 files changed, 318 insertions(+), 19 deletions(-)
create mode 100644 vendor/plugins/white_list/README
create mode 100644 vendor/plugins/white_list/Rakefile
create mode 100644 vendor/plugins/white_list/init.rb
create mode 100644 vendor/plugins/white_list/lib/white_list_helper.rb
create mode 100644 vendor/plugins/white_list/test/white_list_test.rb
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 4752f00..22a7940 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1,4 +1,3 @@
# Methods added to this helper will be available to all templates in the application.
module ApplicationHelper
-
end
diff --git a/app/views/common/_methodinfo_ssd.rhtml b/app/views/common/_methodinfo_ssd.rhtml
index 0c8dc95..5ec8b89 100644
--- a/app/views/common/_methodinfo_ssd.rhtml
+++ b/app/views/common/_methodinfo_ssd.rhtml
@@ -3,7 +3,7 @@ preference (from most preferred to least preferred):
<% @election.ssd_result.ranked_candidates.each do |place| %>
-
<%= h(place.collect {|c| @names[c].capitalize}.join( " and " )) %>
+
<%= white_list place.collect {|c| @names[c].capitalize}.join( " and " ) %>
<%= "(TIE)" if place.length > 1 %>
<% end %>
diff --git a/app/views/common/_pref_tables.rhtml b/app/views/common/_pref_tables.rhtml
index 7701985..567873b 100644
--- a/app/views/common/_pref_tables.rhtml
+++ b/app/views/common/_pref_tables.rhtml
@@ -14,13 +14,13 @@ top of the left column.
<% candidates.each do |candidate| -%>
-
<%=h @names[candidate] -%>
+
<%= white_list(@names[candidate]) -%>
<% end -%>
<% candidates.each do |winner| -%>
-
<%=h @names[winner] %>
+
<%= white_list(@names[winner]) %>
<% candidates.each do |loser| -%>
<% if winner == loser -%>
--
@@ -46,10 +46,10 @@ parenthesis.
<% candidates.each do |victor| %>
-
<%=h @names[victor] %>
+
<%= white_list(@names[victor]) %>
<% victories[victor].keys.each do |loser| %>
<% margin = victories[victor][loser]%>
-
<% if result.winner? and result.winners.length == 1 -%>
The winner is:
- <%=h @candidates[result.winner].name.capitalize %>
+ <%= white_list(@candidates[result.winner].name.capitalize) %>
<% elsif result.winner? and result.winners.length > 1 %>
- There was a tie. The winners are: <%=h( result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") )%>
+ There was a tie. The winners are: <%= white_list(result.winners.collect {|w| @candidates[w].to_s.capitalize}.join(", ") )%>
<% else %>
There is no winner using this method.
<% end %>
diff --git a/app/views/common/_sortable_vote.rhtml b/app/views/common/_sortable_vote.rhtml
index 6876966..f026c42 100644
--- a/app/views/common/_sortable_vote.rhtml
+++ b/app/views/common/_sortable_vote.rhtml
@@ -2,7 +2,7 @@
<% @election.approval_result.points.keys.sort.each do |candidate| %>
-
<%=h @names[candidate] %>
+
<%= white_list(@names[candidate]) %>
<% end -%>
@@ -12,4 +12,4 @@
<%= points %>
<% end -%>
-
\ No newline at end of file
+
diff --git a/app/views/quickvote/_candidate_list.rhtml b/app/views/quickvote/_candidate_list.rhtml
index 4ec3db8..9ccb3b1 100644
--- a/app/views/quickvote/_candidate_list.rhtml
+++ b/app/views/quickvote/_candidate_list.rhtml
@@ -2,7 +2,7 @@
<% if flash[:candidate_names] %>
<% for cand in flash[:candidate_names] %>
-
<%=h cand.capitalize %>
+
<%= white_list(cand.capitalize) %>
<% end %>
<% end %>
diff --git a/app/views/quickvote/results.rhtml b/app/views/quickvote/results.rhtml
index 8d8bf5f..78e74e8 100644
--- a/app/views/quickvote/results.rhtml
+++ b/app/views/quickvote/results.rhtml
@@ -23,7 +23,7 @@
<% for candidate in @election.candidates.sort %>
-
<%=h candidate.name.capitalize %>
+
<%= white_list(candidate.name.capitalize) %>
<% end %>
diff --git a/app/views/quickvote/thanks.rhtml b/app/views/quickvote/thanks.rhtml
index bf98ef8..d6ed8e0 100644
--- a/app/views/quickvote/thanks.rhtml
+++ b/app/views/quickvote/thanks.rhtml
@@ -8,7 +8,7 @@ preferences:
<% for rank in @voter.vote.rankings.sort %>
-
<%=h rank.candidate.name.capitalize %>
+
<%= white_list(rank.candidate.name.capitalize) %>
<% end %>
diff --git a/app/views/voter/details.rhtml b/app/views/voter/details.rhtml
index 584c408..cf73f41 100644
--- a/app/views/voter/details.rhtml
+++ b/app/views/voter/details.rhtml
@@ -4,7 +4,7 @@
This page contains information useful for auditing elections and
-verify that votes were tabulated correctly.
+verifying that votes were tabulated correctly.
The following invididuals (in random order) voted in this
election:
@@ -20,15 +20,17 @@ election:
The column marked Verification Token lists tokens that were
given to voters at the time of voting. Voters can check to see that the
vote that corresponds to their token was recorded correctly. The column
-marks "vote" lists the candidates in order of the voter's preference. To
-read these votes, please refer to the key below.
+marked Vote lists the candidates in order of the voter's
+preference. To read these votes, refer to the key below.
+
Verification Token
Vote
-<%- @votes.each do |vote| -%>
+<%- @votes.each_with_index do |vote, i| -%>
+
<%= i + 1 %>
<%= vote.token %>
<%= vote.votestring%>
<%- end -%>
diff --git a/test/functional/quickvote_controller_test.rb b/test/functional/quickvote_controller_test.rb
index 60ddb1b..e116c0d 100644
--- a/test/functional/quickvote_controller_test.rb
+++ b/test/functional/quickvote_controller_test.rb
@@ -115,24 +115,40 @@ class QuickvoteControllerTest < Test::Unit::TestCase
post :confirm, { 'ident' => 'variable', 'rankings-list' => votes.sort_by {rand} }
assert_redirected_to :controller => 'quickvote', :ident => 'variable'
end
+
def test_display_tainted_quickvote
+ # create quickvote with tainted data
test_create_quickvote
qv=QuickVote.ident_to_quickvote('variable')
qv.description=""
- qv.candidate_names = ["