Ensure csp_onclick escapes selector

This commit is contained in:
Alexander Brandon Coles
2025-11-05 12:53:16 +00:00
parent 91d2391c38
commit 7cad4d295d
2 changed files with 12 additions and 1 deletions
+1 -1
@@ -46,7 +46,7 @@ module RemovedJsHelpersHelper
def csp_onclick(callback_str, selector, prevent_default: true)
content_for(:additional_js_dom_ready) do
raw <<~JS # rubocop:disable Rails/OutputSafety
document.querySelector('#{selector}')?.addEventListener('click', function(event) {
document.querySelector('#{j(selector)}')?.addEventListener('click', function(event) {
#{callback_str&.delete_suffix(';')};#{"\n event.preventDefault();" if prevent_default}
});
JS
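Review bot: The new `j(selector)` on the `document.querySelector('…')` line is not explained, and `callback_str` on the following line is still interpolated unescaped, so a reader cannot tell from the hunk which argument is treated as data and which as code. A comment above the heredoc would pin that contract, e.g. `# selector is interpolated inside a single-quoted JS string literal, so it is escaped with j (escape_javascript), not HTML-escaped; callback_str is JS source by design and must never come from user input`. That also documents why `raw` and the RuboCop disable are needed here. csp_onclick's body continues past the end of the hunk.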
@@ -69,5 +69,16 @@ RSpec.describe RemovedJsHelpersHelper do
});
JS
end
it "escapes selector" do
helper.csp_onclick("console.log('hello');", "[data-attr^='foo']")
expect(helper.content_for(:additional_js_dom_ready)).to eq(<<~JS)
document.querySelector('[data-attr^=\\'foo\\']')?.addEventListener('click', function(event) {
console.log('hello');
event.preventDefault();
});
JS
end
end
end
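Review bot: The new example in the `escapes selector` block only pins the single-quote case, which is the one most likely to be caught by accident; the property worth locking in is that the selector cannot leave the string literal or the script context. A second example with a selector containing a backslash or `</` (which `j` is expected to emit as `<\/`) would make a regression in the escaping visible rather than silently accepted. The `expect(...)` heredoc in the current example relies on `\\'` inside `<<~JS` collapsing to `\'`, which is easy to misread; a short comment noting the intended literal output would help the next maintainer.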