ylqjgm
/
canvas-lms
mirror of https://github.com/instructure/canvas-lms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upgrade rails to 2.3.16 

The html_escape changes were backported from rails 3 in 2.3.16, so I've
removed our modified version.

Change-Id: I0067b9d84e49459dd7d46ba53a1d597d2e0efb67
Reviewed-on: https://gerrit.instructure.com/17379
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
Reviewed-by: Cameron Matheson <cameron@instructure.com>
QA-Review: Clare Hetherington <clare@instructure.com>
This commit is contained in:
Brian Palmer 2013-02-01 10:53:36 -07:00
parent d7bac4a190
commit 44b76489b5
6 changed files with 6 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Gemfile
View File

@ -2,7 +2,7 @@ source :rubygems
ONE_NINE = RUBY_VERSION >= "1.9." ONE_NINE = RUBY_VERSION >= "1.9."
gem 'rails', '2.3.15' gem 'rails', '2.3.16'
gem 'authlogic', '2.1.3' gem 'authlogic', '2.1.3'
#gem 'aws-s3', '0.6.2', :require => 'aws/s3' #gem 'aws-s3', '0.6.2', :require => 'aws/s3'
# use custom gem until pull request at https://github.com/marcel/aws-s3/pull/41 # use custom gem until pull request at https://github.com/marcel/aws-s3/pull/41

2
app/helpers/quizzes_helper.rb
View File

@ -178,7 +178,7 @@ module QuizzesHelper
if answer_list && !answer_list.empty? if answer_list && !answer_list.empty?
index = 0 index = 0
res.gsub %r{<input.*?name=['"](question_.*?)['"].*?/>} do |match| res.gsub %r{<input.*?name=['"](question_.*?)['"].*?/>} do |match|
a = h(answer_list[index]).gsub "'", "&#39;" a = h(answer_list[index])
index += 1 index += 1
# Replace the {{question_BLAH}} template text with the user's answer text. # Replace the {{question_BLAH}} template text with the user's answer text.
match.sub(/\{\{question_.*?\}\}/, a). match.sub(/\{\{question_.*?\}\}/, a).

34
config/initializers/rails_patches.rb
View File

@ -1,6 +1,7 @@
ActionController::Base.param_parsers.delete(Mime::XML) ActionController::Base.param_parsers.delete(Mime::XML)
# CVE-2013-0333 # CVE-2013-0333
# https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion # https://groups.google.com/d/topic/rubyonrails-security/1h2DR63ViGo/discussion
# With Rails 2.3.16 we could remove this line, but we still prefer JSONGem for performance reasons
ActiveSupport::JSON.backend = "JSONGem" ActiveSupport::JSON.backend = "JSONGem"
if Rails::VERSION::MAJOR == 3 && Rails::VERSION::MINOR >= 1 if Rails::VERSION::MAJOR == 3 && Rails::VERSION::MINOR >= 1
@ -41,39 +42,6 @@ else
end end
end end
# https://github.com/rails/rails/commit/0e17cf17ebeb70490d7c7cd25c6bf8f9401e44b3
# https://github.com/rails/rails/commit/63cd9432265a32d222353b535d60333c2a6a5125
# Backport from Rails 3.1
ERB::Util.module_eval do
# Detect whether 1.9 can transcode with XML escaping.
if '"&gt;&lt;&amp;&quot;"' == ('><&"'.encode('utf-8', :xml => :attr) rescue false)
def html_escape(s)
s = s.to_s
if s.html_safe?
s
else
s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
end
end
else
def html_escape(s)
s = s.to_s
if s.html_safe?
s
else
s.gsub(/[&"><]/n) { |special| ERB::Util::HTML_ESCAPE[special] }.html_safe
end
end
end
remove_method(:h)
alias h html_escape
module_function :h
module_function :html_escape
end
# Fix for has_many :through where the through and target reflections are the # Fix for has_many :through where the through and target reflections are the
# same table (the through table needs to be aliased) # same table (the through table needs to be aliased)
# https://github.com/rails/rails/issues/669 (fixed in rails 3.1) # https://github.com/rails/rails/issues/669 (fixed in rails 3.1)

2
spec/helpers/quizzes_helper_spec.rb
View File

@ -89,7 +89,7 @@ describe QuizzesHelper do
:answers => [] :answers => []
) )
html.should == %q|<input name="question_1" 'value=&#39;&gt;&lt;script&gt;alert(&#39;ha!&#39;)&lt;/script&gt;&lt;img' readonly="readonly" />| html.should == %q|<input name="question_1" 'value=&#x27;&gt;&lt;script&gt;alert(&#x27;ha!&#x27;)&lt;/script&gt;&lt;img' readonly="readonly" />|
end end
end end
end end

2
spec/lib/content_zipper_spec.rb
View File

@ -35,7 +35,7 @@ describe ContentZipper do
Zip::ZipFile.foreach(attachment.full_filename) do |f| Zip::ZipFile.foreach(attachment.full_filename) do |f|
if f.file? if f.file?
f.name.should =~ /some-999-_-1234-guy/ f.name.should =~ /some-999-_-1234-guy/
f.get_input_stream.read.should match(%r{This submission was a url, we're taking you to the url link now.}) f.get_input_stream.read.should match(%r{This submission was a url, we&#x27;re taking you to the url link now.})
f.get_input_stream.read.should be_include("http://www.instructure.com/") f.get_input_stream.read.should be_include("http://www.instructure.com/")
end end
end end

2
spec/lib/text_helper_spec.rb
View File

@ -272,7 +272,7 @@ describe TextHelper do
context "i18n" do context "i18n" do
it "should automatically escape Strings" do it "should automatically escape Strings" do
th.mt(:foo, "We **don't** trust the following input: %{input}", :input => "`a` **b** _c_ ![d](e)\n# f\n + g\n - h"). th.mt(:foo, "We **don't** trust the following input: %{input}", :input => "`a` **b** _c_ ![d](e)\n# f\n + g\n - h").
should == "We <strong>don't</strong> trust the following input: `a` **b** _c_ ![d](e) # f + g - h" should == "We <strong>don&#x27;t</strong> trust the following input: `a` **b** _c_ ![d](e) # f + g - h"
end end
it "should not escape MarkdownSafeBuffers" do it "should not escape MarkdownSafeBuffers" do