diff --git a/app/models/status_message.rb b/app/models/status_message.rb
index d229602a4..d6d71ce04 100644
--- a/app/models/status_message.rb
+++ b/app/models/status_message.rb
@@ -10,7 +10,7 @@ class StatusMessage < Post
validates_length_of :message, :maximum => 1000, :message => "please make your status messages less than 1000 characters"
xml_name :status_message
- xml_attr :message
+ xml_attr :raw_message
has_many :photos, :dependent => :destroy
validate :message_or_photos_present?
@@ -22,19 +22,34 @@ class StatusMessage < Post
get_youtube_title message
end
+ def message
+ self.formatted_message
+ end
+
+ def raw_message
+ read_attribute(:message)
+ end
+ def raw_message=(text)
+ write_attribute(:message, text)
+ end
+
def formatted_message
+ return self.raw_message unless self.raw_message
people = self.mentioned_people
regex = /@\{([^;]+); ([^\}]+)\}/
- message.gsub(regex) do |matched_string|
- people.detect{ |p|
+ escaped_message = ERB::Util.h(raw_message)
+ form_message = escaped_message.gsub(regex) do |matched_string|
+ person = people.detect{ |p|
p.diaspora_handle == matched_string.match(regex).captures.last
- }.name
+ }
+ "#{ERB::Util.h(person.name)}"
end
+ form_message
end
def mentioned_people
regex = /@\{([^;]+); ([^\}]+)\}/
- identifiers = self.message.scan(regex).map do |match|
+ identifiers = self.raw_message.scan(regex).map do |match|
match.last
end
self.person.owner.contact_people.where(:diaspora_handle => identifiers)
diff --git a/spec/models/status_message_spec.rb b/spec/models/status_message_spec.rb
index 3e49000e5..fdd701160 100644
--- a/spec/models/status_message_spec.rb
+++ b/spec/models/status_message_spec.rb
@@ -4,6 +4,7 @@
require 'spec_helper'
+
describe StatusMessage do
before do
@@ -54,6 +55,12 @@ describe StatusMessage do
end
describe 'mentions' do
+ def controller
+ mock()
+ end
+
+ include ActionView::Helpers::UrlHelper
+ include Rails.application.routes.url_helpers
before do
@people = [alice, bob, eve].map{|u| u.person}
@test_string = <<-STR
@@ -63,12 +70,29 @@ STR
@sm = Factory.create(:status_message, :message => @test_string )
end
- it 'adds the links in the formated message text' do
- @sm.formatted_message.should == <<-STR
-#{@people[0].name} can mention people like Raphael #{@people[1].name}
-can mention people like Raphaellike Raphael #{@people[2].name} can mention people like Raph
+ describe '#formatted_message' do
+ it 'adds the links in the formated message text' do
+ @sm.formatted_message.should == <<-STR
+#{link_to(@people[0].name, person_path(@people[0]))} can mention people like Raphael #{link_to(@people[1].name, person_path(@people[1]))}
+can mention people like Raphaellike Raphael #{link_to(@people[2].name, person_path(@people[2]))} can mention people like Raph
STR
+ end
+ it 'escapes the link title' do
+ p = @people[0].profile
+ p.first_name=""
+ p.save!
+ @sm.formatted_message.should_not include(@people[0].profile.first_name)
+ end
+ it 'escapes the message' do
+ xss = " "
+ @sm.message << xss
+
+ @sm.formatted_message.should_not include xss
+ end
+ it 'is html_safe' do
+ @sm.formatted_message.html_safe?.should be_true
+ end
end
it 'extracts the mentioned people from the message' do
@@ -80,8 +104,12 @@ STR
@message = Factory.create(:status_message, :message => "I hate WALRUSES!", :person => @user.person)
@xml = @message.to_xml.to_s
end
+ it 'serializes the unescaped, unprocessed message' do
+ @message.message = ""
+ @message.to_xml.to_s.should include @message.message
+ end
it 'serializes the message' do
- @xml.should include "I hate WALRUSES!"
+ @xml.should include "I hate WALRUSES!"
end
it 'serializes the author address' do