Fix joins not to make strings unsafe (#704)

* Fix joins not to make strings unsafe * Fix RuboCop offenses
bootstrap-ruby · Sep 26, 2023 · 95596b0 · 95596b0
1 parent 656e83a
commit 95596b0
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 13 deletions.
diff --git a/lib/bootstrap_form/components/labels.rb b/lib/bootstrap_form/components/labels.rb
@@ -43,10 +43,11 @@ def label_layout_classes(custom_label_col, group_layout)
       end
 
       def label_text(name, options)
+        label = options[:text] || object&.class&.try(:human_attribute_name, name)&.html_safe # rubocop:disable Rails/OutputSafety
         if label_errors && error?(name)
-          (options[:text] || object.class.human_attribute_name(name)).to_s + " #{get_error_messages(name)}"
+          (" ".html_safe + get_error_messages(name)).prepend(label)
         else
-          options[:text] || object&.class.try(:human_attribute_name, name)
+          label
         end
       end
     end

diff --git a/lib/bootstrap_form/components/validation.rb b/lib/bootstrap_form/components/validation.rb
@@ -82,7 +82,8 @@ def get_error_messages(name)
           end
         end
 
-        object.errors[name].join(", ")
+        safe_join(object.errors[name], ", ")
+        # object.errors[name].join(", ")
       end
       # rubocop:enable Metrics/AbcSize
     end

diff --git a/lib/bootstrap_form/form_builder.rb b/lib/bootstrap_form/form_builder.rb
@@ -45,6 +45,8 @@ class FormBuilder < ActionView::Helpers::FormBuilder
     include BootstrapForm::Inputs::UrlField
     include BootstrapForm::Inputs::WeekField
 
+    include ActionView::Helpers::OutputSafetyHelper
+
     delegate :content_tag, :capture, :concat, :tag, to: :@template
 
     def initialize(object_name, object, template, options)
@@ -66,8 +68,8 @@ def add_default_form_attributes_and_form_inline(options)
       return unless options[:layout] == :inline
 
       options[:html][:class] =
-        ([*options[:html][:class]&.split(/\s+/)] + %w[row row-cols-auto g-3 align-items-center])
-        .compact.uniq.join(" ")
+        safe_join(([*options[:html][:class]&.split(/\s+/)] + %w[row row-cols-auto g-3 align-items-center])
+        .compact.uniq, " ")
     end
 
     def fields_for_with_bootstrap(record_name, record_object=nil, fields_options={}, &block)

diff --git a/lib/bootstrap_form/form_group_builder.rb b/lib/bootstrap_form/form_group_builder.rb
@@ -91,7 +91,7 @@ def form_group_css_options(method, html_options, options)
       css_options = html_options || options
       # Add control_class; allow it to be overridden by :control_class option
       control_classes = css_options.delete(:control_class) { control_class }
-      css_options[:class] = [control_classes, css_options[:class]].compact.join(" ")
+      css_options[:class] = safe_join([control_classes, css_options[:class]].compact, " ")
       css_options[:class] << " is-invalid" if error?(method)
       css_options[:placeholder] = form_group_placeholder(options, method) if options[:label_as_placeholder]
       css_options

diff --git a/lib/bootstrap_form/helpers/bootstrap.rb b/lib/bootstrap_form/helpers/bootstrap.rb
@@ -1,6 +1,8 @@
 module BootstrapForm
   module Helpers
     module Bootstrap
+      include ActionView::Helpers::OutputSafetyHelper
+
       def alert_message(title, options={})
         css = options[:class] || "alert alert-danger"
         return unless object.respond_to?(:errors) && object.errors.full_messages.any?
@@ -31,11 +33,12 @@ def errors_on(name, options={})
         custom_class = options[:custom_class] || false
 
         tag.div class: custom_class || "invalid-feedback" do
-          if hide_attribute_name
-            object.errors[name].join(", ")
-          else
-            object.errors.full_messages_for(name).join(", ")
-          end
+          errors = if hide_attribute_name
+                     object.errors[name]
+                   else
+                     object.errors.full_messages_for(name)
+                   end
+          safe_join(errors, ", ")
         end
       end
 
@@ -93,7 +96,7 @@ def attach_input(options, key)
         tags = [*options[key]].map do |item|
           input_group_content(item)
         end
-        ActiveSupport::SafeBuffer.new(tags.join)
+        safe_join(tags)
       end
     end
   end

diff --git a/lib/bootstrap_form/inputs/rich_text_area.rb b/lib/bootstrap_form/inputs/rich_text_area.rb
@@ -10,7 +10,7 @@ module RichTextArea
         def rich_text_area_with_bootstrap(name, options={})
           form_group_builder(name, options) do
             prepend_and_append_input(name, options) do
-              options[:class] = ["trix-content", options[:class]].compact.join(" ")
+              options[:class] = safe_join(["trix-content", options[:class]].compact, " ")
               rich_text_area_without_bootstrap(name, options)
             end
           end