fix vulnerability
This commit is contained in:
parent
a801bafd79
commit
ef669084a7
@ -9,6 +9,8 @@ class AsksController < ActionController::Base
subpart = OrbitHelper.get_current_widget
subpart = OrbitHelper.get_current_widget
case subpart.widget_type
case subpart.widget_type
when /.*_form/
when /.*_form/
read_more_page = Page.where(id: subpart.read_more_page_id).first || Page.where(:module => 'ask').first
referer_url = read_more_page ? "/#{I18n.locale}#{read_more_page.url}" : "/#{I18n.locale}/asks"
module_app = ModuleApp.where(:key => "ask").first
module_app = ModuleApp.where(:key => "ask").first
categories = Array(Category.find(OrbitHelper.widget_categories)) rescue ['all']
categories = Array(Category.find(OrbitHelper.widget_categories)) rescue ['all']
categories = module_app.categories if categories.include? 'all'
categories = module_app.categories if categories.include? 'all'
@ -28,7 +30,7 @@ class AsksController < ActionController::Base
request = OrbitHelper.request
request = OrbitHelper.request
csrf_value = OrbitHelper.request.session[:_csrf_token] || SecureRandom.base64(32)
csrf_value = OrbitHelper.request.session[:_csrf_token] || SecureRandom.base64(32)
token_tag = hidden_field_tag('authenticity_token',csrf_value)
token_tag = hidden_field_tag('authenticity_token',csrf_value)
switch_form = cal_switch_form(ask_settings,categories,token_tag)
switch_form = cal_switch_form(ask_settings,categories,token_tag,referer_url)
{
{
'fields' => defalt_fields,
'fields' => defalt_fields,
'extras'=>{
'extras'=>{
@ -36,7 +38,7 @@ class AsksController < ActionController::Base
'form_url' => "/#{I18n.locale.to_s}/asks",
'form_url' => "/#{I18n.locale.to_s}/asks",
'submit_tag' => submit_tag(t('submit'), :class=> 'btn btn-primary', :id => 'button-mail'),
'submit_tag' => submit_tag(t('submit'), :class=> 'btn btn-primary', :id => 'button-mail'),
'close_tag' => button_tag(t('cancel'), type: 'reset', :class=> 'btn'),
'close_tag' => button_tag(t('cancel'), type: 'reset', :class=> 'btn'),
'referer_url' => '',
'referer_url' => referer_url,
'switch_form' => switch_form
'switch_form' => switch_form
}
}
}
}
@ -99,6 +101,13 @@ class AsksController < ActionController::Base
end
end
def index
def index
@params = OrbitHelper.params
@params = OrbitHelper.params
case ((@params['method'] rescue params['method']) rescue nil)
when 'thank'
render :thank and return {}
when 'sorry'
render :sorry and return {}
end
referer_url = OrbitHelper.request.fullpath
if @params['item'].to_s.empty?
if @params['item'].to_s.empty?
get_layout_type
get_layout_type
else
else
@ -119,7 +128,7 @@ class AsksController < ActionController::Base
end
end
csrf_value = OrbitHelper.request.session[:_csrf_token] || SecureRandom.base64(32)
csrf_value = OrbitHelper.request.session[:_csrf_token] || SecureRandom.base64(32)
token_tag = hidden_field_tag('authenticity_token',csrf_value)
token_tag = hidden_field_tag('authenticity_token',csrf_value)
switch_form = cal_switch_form(ask_settings,categories,token_tag)
switch_form = cal_switch_form(ask_settings,categories,token_tag,referer_url)
tags = module_app.tags
tags = module_app.tags
ask_question = AskQuestion.new
ask_question = AskQuestion.new
{
{
@ -179,9 +188,9 @@ class AsksController < ActionController::Base
if flag
if flag
@ask_question.update_attributes(temp_params)
@ask_question.update_attributes(temp_params)
build_email(@ask_question)
build_email(@ask_question)
redirect_to "#{params[:referer_url]}/?method=thank"
redirect_to "#{params[:referer_url]}?method=thank"
else
else
redirect_to "#{params[:referer_url]}/?method=sorry"
redirect_to "#{params[:referer_url]}?method=sorry"
end
end
end
end
@ -282,11 +291,10 @@ class AsksController < ActionController::Base
end
end
defalt_fields
defalt_fields
end
end
def cal_html(fields,token_tag,form_id)
def cal_html(fields,token_tag,form_id,referer_url)
form_url = "/#{I18n.locale.to_s}/asks"
form_url = "/#{I18n.locale.to_s}/asks"
submit_tag = submit_tag(t('submit'), :class=> 'btn btn-primary', :id => 'button-mail')
submit_tag = submit_tag(t('submit'), :class=> 'btn btn-primary', :id => 'button-mail')
close_tag = button_tag(t('cancel'), type: 'reset', :class=> 'btn')
close_tag = button_tag(t('cancel'), type: 'reset', :class=> 'btn')
referer_url = ''
tmp = fields.collect do |field|
tmp = fields.collect do |field|
style_html = field['style_html']
style_html = field['style_html']
label = field['label']
label = field['label']
@ -347,7 +355,7 @@ class AsksController < ActionController::Base
})
})
</script>"
</script>"
end
end
def cal_switch_form(ask_settings,categories,token_tag)
def cal_switch_form(ask_settings,categories,token_tag,referer_url)
switch_form = ''
switch_form = ''
if ask_settings.count > 1
if ask_settings.count > 1
switch_form = script_text + ask_settings.collect do |ask_setting|
switch_form = script_text + ask_settings.collect do |ask_setting|
@ -357,7 +365,7 @@ class AsksController < ActionController::Base
else
else
form_id = ask_setting.category_id
form_id = ask_setting.category_id
end
end
cal_html(fields,token_tag,form_id)
cal_html(fields,token_tag,form_id,referer_url)
end.join
end.join
end
end
switch_form
switch_form
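Review bot: The open redirect the commit title refers to is still present: in the `create` hunk, `redirect_to "#{params[:referer_url]}?method=thank"` and its `sorry` twin send the browser to whatever the POSTed `referer_url` field contains, and that field is attacker-controlled no matter what the view now writes into it — a POST with `referer_url=//evil.example` or `https://evil.example` is still a 302 off-site on Rails versions that do not raise on external redirects. Validate the value server-side and fall back to the ask page, for example with the helper below, and keep only the path, because `request.fullpath` (the new source of the value in `index`) carries the query string, so a page reached via `?method=sorry` would redirect to `...?method=sorry?method=thank` and the `case` on `method` in `index` would never match. If `cal_html` splices `referer_url` into its hidden input by string concatenation rather than `hidden_field_tag`, that query string is also reflected unescaped — confirm in the part of `cal_html` outside this hunk. The enclosing `create` action starts and ends outside the hunk.
```ruby
# Accept only a same-site path for the post-submit redirect: reject absolute and
# protocol-relative URLs and drop any query string so "?method=…" appends cleanly.
def safe_referer_path
  uri = URI.parse(params[:referer_url].to_s)
  return "/#{I18n.locale}/asks" if uri.scheme || uri.host || !uri.path.start_with?('/') || uri.path.start_with?('//')
  uri.path
rescue URI::InvalidURIError
  "/#{I18n.locale}/asks"
end

# … unchanged: flag check / update_attributes / build_email …
redirect_to "#{safe_referer_path}?method=thank"
# … unchanged: else branch …
redirect_to "#{safe_referer_path}?method=sorry"
```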
@ -243,7 +243,7 @@
</div>
</div>
<% end %>
<% end %>
<div class="form-actions">
<div class="form-actions">
<input type="hidden" name="referer_url" value="<%= request.original_url.split(request.env["HTTP_HOST"]).last %>">
<input type="hidden" name="referer_url" value="<%= request.fullpath %>">
<%= f.submit t('submit'), class: 'btn btn-primary', :id => 'button-mail' %>
<%= f.submit t('submit'), class: 'btn btn-primary', :id => 'button-mail' %>
<%= f.button t('cancel'), type: 'reset', class: 'btn' %>
<%= f.button t('cancel'), type: 'reset', class: 'btn' %>
</div>
</div>
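Review bot: `request.fullpath` in the new hidden field includes the query string, so a form rendered on `/en/asks?method=sorry` posts `referer_url=/en/asks?method=sorry` and the controller's `"#{params[:referer_url]}?method=thank"` produces a URL with two `?`; use the path only here, `<input type="hidden" name="referer_url" value="<%= request.path %>">`, or strip the query on the server. The `<%= %>` output is HTML-escaped, so this line is not an injection point, but a hidden field is not a trust boundary either — the client can post any value, so the server-side check on `referer_url` is what has to keep the redirect on-site, and the controller hunk on this page still interpolates it into `redirect_to` unvalidated. The surrounding form starts outside this hunk.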
@ -51,6 +51,7 @@ module Ask
OrbitApp.registration "Ask", :type => "ModuleApp" do
OrbitApp.registration "Ask", :type => "ModuleApp" do
module_label "ask.ask"
module_label "ask.ask"
base_url File.expand_path File.dirname(__FILE__)
base_url File.expand_path File.dirname(__FILE__)
set_keyword_contstraints ['/asks']
widget_methods ["widget"]
widget_methods ["widget"]
widget_settings [{"data_count"=>10}]
widget_settings [{"data_count"=>10}]
taggable "AskQuestion"
taggable "AskQuestion"