wtf is xss? - also overridable size def for mselects

master
Josha von Gizycki 6 years ago
parent b603f42073
commit 02504897d2

@ -1,4 +1,4 @@
(defproject joshavg/formulare "0.3.3-SNAPSHOT" (defproject joshavg/formulare "0.4.0-SNAPSHOT"
:description "Forms hiccup style" :description "Forms hiccup style"
:url "https://gitea.heevyis.ninja/josha/formulare.git" :url "https://gitea.heevyis.ninja/josha/formulare.git"
:scm {:name "git" :url "https://gitea.heevyis.ninja/josha/formulare.git"} :scm {:name "git" :url "https://gitea.heevyis.ninja/josha/formulare.git"}

@ -2,8 +2,9 @@
(:require [formulare.theme :as theme] (:require [formulare.theme :as theme]
[clojure.spec.alpha :as spec] [clojure.spec.alpha :as spec]
[clojure.spec.test.alpha :as spectest] [clojure.spec.test.alpha :as spectest]
[hiccup.form :as hform] [hiccup
[hiccup.core :as hcore] [form :as hform]
[core :as hcore]]
[ring.util.anti-forgery :refer [anti-forgery-field]])) [ring.util.anti-forgery :refer [anti-forgery-field]]))
(spec/def ::label string?) (spec/def ::label string?)

@ -1,6 +1,8 @@
(ns formulare.theme (ns formulare.theme
(:require [clojure.spec.alpha :as spec] (:require [clojure.spec.alpha :as spec]
[hiccup.form :as hform])) [hiccup
[form :as hform]
[core :as hcore]]))
(defn row [& content] content) (defn row [& content] content)
@ -15,9 +17,11 @@
(fn [prob] (fn [prob]
[:p [:p
"Field " "Field "
[:span.flash__field (:label field-def)] [:span.flash__field
(hcore/h (:label field-def))]
" must comply to " " must comply to "
[:span.flash__pred (:pred prob)]]) [:span.flash__pred
(hcore/h (:pred prob))]])
(:clojure.spec.alpha/problems (:clojure.spec.alpha/problems
(spec/explain-data (:spec field-def) (spec/explain-data (:spec field-def)
field-value))))) field-value)))))
@ -27,7 +31,7 @@
(spec/explain-data % req)) (spec/explain-data % req))
(:form-specs form-def))] (:form-specs form-def))]
(err-msg [:p "The form must comply to " (err-msg [:p "The form must comply to "
(:pred prob)]))) (hcore/h (:pred prob))])))
(defn label [field-id field-def] (defn label [field-id field-def]
(when-not (= :hidden (:widget field-def)) (when-not (= :hidden (:widget field-def))
@ -57,14 +61,17 @@
(defn multiselect-widget [id def value] (defn multiselect-widget [id def value]
(let [options (:options def)] (let [options (:options def)]
[:select {:multiple "multiple" [:select {:multiple "multiple"
:size 5 :size (:size def 5)
:name (name id) :name (name id)
:id (name id)} :id (name id)}
(for [option options] (for [option options]
[:option {:value (second option) [:option {:value (second option)
:selected (some? (some (partial = (second option)) :selected (some? (some (partial = (second option))
value))} value))}
(first option)])])) (hcore/h (first option))])]))
(comment
(multiselect-widget :id {:options [["<>" "key"]]} {}))
(defn hidden-widget [id def value] (defn hidden-widget [id def value]
(hform/hidden-field id value)) (hform/hidden-field id value))

@ -277,10 +277,21 @@
:form-specs [(fn [req] false)]}] :form-specs [(fn [req] false)]}]
(is (= [:section.flash--error (is (= [:section.flash--error
[:h2.flash__heading--error "Warning"] [:h2.flash__heading--error "Warning"]
[:p "The form must comply to " [:p "The form must comply to " (name :clojure.spec.alpha/unknown)]]
:clojure.spec.alpha/unknown]]
(first (first
(render-widgets (render-widgets
def def
{} {}
{:params {:__form-hash (form-hash def {})}}))))))) {:params {:__form-hash (form-hash def {})}})))))))
(deftest html-contents-are-escaped
(testing "mselect"
(let [def {:fields {:foo {:widget :mselect
:options [["<>" "key1"]]}}}]
(is (= [:option {:value "key1" :selected false} "&lt;&gt;"]
(-> (render-widgets def {} {})
(nthrest 2)
first
(nth 2)
(nth 2)
first))))))
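Review bot: `html-contents-are-escaped` only asserts the mselect option label, while the same commit also wraps the field `:label` and the `:pred` text of validation messages in `hcore/h`; none of those paths has an assertion, so a regression there would pass this suite. A second `(testing "field error label" ...)` block with a field whose `:label` is a constructed string like `"<b>x</b>"`, failing its spec, and an assertion that the rendered `:span.flash__field` holds `"&lt;b&gt;x&lt;/b&gt;"` would close that gap. The `(-> (render-widgets def {} {}) (nthrest 2) first (nth 2) (nth 2) first)` chain is purely positional and will break on any change to the wrapper shape; comparing against the full expected hiccup vector, or locating the `:option` vector with a small `find-tag` helper, would give a readable failure instead of an index error.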
