From bba32a3e6146f72ae69d04133135fa1d624b57a7 Mon Sep 17 00:00:00 2001
From: bugbug11111
Date: Tue, 5 May 2026 08:08:48 +0200
Subject: [PATCH 1/3] feat(accounts): add activity entry highlighting in summary cards

* Introduced a new helper method `highlight_activity_entry_name` to highlight search terms in activity entry names.
* Updated various views to utilize the new highlighting method for improved user experience in displaying relevant entries.
---
 app/helpers/accounts_helper.rb | 9 +++++++++
 app/views/trades/_trade.html.erb | 4 ++--
 app/views/transactions/_split_parent_row.html.erb | 6 +++---
 app/views/transactions/_transaction.html.erb | 4 ++--
 app/views/valuations/_valuation.html.erb | 4 ++--
 5 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/app/helpers/accounts_helper.rb b/app/helpers/accounts_helper.rb
index 99ef891ce..90966cec9 100644
--- a/app/helpers/accounts_helper.rb
+++ b/app/helpers/accounts_helper.rb
@@ -1,4 +1,6 @@
 module AccountsHelper
+  ACTIVITY_HIGHLIGHT_MARKUP = '\1'.freeze
+
   def summary_card(title:, &block)
     content = capture(&block)
     render "accounts/summary_card", title: title, content: content
@@ -8,4 +10,11 @@ module AccountsHelper
     # Always use the account sync path, which handles syncing all providers
     sync_account_path(account)
   end
+
+  def highlight_activity_entry_name(name, query = params.dig(:q, :search))
+    search = query.to_s.strip
+    return name if search.blank?
+
+    highlight(name, search, highlighter: ACTIVITY_HIGHLIGHT_MARKUP)
+  end
 end
diff --git a/app/views/trades/_trade.html.erb b/app/views/trades/_trade.html.erb
index 04b67e645..a614b0251 100644
--- a/app/views/trades/_trade.html.erb
+++ b/app/views/trades/_trade.html.erb
@@ -32,10 +32,10 @@
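Review bot: `ACTIVITY_HIGHLIGHT_MARKUP` is handed to ActionView's `highlight`, which marks its return value html_safe, so the constant must remain a fixed literal with nothing interpolated into it; its value reads as `'\1'` here, which looks like the wrapping element was stripped in this rendering and would otherwise make the highlight a no-op, so it is worth confirming against the repository. A comment on the constant would pin that invariant: `# Used as the highlighter for ActionView's highlight, whose output is html_safe: keep this a fixed literal with no interpolated values.` The helper in the second hunk would benefit from a YARD header stating that `query` defaults to the current request's `params[:q][:search]`, that a blank query returns `name` unchanged for the template to escape, and that a non-blank query returns an html_safe string; it can also note that `highlight` applies `Regexp.escape` to the phrase, so a user-typed search cannot change the pattern.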
- <%= link_to entry.name, + <%= link_to(highlight_activity_entry_name(entry.name), entry_path(entry), data: { turbo_frame: "drawer", turbo_prefetch: false }, - class: "hover:underline" %> + class: "hover:underline") %>
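Review bot: Wrapping `entry.name` in `highlight_activity_entry_name` means `link_to` receives an html_safe string whenever a search is active, and `link_to` renders such a string unescaped, so escaping of the entry name moves from this template into the helper; the same applies to the hunks in `_split_parent_row.html.erb`, `_transaction.html.erb` and `_valuation.html.erb`. That is fine as long as the helper escapes before it highlights, but nothing in the series adds a test for it; a helper test asserting that `highlight_activity_entry_name("<b>x</b>", "x")` is html_safe and contains no literal `<b>` would keep that contract from regressing. The surrounding markup of this partial continues outside the hunk.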
<% end %> diff --git a/app/views/transactions/_split_parent_row.html.erb b/app/views/transactions/_split_parent_row.html.erb index 6813609c3..c54bdfe35 100644 --- a/app/views/transactions/_split_parent_row.html.erb +++ b/app/views/transactions/_split_parent_row.html.erb @@ -29,10 +29,10 @@
- <%= link_to entry.name, + <%= link_to(highlight_activity_entry_name(entry.name), entry_path(entry), data: { turbo_frame: "drawer", turbo_prefetch: false }, - class: "hover:underline" %> + class: "hover:underline") %>
@@ -51,7 +51,7 @@ <%= link_to entry.account.name, account_path(entry.account, tab: "transactions"), data: { turbo_frame: "_top" }, - class: "hover:underline" %> + class: "hover:underline") %>
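Review bot: The `+` line in this hunk changes `class: "hover:underline" %>` to `class: "hover:underline") %>` under a `link_to` call that has no opening parenthesis, which leaves the template unparsable until patch 2/3 reverts it. Since nothing else in the `@@ -51` range is meant to change, drop this hunk from patch 1 (and patch 2 with it) rather than carrying a commit that does not render. The `link_to` call starts at the top of the hunk and its trailing markup continues outside it.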
diff --git a/app/views/transactions/_transaction.html.erb b/app/views/transactions/_transaction.html.erb index b0ee1ae0a..1c19f8f32 100644 --- a/app/views/transactions/_transaction.html.erb +++ b/app/views/transactions/_transaction.html.erb @@ -59,7 +59,7 @@
<% if transaction.transfer? %> <%= link_to( - entry.name, + highlight_activity_entry_name(entry.name), transaction.transfer.present? ? transfer_path(transaction.transfer) : entry_path(entry), data: { turbo_frame: "drawer", @@ -69,7 +69,7 @@ ) %> <% else %> <%= link_to( - entry.name, + highlight_activity_entry_name(entry.name), entry_path(entry), data: { turbo_frame: "drawer", diff --git a/app/views/valuations/_valuation.html.erb b/app/views/valuations/_valuation.html.erb index e377eda0f..d19a78f5d 100644 --- a/app/views/valuations/_valuation.html.erb +++ b/app/views/valuations/_valuation.html.erb @@ -17,10 +17,10 @@ <%= render DS::FilledIcon.new(icon: icon, size: "md", hex_color: color, rounded: true) %>
- <%= link_to entry.name, + <%= link_to(highlight_activity_entry_name(entry.name), entry_path(entry), data: { turbo_frame: "drawer", turbo_prefetch: false }, - class: "hover:underline" %> + class: "hover:underline") %>
From 5519716274a44ec164ae42cdb623cf10bad7a311 Mon Sep 17 00:00:00 2001
From: bugbug11111
Date: Tue, 5 May 2026 11:59:53 +0200
Subject: [PATCH 2/3] fix(transactions): correct HTML syntax in split parent row view

* Fixed a minor syntax issue in the _split_parent_row.html.erb file by ensuring the closing tag for the link_to helper is properly formatted. This change enhances code readability and maintains consistency in the view structure.
---
 app/views/transactions/_split_parent_row.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/transactions/_split_parent_row.html.erb b/app/views/transactions/_split_parent_row.html.erb
index c54bdfe35..74e518123 100644
--- a/app/views/transactions/_split_parent_row.html.erb
+++ b/app/views/transactions/_split_parent_row.html.erb
@@ -51,7 +51,7 @@ <%= link_to entry.account.name, account_path(entry.account, tab: "transactions"), data: { turbo_frame: "_top" },
-          class: "hover:underline") %>
+          class: "hover:underline" %>

From 86d92508cb3eeb65a3b97548d2fd4e1ea5960666 Mon Sep 17 00:00:00 2001
From: bugbug11111
Date: Tue, 5 May 2026 12:07:04 +0200
Subject: [PATCH 3/3] fix(accounts): sanitize activity entry names for highlighting

* Updated the `highlight_activity_entry_name` method to escape HTML in activity entry names before highlighting. This change prevents potential XSS vulnerabilities and ensures safe rendering of user-generated content.
---
 app/helpers/accounts_helper.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/helpers/accounts_helper.rb b/app/helpers/accounts_helper.rb
index 90966cec9..302902f39 100644
--- a/app/helpers/accounts_helper.rb
+++ b/app/helpers/accounts_helper.rb
@@ -15,6 +15,7 @@ module AccountsHelper
     search = query.to_s.strip
     return name if search.blank?
 
-    highlight(name, search, highlighter: ACTIVITY_HIGHLIGHT_MARKUP)
+    escaped_name = ERB::Util.html_escape(name.to_s)
+    highlight(escaped_name, search, highlighter: ACTIVITY_HIGHLIGHT_MARKUP, sanitize: false)
   end
 end
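Review bot: Escaping `name` before calling `highlight` (the two `+` lines) makes the search term match against entity-encoded text, so a query containing `&`, `<`, `>`, `"` or `'` no longer finds the name it was typed against (`AT&T` is searched for inside `AT&amp;T`), and a query such as `amp` can match inside an entity and split it, producing `&<mark>amp</mark>;`-style markup. The escaping itself is sound, and `sanitize: false` is correct only because of it, which deserves a comment on that line; `ERB::Util.html_escape` also leaves an already html_safe input untouched, which is fine for a database attribute but worth stating in the method's doc. Matching on the raw name and escaping each piece separately keeps both properties: the search compares against what was typed, and no entity is ever split. The enclosing `def highlight_activity_entry_name` begins outside the hunk; the rewrite below replaces its whole body, and `ACTIVITY_HIGHLIGHT_MARKUP` then only stays in use if its element and class are carried into the `content_tag` call.

```ruby
def highlight_activity_entry_name(name, query = params.dig(:q, :search))
  search = query.to_s.strip
  text = name.to_s
  return text if search.blank?

  # Split the raw name on the term and escape each piece on its own (safe_join
  # escapes non-html_safe pieces), so the match sees the name as typed and the
  # escaping can never be split by it. Case-insensitive, like ActionView's highlight.
  pieces = text.split(/(#{Regexp.escape(search)})/i)
  safe_join(pieces.map.with_index { |piece, i| i.odd? ? content_tag(:mark, piece) : piece })
end
```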