service contact blocks contain new lines - and jinja2 normally ignores
newlines (as in it keeps them as new lines) - but we need to turn them
into `<br>` tags so that we can show the formatting that the user has
added. We were previously just doing `{{ block | nl2br | safe }}`. nl2br
turns the new lines into `<br>` tags, and then `safe` tells jinja that
it doesn't need to escape the html.
This causes issues if the user adds `<script>alert(1)</script>` to their
contact block (or some other evil XSS hack), where that will get let
through due to the `safe` flag.
To solve this, use `Markup(html='escape')` to sanitise any html, and
then convert new lines to <br>.
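As an added example (not the Notify code from this commit), the old `nl2br | safe` pipeline is shown beside an escape-then-join filter that uses `markupsafe.escape` and `Markup('<br>').join`, both rendered through Jinja2 on a constructed contact block. The filter names, the `render_*` helpers and the sample text are assumptions made for this demo; it needs `jinja2` and `markupsafe` installed.

```python
# Added example (not Notify's own code): the "nl2br | safe" problem and an
# escape-then-join fix. Assumes jinja2 and markupsafe are installed; the
# filter names and the sample contact block are constructed for this demo.
from jinja2 import Environment
from markupsafe import Markup, escape


def nl2br_unsafe(value):
    """Old approach: swap newlines for <br> and leave everything else as-is.
    Returns a plain str, so the template needs "| safe" to get the <br>
    rendered, which also lets through any HTML the user typed."""
    return str(value).replace("\r\n", "\n").replace("\n", "<br>")


def nl2br_safe(value):
    """Fixed approach: escape each line first, then join with a Markup <br>.
    The result is a Markup object, so Jinja's autoescape leaves the <br>
    alone while every user-supplied angle bracket is already entity-encoded."""
    lines = str(value).replace("\r\n", "\n").split("\n")
    return Markup("<br>").join(escape(line) for line in lines)


def make_env():
    # autoescape=True mirrors a normal HTML-rendering Jinja2 setup
    env = Environment(autoescape=True)
    env.filters["nl2br_unsafe"] = nl2br_unsafe
    env.filters["nl2br"] = nl2br_safe
    return env


def render_unsafe(block):
    # What the template used to do: {{ block | nl2br | safe }}
    template = make_env().from_string("<p>{{ block | nl2br_unsafe | safe }}</p>")
    return template.render(block=block)


def render_safe(block):
    # The fixed template needs no "| safe": the filter returns Markup
    template = make_env().from_string("<p>{{ block | nl2br }}</p>")
    return template.render(block=block)


# Constructed sample: a contact block with a line break and an injected script
SAMPLE_BLOCK = "Call us on 0300 000 0000\n<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_unsafe(SAMPLE_BLOCK))  # the script tag survives unescaped
    print(render_safe(SAMPLE_BLOCK))    # the script tag is entity-encoded, <br> kept
```

The important detail is the order of operations: escaping after inserting `<br>` would encode the tags you just added, and marking the whole string `safe` after `nl2br` un-escapes the user's input. Escaping each line first and joining with a `Markup` separator keeps only the `<br>` trusted.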
bump utils
another xss
we all run 3.6 locally, we test against 3.6 both locally and on
concourse, and the latest version of openpyxl (required by
pyexcel-xlsx) doesn't support 3.5 anymore
The too many pages error was being returned when the file couldn’t be
read. This commit corrects the error message, and adds a test to make
sure this case is covered.
The API response for jobs includes a field called `job_status`. The API
response for uploads doesn’t.
The `Job` mode handles uploads and jobs, so it needs to account for the
possibility of the field not being there.
app/assets/javascripts/errorTracking.js sent
events to `window.ga`.
This extends the API of `window.GOVUK.Analytics`
to include support for sending events so all
calls to `window.ga` can use it instead of direct
access.
This use of `window.ga` was missed from the
initial work on `window.GOVUK.Analytics`.
It looks like a link so its semantics should
identify it as one.
This can affect users of speech recognition
software, in scenarios where they instruct it to
click an element which looks like one thing but
the software can only identify as something else.
Visual users get the context from the proximity to
the h2 but we need to provide this for others.
I've tried using `aria-describedby` to link them
to the h2 but this ends up making the h2 text the
button's description in the accessibility tree. In
Voiceover this means you only get that information
as extra context, announced a while after the
label if the VO cursor stays on the button.
We want all the information in the accessible
label so we chose this approach instead.
Paired with @aliuk2012 on the implementation and
with a view to making the component generic enough
to be used on digital marketplace apps as well.
These changes came from that session.
They include:
- removal of an unused `data-accept-cookies`
attribute
- removal of `govuk-!-padding-top-4` class and
moving of associated styles into component CSS
- swapping out the `aria-label` on the parent
element for an `aria-describedby` linked to the
h2 to have one thing labelling the banner region
- removal of unused CSS and any already provided
by the govuk-button class
- inclusion of `@import`s for styles attached to
govuk-body and govuk-button classes
Includes:
- tests for the analytics interface ported from
GOVUK Frontend Toolkit
- tests for the cookie banner that appears on all
pages except the cookies page
- tests for the cookies page JS
- tests for the hasConsentFor function
- adding a deleteCookie helper to remove
cookies during tests
- polyfill for insertAdjacentText
The last one is because JSDOM doesn't support
insertAdjacentText but our target browsers
do. This polyfill also includes one for
insertAdjacentHTML.
Includes:
- new content
- added option to turn analytics on/off
- non-js version for the on/off switch
- a banner to confirm user's choice was saved,
shown when they click the save button
- the cookie banner that appears on all other
pages removed from this page
Removes the following cookies:
- seen_cookie_message (flags if banner was already
shown)
- _gid (Google Analytics cookie)
- _ga (Google Analytics cookie)
These were set by default before so potentially
still around for some users.
The code for this now exists as a static method on
the cookieMessage module and is called when the JS
loads for the first time.
Copies HTML and Sass from GOV.UK Publishing
components cookie-banner with changes to content
and functionality to better suit Notify.
Changes are:
- adds a 'reject' button which the GOV.UK
code doesn't have
- adds Sass from the GOV.UK Frontend button
component which the GOV.UK version used so
is included here
- removed click tracking from cookie banner
Jobs have a `scheduled_for` field. Single letter uploads don’t.
At the moment we treat both of them as `Job`s. So the `Job` model needs
to account for when the `scheduled_for` field is missing.
The property doesn’t represent the whole client, but just one method on
it. So this commit renames the property to better describe what it is
designed to store.