Commit 1821a739dbe153faf74cc802ba17b8f8f067cd5c
1 parent
ac95e9a2
ActionItem192: filtering html from enterprise registration fields and add assert_sanitized to test_helper

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1695 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
9 changed files
with
97 additions
and
13 deletions
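--- a/app/controllers/my_profile/memberships_controller.rb
+++ b/app/controllers/my_profile/memberships_controller.rb
@@ -24,4 +24,15 @@ class MembershipsController < MyProfileController
 end
 end
 
+private
+
+require 'erb'
+include ERB::Util
+def sanitize
+if params[:community]
+params[:community][:name] = html_escape(params[:community][:name]) if params[:community][:name]
+params[:community][:description] = html_escape(params[:community][:description]) if params[:community][:description]
+end
+end
+
 end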
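Review bot: The new `sanitize` method HTML-escapes `params[:community][:name]` and `[:description]` before they reach the model, so what gets persisted is `&lt;b&gt;…` rather than the user's text; any view that later renders these fields through `h()`/ERB escaping will show double-escaped entities, and any view that renders them raw now silently depends on this filter having run. Output-time escaping in the views, or a model-level filter, is the more robust place for this; if input-time escaping is kept, record the invariant next to the method, e.g. `# NOTE: name/description are stored HTML-escaped; views must render them raw (no h())`. Nothing in this hunk registers the method as a filter (a `before_filter :sanitize` would sit above line 24, outside the hunk), so confirm it is actually invoked for `new_community`. The `require 'erb'` / `include ERB::Util` / `sanitize` boilerplate is duplicated verbatim in enterprise_registration_controller.rb in this same commit; a shared helper on ApplicationController taking the params key and a field list would remove the copy.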
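--- a/app/controllers/public/enterprise_registration_controller.rb
+++ b/app/controllers/public/enterprise_registration_controller.rb
@@ -51,4 +51,16 @@ class EnterpriseRegistrationController < ApplicationController
 @create_enterprise.save!
 end
 
+private
+
+require 'erb'
+include ERB::Util
+def sanitize
+if params[:create_enterprise]
+%w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].each{ |i|
+params[:create_enterprise][i] = html_escape(params[:create_enterprise][i]) if params[:create_enterprise][i]
+}
+end
+end
+
 end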
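Review bot: `foundation_year` is escaped as free text in the `%w[...]` allowlist on line 60 while `identifier`, the one other field every new test posts, is not escaped at all; a year should be coerced and validated as an integer rather than HTML-escaped, and whether `identifier` is safe depends on a format validation in the model that this hunk does not show — verify it. Depending on the Ruby/Rails version in use, `ERB::Util#html_escape` may escape only `&`, `<`, `>` and `"` and leave the single quote alone, so a value dropped into a single-quoted attribute in a view could still break out; check the templates that render these fields. As in memberships_controller.rb, the escaping happens at input time and the escaped form is what `@create_enterprise.save!` on line 51 persists, so views must not re-escape; consider doing this in the model or at output instead. The `before_filter` that wires `sanitize` into the registration action is not in this hunk, so make sure it is declared, otherwise the new functional tests rely on it being added elsewhere.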
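--- a/test/functional/consumed_products_controller_test.rb
+++ b/test/functional/consumed_products_controller_test.rb
@@ -44,7 +44,7 @@ class ConsumedProductsControllerTest < Test::Unit::TestCase
 product_category = ProductCategory.create!(:name => 'Food', :environment => Environment.default)
 post :new, :profile => profile.identifier,
 :consumption => { :product_category_id => product_category.id, :aditional_specifications => 'extra <b>info</b>' }
-assert_not_equal assigns(:consumption).aditional_specifications, 'extra <b>info</b>'
+assert_sanitized assigns(:consumption).aditional_specifications
 end
 
 should 'destroy product' do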
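--- a/test/functional/enterprise_registration_controller_test.rb
+++ b/test/functional/enterprise_registration_controller_test.rb
@@ -86,4 +86,49 @@ all_fixtures
 assert_template 'confirmation'
 end
 
+should 'filter html from name' do
+post :index, :create_enterprise => { 'name' => '<b>name</b>', 'identifier' => 'mynew' }
+assert_sanitized assigns(:create_enterprise).name
+end
+
+should 'filter html from address' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :address => '<b>address</b>' }
+assert_sanitized assigns(:create_enterprise).address
+end
+
+should 'filter html from contact_phone' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_phone => '<b>contact_phone</b>' }
+assert_sanitized assigns(:create_enterprise).contact_phone
+end
+
+should 'filter html from contact_person' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_person => '<b>contact_person</b>' }
+assert_sanitized assigns(:create_enterprise).contact_person
+end
+
+should 'filter html from acronym' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :acronym => '<b>acronym</b>' }
+assert_sanitized assigns(:create_enterprise).acronym
+end
+
+should 'filter html from foundation_year' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :foundation_year => '<b>foundation_year</b>' }
+assert_sanitized assigns(:create_enterprise).foundation_year
+end
+
+should 'filter html from legal_form' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :legal_form => '<b>legal_form</b>' }
+assert_sanitized assigns(:create_enterprise).legal_form
+end
+
+should 'filter html from economic_activity' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :economic_activity => '<b>economic_activity</b>' }
+assert_sanitized assigns(:create_enterprise).economic_activity
+end
+
+should 'filter html from management_information' do
+post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :management_information => '<b>management_information</b>' }
+assert_sanitized assigns(:create_enterprise).management_information
+end
+
 end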
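Review bot: Each of the nine new tests asserts only that the assigned value contains no `<…>` tag, which also holds for `nil` and for a non-string attribute; `foundation_year` on line 115 is likely a numeric column, in which case the escaped string is coerced and the assertion passes without exercising the filter at all — confirm the column type. Pin the expected value in at least the `name` test so a regression that drops or blanks the field is caught: `assert_equal '&lt;b&gt;name&lt;/b&gt;', assigns(:create_enterprise).name`. The nine tests differ only in the field name; generating one `should` block per entry of a `%w[address contact_phone …]` list would keep them in sync with the allowlist in the controller's `sanitize`.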
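--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -124,16 +124,14 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
 info = ValidationInfo.new(:validation_methodology => 'none')
 @org.expects(:validation_info).returns(info)
 post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new <b>methodology</b>'}
-
-assert_not_equal assigns(:info).validation_methodology, 'new <b>methodology</b>'
+assert_sanitized assigns(:info).validation_methodology
 end
 
 should 'filter html from restriction of the validation info' do
 info = ValidationInfo.new(:validation_methodology => 'none')
 @org.expects(:validation_info).returns(info)
 post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new <b>methodology</b>'}
-
-assert_not_equal assigns(:info).restrictions, 'new <b>methodology</b>'
+assert_sanitized assigns(:info).restrictions
 end
 
 end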
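--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
@@ -172,13 +172,13 @@ class ManageProductsControllerTest < Test::Unit::TestCase
 should 'filter html from name of product' do
 category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
 post 'new', :profile => @enterprise.identifier, :product => { :name => "<b id='html_name'>name bold</b>", :product_category_id => category.id }
-assert_not_equal assigns(:product).name, "<b id='html_name'>name bold</b>"
+assert_sanitized assigns(:product).name
 end
 
 should 'filter html from description of product' do
 category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
 post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "<b id='html_descr'>descr bold</b>", :product_category_id => category.id }
-assert_not_equal assigns(:product).description, "<b id='html_descr'>descr bold</b>"
+assert_sanitized assigns(:product).description
 end
 
 end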
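--- a/test/functional/memberships_controller_test.rb
+++ b/test/functional/memberships_controller_test.rb
@@ -5,6 +5,7 @@ require 'memberships_controller'
 class MembershipsController; def rescue_action(e) raise e end; end
 
 class MembershipsControllerTest < Test::Unit::TestCase
+
 def setup
 @controller = MembershipsController.new
 @request = ActionController::TestRequest.new
@@ -61,4 +62,16 @@ class MembershipsControllerTest < Test::Unit::TestCase
 assert_tag :tag => 'a', :attributes => { :href => "/myprofile/#{profile.identifier}/memberships/new_community" }
 end
 
+should 'filter html from name' do
+login_as(profile.identifier)
+post :new_community, :profile => profile.identifier, :community => { :name => '<b>new</b> community' }
+assert_sanitized assigns(:community).name
+end
+
+should 'filter html from description' do
+login_as(profile.identifier)
+post :new_community, :profile => profile.identifier, :community => { :name => 'new community', :description => '<b>new</b> community' }
+assert_sanitized assigns(:community).description
+end
+
 end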
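--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
@@ -96,42 +96,42 @@ class ProfileEditorControllerTest < Test::Unit::TestCase
 person = create_user('test_profile').person
 name = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => person.identifier, :info => { :name => name }
-assert_not_equal name, assigns(:profile).info.name
+assert_sanitized assigns(:profile).info.name
 end
 
 should 'filter html from contact_person to organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 contact = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :contact_person => contact }
-assert_not_equal contact, assigns(:profile).info.contact_person
+assert_sanitized assigns(:profile).info.contact_person
 end
 
 should 'filter html from acronym organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :acronym => value }
-assert_not_equal value, assigns(:profile).info.acronym
+assert_sanitized assigns(:profile).info.acronym
 end
 
 should 'filter html from legal_form organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :legal_form => value }
-assert_not_equal value, assigns(:profile).info.legal_form
+assert_sanitized assigns(:profile).info.legal_form
 end
 
 should 'filter html from economic_activity organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :economic_activity => value }
-assert_not_equal value, assigns(:profile).info.economic_activity
+assert_sanitized assigns(:profile).info.economic_activity
 end
 
 should 'filter html from management_information organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :management_information => value }
-assert_not_equal value, assigns(:profile).info.management_information
+assert_sanitized assigns(:profile).info.management_information
 end
 
 end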
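--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -135,6 +135,11 @@ class Test::Unit::TestCase
 assert_equal parent, child.superclass, "Class #{child} expected to be a subclass of #{parent}"
 end
 
+# this check only if string has html tag
+def assert_sanitized(string)
+assert_no_match /<[^>]+\/?>/, string, "String #{string} expected to be sanitized"
+end
+
 private
 
 def uses_host(name)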
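Review bot: `assert_no_match` on line 140 passes when `string` is `nil` (`Regexp#=~` returns nil for a nil operand, so `!~` is true), so a field that was dropped, blanked or never assigned satisfies `assert_sanitized` exactly as well as a properly escaped one — add `assert_not_nil string, 'expected a sanitized string, got nil'` as the first line of the helper. The regex also accepts both stripped and entity-escaped output, so this helper cannot detect the double-escaping that the input-time `html_escape` added to the controllers in this commit invites; callers that care about the exact form should `assert_equal` the expected escaped value instead. The comment on line 138 is ungrammatical; suggest `# Asserts that +string+ contains no HTML tag (escaped or stripped tags both pass)`.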