Commit 1821a739dbe153faf74cc802ba17b8f8f067cd5c
1 parent
ac95e9a2
ActionItem192: filtering html from enterprise registration fields and add assert…
…_sanitized to test_helper git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1695 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
9 changed files
with
97 additions
and
13 deletions
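--- a/app/controllers/my_profile/memberships_controller.rb
+++ b/app/controllers/my_profile/memberships_controller.rb
@@ -24,4 +24,15 @@ class MembershipsController < MyProfileController
     end
   end
 
+  private
+
+  require 'erb'
+  include ERB::Util
+  def sanitize
+    if params[:community]
+      params[:community][:name] = html_escape(params[:community][:name]) if params[:community][:name]
+      params[:community][:description] = html_escape(params[:community][:description]) if params[:community][:description]
+    end
+  end
+
 end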
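Review bot: `sanitize` escapes the values before they reach the model, so whatever lands in `name` and `description` is stored entity-encoded; any view that renders them through `h()` will double-encode them on screen, while a view that renders them raw stays only as safe as this one filter, which other write paths (console, other controllers, the model) do not go through. Output-encoding at render time is the usual fix; if storing the escaped form is a deliberate project convention, the method should say so: `# Escapes community name/description at input; values are stored HTML-encoded, so views must NOT escape them again.` Nothing in this hunk registers the method as a filter (`before_filter :sanitize`), so the call site is presumably elsewhere in the class, whose body starts above the hunk. Depending on the Ruby version in use, `ERB::Util.html_escape` may leave the single quote untouched, in which case the stored values are still not safe inside single-quoted HTML attributes.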
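--- a/app/controllers/public/enterprise_registration_controller.rb
+++ b/app/controllers/public/enterprise_registration_controller.rb
@@ -51,4 +51,16 @@ class EnterpriseRegistrationController < ApplicationController
     @create_enterprise.save!
   end
 
+  private
+
+  require 'erb'
+  include ERB::Util
+  def sanitize
+    if params[:create_enterprise]
+      %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].each{ |i|
+        params[:create_enterprise][i] = html_escape(params[:create_enterprise][i]) if params[:create_enterprise][i]
+      }
+    end
+  end
+
 end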
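Review bot: The field list in `sanitize` is a hand-maintained allowlist, and any attribute posted under `create_enterprise` that is not named in it — `identifier`, which the new tests post, is one — reaches `@create_enterprise.save!` on line 51 unescaped; whether the model constrains those attributes itself is not visible here. Hoisting the list into a named constant, `ESCAPED_FIELDS = %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information]`, and iterating `ESCAPED_FIELDS.each { |field| ... }` makes the omission reviewable, and `foundation_year` is better served by a numeric validation on the model than by HTML-escaping a year. The same helper now exists in MembershipsController with a different field list; a shared method on ApplicationController taking the param key and field list would remove the duplication. As in that controller, escaping at input stores the entity-encoded form, so views that render it through `h()` will double-encode.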
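--- a/test/functional/consumed_products_controller_test.rb
+++ b/test/functional/consumed_products_controller_test.rb
@@ -44,7 +44,7 @@ class ConsumedProductsControllerTest < Test::Unit::TestCase
     product_category = ProductCategory.create!(:name => 'Food', :environment => Environment.default)
     post :new, :profile => profile.identifier,
       :consumption => { :product_category_id => product_category.id, :aditional_specifications => 'extra <b>info</b>' }
-    assert_not_equal assigns(:consumption).aditional_specifications, 'extra <b>info</b>'
+    assert_sanitized assigns(:consumption).aditional_specifications
   end
 
   should 'destroy product' do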
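--- a/test/functional/enterprise_registration_controller_test.rb
+++ b/test/functional/enterprise_registration_controller_test.rb
@@ -86,4 +86,49 @@ all_fixtures
     assert_template 'confirmation'
   end
 
+  should 'filter html from name' do
+    post :index, :create_enterprise => { 'name' => '<b>name</b>', 'identifier' => 'mynew' }
+    assert_sanitized assigns(:create_enterprise).name
+  end
+
+  should 'filter html from address' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :address => '<b>address</b>' }
+    assert_sanitized assigns(:create_enterprise).address
+  end
+
+  should 'filter html from contact_phone' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_phone => '<b>contact_phone</b>' }
+    assert_sanitized assigns(:create_enterprise).contact_phone
+  end
+
+  should 'filter html from contact_person' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_person => '<b>contact_person</b>' }
+    assert_sanitized assigns(:create_enterprise).contact_person
+  end
+
+  should 'filter html from acronym' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :acronym => '<b>acronym</b>' }
+    assert_sanitized assigns(:create_enterprise).acronym
+  end
+
+  should 'filter html from foundation_year' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :foundation_year => '<b>foundation_year</b>' }
+    assert_sanitized assigns(:create_enterprise).foundation_year
+  end
+
+  should 'filter html from legal_form' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :legal_form => '<b>legal_form</b>' }
+    assert_sanitized assigns(:create_enterprise).legal_form
+  end
+
+  should 'filter html from economic_activity' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :economic_activity => '<b>economic_activity</b>' }
+    assert_sanitized assigns(:create_enterprise).economic_activity
+  end
+
+  should 'filter html from management_information' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :management_information => '<b>management_information</b>' }
+    assert_sanitized assigns(:create_enterprise).management_information
+  end
+
 end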
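Review bot: Each of the nine new tests only asserts that the attribute contains no complete tag; none pins the expected escaped form, so a filter that blanked the field, or one that stripped `<b>` but left `&`, `"` or an unterminated `<script` in place, would pass every one of them. At least one test should assert the exact value, `assert_equal '&lt;b&gt;name&lt;/b&gt;', assigns(:create_enterprise).name`, so that the escaping itself is what is tested. `identifier` is posted in every test but is absent from the controller's escaped-field list and has no test at all; if it is meant to be constrained by a model format validation instead, a test saying so would document that. The nine near-identical bodies could also collapse into one loop over the field list, which keeps the test and the controller's allowlist in a single place.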
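--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -124,16 +124,14 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
     info = ValidationInfo.new(:validation_methodology => 'none')
     @org.expects(:validation_info).returns(info)
     post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new <b>methodology</b>'}
-
-    assert_not_equal assigns(:info).validation_methodology, 'new <b>methodology</b>'
+    assert_sanitized assigns(:info).validation_methodology
   end
 
   should 'filter html from restriction of the validation info' do
     info = ValidationInfo.new(:validation_methodology => 'none')
     @org.expects(:validation_info).returns(info)
     post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new <b>methodology</b>'}
-
-    assert_not_equal assigns(:info).restrictions, 'new <b>methodology</b>'
+    assert_sanitized assigns(:info).restrictions
   end
 
 end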
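--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
@@ -172,13 +172,13 @@ class ManageProductsControllerTest < Test::Unit::TestCase
   should 'filter html from name of product' do
     category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
     post 'new', :profile => @enterprise.identifier, :product => { :name => "<b id='html_name'>name bold</b>", :product_category_id => category.id }
-    assert_not_equal assigns(:product).name, "<b id='html_name'>name bold</b>"
+    assert_sanitized assigns(:product).name
   end
 
   should 'filter html from description of product' do
     category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
     post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "<b id='html_descr'>descr bold</b>", :product_category_id => category.id }
-    assert_not_equal assigns(:product).description, "<b id='html_descr'>descr bold</b>"
+    assert_sanitized assigns(:product).description
   end
 
 end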
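--- a/test/functional/memberships_controller_test.rb
+++ b/test/functional/memberships_controller_test.rb
@@ -5,6 +5,7 @@ require 'memberships_controller'
 class MembershipsController; def rescue_action(e) raise e end; end
 
 class MembershipsControllerTest < Test::Unit::TestCase
+
   def setup
     @controller = MembershipsController.new
     @request = ActionController::TestRequest.new
@@ -61,4 +62,16 @@ class MembershipsControllerTest < Test::Unit::TestCase
     assert_tag :tag => 'a', :attributes => { :href => "/myprofile/#{profile.identifier}/memberships/new_community" }
   end
 
+  should 'filter html from name' do
+    login_as(profile.identifier)
+    post :new_community, :profile => profile.identifier, :community => { :name => '<b>new</b> community' }
+    assert_sanitized assigns(:community).name
+  end
+
+  should 'filter html from description' do
+    login_as(profile.identifier)
+    post :new_community, :profile => profile.identifier, :community => { :name => 'new community', :description => '<b>new</b> community' }
+    assert_sanitized assigns(:community).description
+  end
+
 end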
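--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
@@ -96,42 +96,42 @@ class ProfileEditorControllerTest < Test::Unit::TestCase
     person = create_user('test_profile').person
     name = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => person.identifier, :info => { :name => name }
-    assert_not_equal name, assigns(:profile).info.name
+    assert_sanitized assigns(:profile).info.name
   end
 
   should 'filter html from contact_person to organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     contact = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :contact_person => contact }
-    assert_not_equal contact, assigns(:profile).info.contact_person
+    assert_sanitized assigns(:profile).info.contact_person
   end
 
   should 'filter html from acronym organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :acronym => value }
-    assert_not_equal value, assigns(:profile).info.acronym
+    assert_sanitized assigns(:profile).info.acronym
   end
 
   should 'filter html from legal_form organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :legal_form => value }
-    assert_not_equal value, assigns(:profile).info.legal_form
+    assert_sanitized assigns(:profile).info.legal_form
   end
 
   should 'filter html from economic_activity organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :economic_activity => value }
-    assert_not_equal value, assigns(:profile).info.economic_activity
+    assert_sanitized assigns(:profile).info.economic_activity
   end
 
   should 'filter html from management_information organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :management_information => value }
-    assert_not_equal value, assigns(:profile).info.management_information
+    assert_sanitized assigns(:profile).info.management_information
   end
 
 end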
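--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -135,6 +135,11 @@ class Test::Unit::TestCase
     assert_equal parent, child.superclass, "Class #{child} expected to be a subclass of #{parent}"
   end
 
+  # this check only if string has html tag
+  def assert_sanitized(string)
+    assert_no_match /<[^>]+\/?>/, string, "String #{string} expected to be sanitized"
+  end
+
   private
 
   def uses_host(name)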
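Review bot: `assert_sanitized` passes vacuously when `string` is nil, because `assert_no_match` only checks that the pattern fails to match and a regexp never matches nil; a controller that dropped the attribute entirely, or an `assigns` that was never set, therefore satisfies every caller this commit converts from `assert_not_equal`. The pattern `/<[^>]+\/?>/` also requires a closing `>`, so an unterminated `<script` or a bare `<` survives it, and the `\/?` is redundant since `[^>]+` already consumes a slash. Add `assert_not_nil string, "expected a sanitized string, got nil"` before the match and, assuming no caller expects harmless tags to survive (every caller in this commit posts `<b>`, which the current pattern rejects too), tighten it to `assert_no_match /[<>]/, string, "String #{string} expected to be sanitized"`. The leading comment would read better as `# Asserts that +string+ holds no raw HTML markup.`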