Commit 95f84d2d7aadcd71f8b0b234e196e784eda713c3

Authored by Evandro Junior
2 parents c074e362 ef5a4c0a

Merge branch 'api' of https://gitlab.com/participa/noosfero into api

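--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -4,6 +4,8 @@
 PRIVATE_TOKEN_PARAM = :private_token
 ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
 
+include SanitizeParams
+
 def current_user
 private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
 @current_user ||= User.find_by_private_token(private_token)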
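Review bot: Including SanitizeParams makes `sanitize_params` available to the API helpers, but nothing in this hunk calls it, and the method only has an effect when it runs before an endpoint reads its parameters; unless the other parent of this merge wires it into a before-hook, the include alone sanitizes nothing. A comment next to the include would let the next reader confirm the wiring, e.g. `# sanitize_params must be invoked from the API before-hook for this include to take effect`. Note also that SanitizeParams (see the lib/sanitize_params.rb hunk) now writes sanitized values back into `request.params`; whether that is the same object as the `params` read on the `current_user` line depends on the framework and is worth verifying rather than assuming.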
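--- a/lib/sanitize_params.rb
+++ b/lib/sanitize_params.rb
@@ -2,33 +2,40 @@ module SanitizeParams
 
 protected
 
-# Check each request parameter for
-# improper HTML or Script tags
-def sanitize_params
-request.params.each { |k, v|
-if v.is_a?(String)
-params[k] = sanitize_param v
-elsif v.is_a?(Array)
-params[k] = sanitize_array v
-end
-}
-end
+# Check each request parameter for
+# improper HTML or Script tags
+def sanitize_params
+sanitize_params_hash(request.params)
+end
 
-# If the parameter was an array,
-# try to sanitize each element in the array
-def sanitize_array(array)
-array.map! { |e|
-if e.is_a?(String)
-sanitize_param e
-end
-}
-return array
-end
+# Given a params list sanitize all
+def sanitize_params_hash(params)
+params.each { |k, v|
+if v.is_a?(String)
+params[k] = sanitize_param v
+elsif v.is_a?(Array)
+params[k] = sanitize_array v
+elsif v.kind_of?(Hash)
+params[k] = sanitize_params_hash(v)
+end
+}
+end
 
-# Santitize a single value
-def sanitize_param(value)
-allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
-ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
-end
+# If the parameter was an array,
+# try to sanitize each element in the array
+def sanitize_array(array)
+array.map! { |e|
+if e.is_a?(String)
+sanitize_param e
+end
+}
+return array
+end
+
+# Santitize a single value
+def sanitize_param(value)
+allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
+ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
+end
 
 end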
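Review bot: `sanitize_array` (new lines 26–33) replaces every non-String element with nil, because the `map!` block only produces a value in the `is_a?(String)` branch; an array of hashes (nested params such as a constructed `items[][title]`) is therefore neither sanitized nor preserved, while the new `sanitize_params_hash` does recurse into Hash values, so the two paths disagree. The rewrite below sanitizes strings, recurses into hashes, and passes any other element through unchanged. Separately, the removed `sanitize_params` wrote results into `params[k]` while iterating `request.params`, whereas the new version writes into the hash it is given (`request.params` itself); if the framework's `params` is a separate copy of `request.params`, the sanitized values never reach the action, which a test reading `params` after the hook would settle. The module header `module SanitizeParams` is outside the hunk; within it, the method parameter named `params` shadows the controller's `params` method, and `v.kind_of?(Hash)` beside `v.is_a?` is inconsistent — `is_a?` throughout reads better.
```ruby
# If the parameter was an array, sanitize each element:
# strings are sanitized, hashes are recursed into, anything else is kept as-is
def sanitize_array(array)
  array.map! { |e|
    if e.is_a?(String)
      sanitize_param e
    elsif e.is_a?(Hash)
      sanitize_params_hash(e)
    else
      e
    end
  }
end
```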
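--- a/test/fixtures/article_followers.yml
+++ b/test/fixtures/article_followers.yml
@@ -6,6 +6,6 @@ one:
 since: 2015-06-16 17:02:01
 
 two:
-person_id: 1
+person_id: 2
 article_id: 1
 since: 2015-06-16 17:02:01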