Download as
Browse Code »

Commit 95f84d2d7aadcd71f8b0b234e196e784eda713c3

Authored by Evandro Junior
2 parents c074e362 ef5a4c0a
Exists in theme-brasil-digital-from-staging and in 9 other branches angular_poc, api-article-archived, backup-7-jan-2016, captcha_serpro_plugin, login-captcha, production, resend_confirmation_email, staging, staging_rails3

Merge branch 'api' of https://gitlab.com/participa/noosfero into api

Showing 3 changed files with 36 additions and 27 deletions   Show diff stats
lib/noosfero/api/helpers.rb
  Diff comments   View file @95f84d2
@@ -4,6 +4,8 @@ @@ -4,6 +4,8 @@
4 PRIVATE_TOKEN_PARAM = :private_token 4 PRIVATE_TOKEN_PARAM = :private_token
5 ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type] 5 ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
6 6
  7 + include SanitizeParams
  8 +
7 def current_user 9 def current_user
8 private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s 10 private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
9 @current_user ||= User.find_by_private_token(private_token) 11 @current_user ||= User.find_by_private_token(private_token)
lib/sanitize_params.rb
  Diff comments   View file @95f84d2
@@ -2,33 +2,40 @@ module SanitizeParams @@ -2,33 +2,40 @@ module SanitizeParams
2 2
3 protected 3 protected
4 4
5 - # Check each request parameter for  
6 - # improper HTML or Script tags  
7 - def sanitize_params  
8 - request.params.each { |k, v|  
9 - if v.is_a?(String)  
10 - params[k] = sanitize_param v  
11 - elsif v.is_a?(Array)  
12 - params[k] = sanitize_array v  
13 - end  
14 - }  
15 - end 5 + # Check each request parameter for
  6 + # improper HTML or Script tags
  7 + def sanitize_params
  8 + sanitize_params_hash(request.params)
  9 + end
16 10
17 - # If the parameter was an array,  
18 - # try to sanitize each element in the array  
19 - def sanitize_array(array)  
20 - array.map! { |e|  
21 - if e.is_a?(String)  
22 - sanitize_param e  
23 - end  
24 - }  
25 - return array  
26 - end 11 + # Given a params list sanitize all
  12 + def sanitize_params_hash(params)
  13 + params.each { |k, v|
  14 + if v.is_a?(String)
  15 + params[k] = sanitize_param v
  16 + elsif v.is_a?(Array)
  17 + params[k] = sanitize_array v
  18 + elsif v.kind_of?(Hash)
  19 + params[k] = sanitize_params_hash(v)
  20 + end
  21 + }
  22 + end
27 23
28 - # Santitize a single value  
29 - def sanitize_param(value)  
30 - allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)  
31 - ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))  
32 - end 24 + # If the parameter was an array,
  25 + # try to sanitize each element in the array
  26 + def sanitize_array(array)
  27 + array.map! { |e|
  28 + if e.is_a?(String)
  29 + sanitize_param e
  30 + end
  31 + }
  32 + return array
  33 + end
  34 +
  35 + # Santitize a single value
  36 + def sanitize_param(value)
  37 + allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
  38 + ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
  39 + end
33 40
34 end 41 end
test/fixtures/article_followers.yml
  Diff comments   View file @95f84d2
@@ -6,6 +6,6 @@ one: @@ -6,6 +6,6 @@ one:
6 since: 2015-06-16 17:02:01 6 since: 2015-06-16 17:02:01
7 7
8 two: 8 two:
9 - person_id: 1 9 + person_id: 2
10 article_id: 1 10 article_id: 1
11 since: 2015-06-16 17:02:01 11 since: 2015-06-16 17:02:01