Commit bd12b0b05f853fbaa202f880a505e3178f04e663
Exists in
theme-brasil-digital-from-staging
and in
9 other branches
Merge branch 'master' into stable
Showing
4 changed files
with
18 additions
and
2 deletions
Show diff stats
app/models/event.rb
| @@ -19,7 +19,7 @@ class Event < Article | @@ -19,7 +19,7 @@ class Event < Article | ||
| 19 | maybe_add_http(self.setting[:link]) | 19 | maybe_add_http(self.setting[:link]) |
| 20 | end | 20 | end |
| 21 | 21 | ||
| 22 | - xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation' | 22 | + xss_terminate :only => [ :name, :body, :link, :address ], :with => 'white_list', :on => 'validation' |
| 23 | 23 | ||
| 24 | def initialize(*args) | 24 | def initialize(*args) |
| 25 | super(*args) | 25 | super(*args) |
app/models/folder.rb
| @@ -12,7 +12,7 @@ class Folder < Article | @@ -12,7 +12,7 @@ class Folder < Article | ||
| 12 | 12 | ||
| 13 | acts_as_having_settings :field => :setting | 13 | acts_as_having_settings :field => :setting |
| 14 | 14 | ||
| 15 | - xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation' | 15 | + xss_terminate :only => [ :name, :body ], :with => 'white_list', :on => 'validation' |
| 16 | 16 | ||
| 17 | include WhiteListFilter | 17 | include WhiteListFilter |
| 18 | filter_iframes :body | 18 | filter_iframes :body |
test/unit/event_test.rb
| @@ -155,6 +155,14 @@ class EventTest < ActiveSupport::TestCase | @@ -155,6 +155,14 @@ class EventTest < ActiveSupport::TestCase | ||
| 155 | assert_no_tag_in_string e.body, :tag => 'script' | 155 | assert_no_tag_in_string e.body, :tag => 'script' |
| 156 | end | 156 | end |
| 157 | 157 | ||
| 158 | + should 'filter HTML in name' do | ||
| 159 | + profile = create_user('testuser').person | ||
| 160 | + e = create(Event, :profile => profile, :name => '<p>a paragraph (valid)</p><script type="text/javascript">/* this is invalid */</script>"', :link => 'www.colivre.coop.br', :start_date => Date.today) | ||
| 161 | + | ||
| 162 | + assert_tag_in_string e.name, :tag => 'p', :content => 'a paragraph (valid)' | ||
| 163 | + assert_no_tag_in_string e.name, :tag => 'script' | ||
| 164 | + end | ||
| 165 | + | ||
| 158 | should 'nil to link' do | 166 | should 'nil to link' do |
| 159 | e = Event.new | 167 | e = Event.new |
| 160 | assert_nothing_raised TypeError do | 168 | assert_nothing_raised TypeError do |
test/unit/folder_test.rb
| @@ -100,6 +100,14 @@ class FolderTest < ActiveSupport::TestCase | @@ -100,6 +100,14 @@ class FolderTest < ActiveSupport::TestCase | ||
| 100 | assert_includes folder.images(true), community.articles.find_by_name('rails.png') | 100 | assert_includes folder.images(true), community.articles.find_by_name('rails.png') |
| 101 | end | 101 | end |
| 102 | 102 | ||
| 103 | + should 'not let pass javascript in the name' do | ||
| 104 | + folder = Folder.new | ||
| 105 | + folder.name = "<script> alert(Xss!); </script>" | ||
| 106 | + folder.valid? | ||
| 107 | + | ||
| 108 | + assert_no_match /(<script>)/, folder.name | ||
| 109 | + end | ||
| 110 | + | ||
| 103 | should 'not let pass javascript in the body' do | 111 | should 'not let pass javascript in the body' do |
| 104 | folder = Folder.new | 112 | folder = Folder.new |
| 105 | folder.body = "<script> alert(Xss!); </script>" | 113 | folder.body = "<script> alert(Xss!); </script>" |