Commit ef5a4c0a3f822f7d9e57c0d21bd1e672ba518a29

Authored by Carlos Purificação
1 parent 1149736b

Added sanitize to api/proposal

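--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -4,6 +4,8 @@
 PRIVATE_TOKEN_PARAM = :private_token
 ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
 
+include SanitizeParams
+
 def current_user
 private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
 @current_user ||= User.find_by_private_token(private_token)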
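Review bot: The `include SanitizeParams` line only makes the helper available; nothing visible in this section calls `sanitize_params`, so the sanitization the commit title promises for api/proposal must be triggered by the endpoint itself, outside this diff. Note that `sanitize_params` rewrites `request.params` in place, and Grape's `params` hash is, as far as I can tell, built separately from the Rack request, so an endpoint reading `params` or `declared(params)` may never see the sanitized values — worth confirming with a test that posts `<script>alert(1)</script>` in a proposal field and checks what the endpoint actually stores. A short comment above the include, such as `# provides sanitize_params; endpoints must call it before reading params`, would make the intended contract explicit.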
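--- a/lib/sanitize_params.rb
+++ b/lib/sanitize_params.rb
@@ -2,38 +2,40 @@ module SanitizeParams
 
 protected
 
-# Check each request parameter for
-# improper HTML or Script tags
-def sanitize_params
-sanitize_params_array(request.params)
-end
+# Check each request parameter for
+# improper HTML or Script tags
+def sanitize_params
+sanitize_params_hash(request.params)
+end
 
-# Given a params list sanitize all
-def sanitize_params_array(params)
-params.each { |k, v|
-if v.is_a?(String)
-params[k] = sanitize_param v
-elsif v.is_a?(Array)
-params[k] = sanitize_array v
-end
-}
-end
+# Given a params list sanitize all
+def sanitize_params_hash(params)
+params.each { |k, v|
+if v.is_a?(String)
+params[k] = sanitize_param v
+elsif v.is_a?(Array)
+params[k] = sanitize_array v
+elsif v.kind_of?(Hash)
+params[k] = sanitize_params_hash(v)
+end
+}
+end
 
-# If the parameter was an array,
-# try to sanitize each element in the array
-def sanitize_array(array)
-array.map! { |e|
-if e.is_a?(String)
-sanitize_param e
-end
-}
-return array
-end
+# If the parameter was an array,
+# try to sanitize each element in the array
+def sanitize_array(array)
+array.map! { |e|
+if e.is_a?(String)
+sanitize_param e
+end
+}
+return array
+end
 
-# Santitize a single value
-def sanitize_param(value)
-allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
-ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
-end
+# Santitize a single value
+def sanitize_param(value)
+allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
+ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
+end
 
 end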
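Review bot: `sanitize_array` (new-side lines 26–33) still maps every non-String element to nil, because its `if` has no else branch, so an array of hashes — the usual JSON shape for an API payload — loses its elements entirely and any strings nested inside them never reach `sanitize_param`. The Hash branch added to `sanitize_params_hash` covers `params[:a][:b]` but not `params[:list][0][:b]`, which is the same untrusted input one level deeper. The array walk should recurse the same way for nested arrays and hashes and pass scalars such as numbers, booleans and nil through unchanged instead of dropping them. Separately, running an HTML sanitizer over every string parameter entity-encodes `&`, `<` and `>` even in fields that are never rendered as HTML (names, passwords, tokens), so a test with a value like `Tom & Jerry` should confirm that is intended.
```ruby
def sanitize_array(array)
  array.map! { |e|
    if e.is_a?(String)
      sanitize_param e
    elsif e.is_a?(Array)
      sanitize_array e
    elsif e.kind_of?(Hash)
      sanitize_params_hash e
    else
      e
    end
  }
  return array
end
```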