From ef5a4c0a3f822f7d9e57c0d21bd1e672ba518a29 Mon Sep 17 00:00:00 2001
From: Carlos Purificacao
Date: Mon, 6 Jul 2015 17:00:53 -0300
Subject: [PATCH] Added sanitize to api/proposal

---
 lib/noosfero/api/helpers.rb | 2 ++
 lib/sanitize_params.rb | 62 ++++++++++++++++++++++++++++++++------------------------------
 2 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/lib/noosfero/api/helpers.rb b/lib/noosfero/api/helpers.rb
index f741bda..a440ec0 100644
--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -4,6 +4,8 @@
   PRIVATE_TOKEN_PARAM = :private_token
   ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type]
 
+  include SanitizeParams
+
   def current_user
     private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s
     @current_user ||= User.find_by_private_token(private_token)
diff --git a/lib/sanitize_params.rb b/lib/sanitize_params.rb
index 3e5f4da..676bc6a 100644
--- a/lib/sanitize_params.rb
+++ b/lib/sanitize_params.rb
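Review bot: `include SanitizeParams` only makes the helper methods available; nothing in this hunk, and no other file in this two-file patch, calls `sanitize_params`, so as far as the diff shows no API parameter is sanitized yet despite the subject line. The module's methods are declared `protected`, which is fine when an endpoint calls `sanitize_params` on itself but rules out invoking it through the helpers object from outside. `sanitize_params` also rewrites `request.params` in place; if the endpoint's `params` is built as a separate copy of that hash, the sanitized values may never reach it, which is worth a test before relying on it. A comment next to the include such as `# sanitize_params must be called explicitly (e.g. in a before block) to take effect` would make the intended call site clear.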
@@ -2,38 +2,40 @@
 module SanitizeParams
 
   protected
 
-  # Check each request parameter for
-  # improper HTML or Script tags
-  def sanitize_params
-    sanitize_params_array(request.params)
-  end
+  # Check each request parameter for
+  # improper HTML or Script tags
+  def sanitize_params
+    sanitize_params_hash(request.params)
+  end
 
-  # Given a params list sanitize all
-  def sanitize_params_array(params)
-    params.each { |k, v|
-      if v.is_a?(String)
-        params[k] = sanitize_param v
-      elsif v.is_a?(Array)
-        params[k] = sanitize_array v
-      end
-    }
-  end
+  # Given a params list sanitize all
+  def sanitize_params_hash(params)
+    params.each { |k, v|
+      if v.is_a?(String)
+        params[k] = sanitize_param v
+      elsif v.is_a?(Array)
+        params[k] = sanitize_array v
+      elsif v.kind_of?(Hash)
+        params[k] = sanitize_params_hash(v)
+      end
+    }
+  end
 
-  # If the parameter was an array,
-  # try to sanitize each element in the array
-  def sanitize_array(array)
-    array.map! { |e|
-      if e.is_a?(String)
-        sanitize_param e
-      end
-    }
-    return array
-  end
+  # If the parameter was an array,
+  # try to sanitize each element in the array
+  def sanitize_array(array)
+    array.map! { |e|
+      if e.is_a?(String)
+        sanitize_param e
+      end
+    }
+    return array
+  end
 
-  # Santitize a single value
-  def sanitize_param(value)
-    allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
-    ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
-  end
+  # Santitize a single value
+  def sanitize_param(value)
+    allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
+    ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title))
+  end
 end
-- 
libgit2 0.21.2
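Review bot: `sanitize_array` still replaces every non-String element with nil, because its `if e.is_a?(String)` has no else branch; now that `sanitize_params_hash` recurses into Hash values, an array of hashes (the usual shape of repeated nested params) is silently turned into an array of nils instead of being sanitized, and numeric or boolean elements are dropped the same way. The array branch should recurse into Hash and Array elements and pass everything else through unchanged, as in the rewrite below. The new Hash branch uses `kind_of?` while the surrounding branches use `is_a?`; they are aliases, so picking one keeps the method consistent. Since almost every line of the hunk is re-indented, the two behavioural changes (the rename to `sanitize_params_hash` and the Hash branch) are hard to spot in review; a whitespace-only commit followed by the functional change would have been easier to audit.
```ruby
  # If the parameter was an array, sanitize each element; nested
  # hashes and arrays are recursed into, other values are kept as-is.
  def sanitize_array(array)
    array.map! { |e|
      if e.is_a?(String)
        sanitize_param e
      elsif e.is_a?(Hash)
        sanitize_params_hash(e)
      elsif e.is_a?(Array)
        sanitize_array(e)
      else
        e
      end
    }
  end
  # … unchanged: sanitize_params, sanitize_params_hash, sanitize_param …
```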