Commit ef5a4c0a3f822f7d9e57c0d21bd1e672ba518a29
1 parent
1149736b
Exists in
theme-brasil-digital-from-staging
and in
9 other branches
Added sanitize to api/proposal
Showing
2 changed files
with
34 additions
and
30 deletions
Show diff stats
lib/noosfero/api/helpers.rb
| @@ -4,6 +4,8 @@ | @@ -4,6 +4,8 @@ | ||
| 4 | PRIVATE_TOKEN_PARAM = :private_token | 4 | PRIVATE_TOKEN_PARAM = :private_token |
| 5 | ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type] | 5 | ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type] |
| 6 | 6 | ||
| 7 | + include SanitizeParams | ||
| 8 | + | ||
| 7 | def current_user | 9 | def current_user |
| 8 | private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s | 10 | private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s |
| 9 | @current_user ||= User.find_by_private_token(private_token) | 11 | @current_user ||= User.find_by_private_token(private_token) |
lib/sanitize_params.rb
| @@ -2,38 +2,40 @@ module SanitizeParams | @@ -2,38 +2,40 @@ module SanitizeParams | ||
| 2 | 2 | ||
| 3 | protected | 3 | protected |
| 4 | 4 | ||
| 5 | - # Check each request parameter for | ||
| 6 | - # improper HTML or Script tags | ||
| 7 | - def sanitize_params | ||
| 8 | - sanitize_params_array(request.params) | ||
| 9 | - end | 5 | + # Check each request parameter for |
| 6 | + # improper HTML or Script tags | ||
| 7 | + def sanitize_params | ||
| 8 | + sanitize_params_hash(request.params) | ||
| 9 | + end | ||
| 10 | 10 | ||
| 11 | - # Given a params list sanitize all | ||
| 12 | - def sanitize_params_array(params) | ||
| 13 | - params.each { |k, v| | ||
| 14 | - if v.is_a?(String) | ||
| 15 | - params[k] = sanitize_param v | ||
| 16 | - elsif v.is_a?(Array) | ||
| 17 | - params[k] = sanitize_array v | ||
| 18 | - end | ||
| 19 | - } | ||
| 20 | - end | 11 | + # Given a params list sanitize all |
| 12 | + def sanitize_params_hash(params) | ||
| 13 | + params.each { |k, v| | ||
| 14 | + if v.is_a?(String) | ||
| 15 | + params[k] = sanitize_param v | ||
| 16 | + elsif v.is_a?(Array) | ||
| 17 | + params[k] = sanitize_array v | ||
| 18 | + elsif v.kind_of?(Hash) | ||
| 19 | + params[k] = sanitize_params_hash(v) | ||
| 20 | + end | ||
| 21 | + } | ||
| 22 | + end | ||
| 21 | 23 | ||
| 22 | - # If the parameter was an array, | ||
| 23 | - # try to sanitize each element in the array | ||
| 24 | - def sanitize_array(array) | ||
| 25 | - array.map! { |e| | ||
| 26 | - if e.is_a?(String) | ||
| 27 | - sanitize_param e | ||
| 28 | - end | ||
| 29 | - } | ||
| 30 | - return array | ||
| 31 | - end | 24 | + # If the parameter was an array, |
| 25 | + # try to sanitize each element in the array | ||
| 26 | + def sanitize_array(array) | ||
| 27 | + array.map! { |e| | ||
| 28 | + if e.is_a?(String) | ||
| 29 | + sanitize_param e | ||
| 30 | + end | ||
| 31 | + } | ||
| 32 | + return array | ||
| 33 | + end | ||
| 32 | 34 | ||
| 33 | - # Santitize a single value | ||
| 34 | - def sanitize_param(value) | ||
| 35 | - allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | ||
| 36 | - ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | ||
| 37 | - end | 35 | + # Santitize a single value |
| 36 | + def sanitize_param(value) | ||
| 37 | + allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | ||
| 38 | + ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | ||
| 39 | + end | ||
| 38 | 40 | ||
| 39 | end | 41 | end |