diff --git a/lib/proposals_discussion_plugin/api.rb b/lib/proposals_discussion_plugin/api.rb
index da8257d..a61d346 100644
--- a/lib/proposals_discussion_plugin/api.rb
+++ b/lib/proposals_discussion_plugin/api.rb
@@ -1,5 +1,6 @@
class ProposalsDiscussionPlugin::API < Grape::API
+
resource :proposals_discussion_plugin do
paginate per_page: 10, max_per_page: 20
@@ -23,6 +24,8 @@ class ProposalsDiscussionPlugin::API < Grape::API
end
post ':id/propose' do
+ sanitize_params_hash(params)
+
parent_article = environment.articles.find(params[:id])
proposal_task = ProposalsDiscussionPlugin::ProposalTask.new
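Review bot: The return value of `sanitize_params_hash(params)` on the first added line is discarded, and the helper is not defined in this diff, so if it returns a sanitized copy rather than mutating `params` in place the `params[:article]` attributes read further down still carry the raw input. Confirm the helper's contract, or capture its result in a local that the rest of the handler reads from so the intent does not depend on an in-place side effect. A one-line why-comment above the call would help the next reader, e.g. `# strip user-supplied markup from every param before it reaches the proposal article`. The `post ':id/propose'` block starts in this hunk but its body continues past it.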
@@ -37,7 +40,5 @@ class ProposalsDiscussionPlugin::API < Grape::API
{:success => true}
#present proposal_task, :with => Entities::Task, :fields => params[:fields]
end
-
end
-
end
diff --git a/test/unit/api_test.rb b/test/unit/api_test.rb
index e352fd3..9399eb6 100644
--- a/test/unit/api_test.rb
+++ b/test/unit/api_test.rb
@@ -45,4 +45,22 @@ class APITest < ActiveSupport::TestCase
assert json['success']
end
+ should 'sanitize proposal' do
+ discussion = fast_create(ProposalsDiscussionPlugin::Discussion, :profile_id => user.person.id)
+ topic = fast_create(ProposalsDiscussionPlugin::Topic,
+ :profile_id => user.person.id,
+ :parent_id => discussion.id)
+ params[:article] = {:name => "Proposal name", :abstract => "Proposal abstract",
+ :type => 'ProposalsDiscussionPlugin::Proposal',
+ :body => "This is a malicious body
SearchParam"}
+ assert_difference "ProposalsDiscussionPlugin::ProposalTask.count" do
+ post "/api/v1/proposals_discussion_plugin/#{topic.id}/propose?#{params.to_query}"
+ end
+ json = JSON.parse(last_response.body)
+ assert json['success']
+ task = Task.last
+ assert_equal "Proposal Test abstract", task.abstract
+ assert_equal "This is a malicious body SearchParam", task.article.body
+ end
+
end
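Review bot: `assert_equal "Proposal Test abstract", task.abstract` expects a value the request never sends — the params set `:abstract => "Proposal abstract"` — so unless something outside this diff rewrites the abstract the assertion fails on its own; the expected string should be `"Proposal abstract"`. The body fixture also contains no markup, only a literal line break between `body` and `SearchParam`, so the test does not demonstrate that `sanitize_params_hash` removes anything, and the expected `"This is a malicious body SearchParam"` with a space relies on the newline being collapsed somewhere that is not shown here. A body containing an HTML tag, with the assertion checking that the tag is absent from `task.article.body`, would actually exercise the sanitizer. The `should 'sanitize proposal'` block is complete within the hunk.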
--
libgit2 0.21.2