Commit 3ecd98a31bdb7af32f5c994f644d2c99e9edc9c8
1 parent
83da31b0
Exists in
master
and in
8 other branches
Added sanitize to api/proposal
Showing
2 changed files
with
21 additions
and
2 deletions
Show diff stats
lib/proposals_discussion_plugin/api.rb
| 1 | class ProposalsDiscussionPlugin::API < Grape::API | 1 | class ProposalsDiscussionPlugin::API < Grape::API |
| 2 | 2 | ||
| 3 | + | ||
| 3 | resource :proposals_discussion_plugin do | 4 | resource :proposals_discussion_plugin do |
| 4 | 5 | ||
| 5 | paginate per_page: 10, max_per_page: 20 | 6 | paginate per_page: 10, max_per_page: 20 |
| @@ -23,6 +24,8 @@ class ProposalsDiscussionPlugin::API < Grape::API | @@ -23,6 +24,8 @@ class ProposalsDiscussionPlugin::API < Grape::API | ||
| 23 | end | 24 | end |
| 24 | 25 | ||
| 25 | post ':id/propose' do | 26 | post ':id/propose' do |
| 27 | + sanitize_params_hash(params) | ||
| 28 | + | ||
| 26 | parent_article = environment.articles.find(params[:id]) | 29 | parent_article = environment.articles.find(params[:id]) |
| 27 | 30 | ||
| 28 | proposal_task = ProposalsDiscussionPlugin::ProposalTask.new | 31 | proposal_task = ProposalsDiscussionPlugin::ProposalTask.new |
| @@ -37,7 +40,5 @@ class ProposalsDiscussionPlugin::API < Grape::API | @@ -37,7 +40,5 @@ class ProposalsDiscussionPlugin::API < Grape::API | ||
| 37 | {:success => true} | 40 | {:success => true} |
| 38 | #present proposal_task, :with => Entities::Task, :fields => params[:fields] | 41 | #present proposal_task, :with => Entities::Task, :fields => params[:fields] |
| 39 | end | 42 | end |
| 40 | - | ||
| 41 | end | 43 | end |
| 42 | - | ||
| 43 | end | 44 | end |
test/unit/api_test.rb
| @@ -45,4 +45,22 @@ class APITest < ActiveSupport::TestCase | @@ -45,4 +45,22 @@ class APITest < ActiveSupport::TestCase | ||
| 45 | assert json['success'] | 45 | assert json['success'] |
| 46 | end | 46 | end |
| 47 | 47 | ||
| 48 | + should 'sanitize proposal' do | ||
| 49 | + discussion = fast_create(ProposalsDiscussionPlugin::Discussion, :profile_id => user.person.id) | ||
| 50 | + topic = fast_create(ProposalsDiscussionPlugin::Topic, | ||
| 51 | + :profile_id => user.person.id, | ||
| 52 | + :parent_id => discussion.id) | ||
| 53 | + params[:article] = {:name => "Proposal name", :abstract => "Proposal <iframe>Test</iframe> abstract", | ||
| 54 | + :type => 'ProposalsDiscussionPlugin::Proposal', | ||
| 55 | + :body => "This is a malicious body <iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>SearchParam"} | ||
| 56 | + assert_difference "ProposalsDiscussionPlugin::ProposalTask.count" do | ||
| 57 | + post "/api/v1/proposals_discussion_plugin/#{topic.id}/propose?#{params.to_query}" | ||
| 58 | + end | ||
| 59 | + json = JSON.parse(last_response.body) | ||
| 60 | + assert json['success'] | ||
| 61 | + task = Task.last | ||
| 62 | + assert_equal "Proposal Test abstract", task.abstract | ||
| 63 | + assert_equal "This is a malicious body SearchParam", task.article.body | ||
| 64 | + end | ||
| 65 | + | ||
| 48 | end | 66 | end |