diff --git a/app/controllers/my_profile/enterprise_validation_controller.rb b/app/controllers/my_profile/enterprise_validation_controller.rb
index c34a6d0..70ff146 100644
--- a/app/controllers/my_profile/enterprise_validation_controller.rb
+++ b/app/controllers/my_profile/enterprise_validation_controller.rb
@@ -60,4 +60,15 @@ class EnterpriseValidationController < MyProfileController
end
end
+ private
+
+ require 'erb'
+ include ERB::Util
+ def sanitize
+ if params[:info]
+ params[:info][:validation_methodology] = html_escape(params[:info][:validation_methodology]) if params[:info][:validation_methodology]
+ params[:info][:restrictions] = html_escape(params[:info][:restrictions]) if params[:info][:restrictions]
+ end
+ end
+
end
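Review bot: `sanitize` is defined as a private method but nothing in this hunk registers it as a filter, so unless a `before_filter :sanitize` line exists in the part of the class above the hunk (outside this view), the escaping never runs before `edit_validation_info` assigns the params. Escaping on input also stores entity-encoded text in the model, so a view that escapes on output as well (the `h` helper) renders `&amp;lt;` instead of `<`; the conventional placement is to escape at render time and keep the stored value raw, and if write-time escaping is deliberate the method should say so, e.g. `# Entity-encodes these two fields on write; the stored value is already HTML-safe`. The guard `if params[:info]` does not ensure a Hash: a string value for `info` would make `params[:info][:validation_methodology]` raise TypeError, so `if params[:info].is_a?(Hash)` is the safer check. The `require 'erb'` inside the class body after `private` is unusual placement; ERB is already loaded by the framework and the `require` would normally sit at the top of the file.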
diff --git a/test/functional/enterprise_validation_test.rb b/test/functional/enterprise_validation_test.rb
index d51f8ec..f00f7db 100644
--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -104,7 +104,7 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
should 'save an alteration of the validation info' do
info = ValidationInfo.new(:validation_methodology => 'none')
@org.expects(:validation_info).returns(info)
- post :edit_validation_info, :profile => 'myorg', :validation_info => {:validatin_methodology => 'new methodaology'}
+ post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
assert_response :redirect
assert_redirected_to :action => 'index'
@@ -120,4 +120,20 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
assert_equal info, assigns(:info)
end
+ should 'filter html from methodology of the validation info' do
+ info = ValidationInfo.new(:validation_methodology => 'none')
+ @org.expects(:validation_info).returns(info)
+ post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
+
+ assert_not_equal assigns(:info).validation_methodology, 'new methodology'
+ end
+
+ should 'filter html from restriction of the validation info' do
+ info = ValidationInfo.new(:validation_methodology => 'none')
+ @org.expects(:validation_info).returns(info)
+ post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new methodology'}
+
+ assert_not_equal assigns(:info).restrictions, 'new methodology'
+ end
+
end
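Review bot: Both new tests post a payload with no HTML-special characters, so `html_escape('new methodology')` returns the string unchanged and `assert_not_equal assigns(:info).validation_methodology, 'new methodology'` cannot pass for the reason the test name claims; it either fails or passes only because the assign holds something else. Use an input that actually needs escaping and pin the escaped result, e.g. `:info => {:validation_methodology => '<b>new methodology</b>'}` followed by `assert_equal '&lt;b&gt;new methodology&lt;/b&gt;', assigns(:info).validation_methodology`, and apply the same change to the restrictions test at the `:restrictions => 'new methodology'` post and its assertion. Asserting a concrete expected value, rather than inequality with the raw input, is what distinguishes the filter working from it being skipped.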
--
libgit2 0.21.2