diff --git a/app/controllers/my_profile/manage_products_controller.rb b/app/controllers/my_profile/manage_products_controller.rb
index 99cdaa6..7fd68ee 100644
--- a/app/controllers/my_profile/manage_products_controller.rb
+++ b/app/controllers/my_profile/manage_products_controller.rb
@@ -56,5 +56,16 @@ class ManageProductsController < ApplicationController
@categories = @current_category.children
render :partial => 'subcategories'
end
+
+ private
+
+ require 'erb'
+ include ERB::Util
+ def sanitize
+ if params[:product]
+ params[:product][:name] = html_escape(params[:product][:name]) if params[:product][:name]
+ params[:product][:description] = html_escape(params[:product][:description]) if params[:product][:description]
+ end
+ end
end
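Review bot: `sanitize` escapes rather than sanitizes and then writes the escaped markup back into `params[:product]`, so whatever is persisted from those params is HTML-escaped at rest; any view that already escapes on output will double-encode it (`&lt;b&gt;` becomes `&amp;lt;b&amp;gt;`) and edit forms will show entities instead of the original text — escaping at render time is the usual place for this, and the method name should reflect what it does (e.g. `escape_product_params`). Nothing in this hunk registers the method as a filter; if the `before_filter` lives elsewhere in the class that is fine, but it is not visible here, and the class header is outside the hunk. `require 'erb'` belongs at the top of the file, not after `private` in the class body; `include ERB::Util` also pulls `url_encode` and friends into the controller, so `html_escape(params[:product][:name])` could be written against `ERB::Util` directly without the include. A one-line comment on the method, `# HTML-escapes product name/description in params before they are persisted; the stored values are already escaped.`, would at least make the double-encoding risk visible to the next maintainer.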
diff --git a/test/functional/manage_products_controller_test.rb b/test/functional/manage_products_controller_test.rb
index 1a954f4..f82181c 100644
--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
@@ -169,4 +169,16 @@ class ManageProductsControllerTest < Test::Unit::TestCase
assert_tag :tag => 'input', :attributes => { :type => 'file', :name => 'product[image_builder][uploaded_data]' }
end
+ should 'filter html from name of product' do
+ category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
+ post 'new', :profile => @enterprise.identifier, :product => { :name => "name bold", :product_category_id => category.id }
+ assert_not_equal assigns(:product).name, "name bold"
+ end
+
+ should 'filter html from description of product' do
+ category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
+ post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "descr bold", :product_category_id => category.id }
+ assert_not_equal assigns(:product).description, "descr bold"
+ end
+
end
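Review bot: As shown, the posted strings `"name bold"` and `"descr bold"` contain no markup, so `html_escape` leaves them unchanged and `assert_not_equal` would fail rather than prove filtering works; if angle-bracket tags were lost when this patch was rendered, disregard, but the assertion is weak either way because "not equal to the input" is also satisfied by truncation or any other corruption. Assert the exact expected value instead, and note the argument order is expected-then-actual: `assert_equal ERB::Util.html_escape(raw_name), assigns(:product).name` (with `raw_name` being the posted string). A third case posting a plain-text name and asserting it comes back unchanged would guard against the filter mangling ordinary input. Both tests create `'Category 1'` identically; that setup could move into the existing `setup` block, which is outside this hunk.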
--
libgit2 0.21.2