Commit 7826abb9adc2531bf33c5c25f2c713e543aa8b5f

Authored by Victor Costa
1 parent 170a723e

virtuoso: strip tags from rdf content

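--- a/plugins/virtuoso/lib/ext/literal.rb
+++ b/plugins/virtuoso/lib/ext/literal.rb
@@ -1,7 +1,9 @@
 class RDF::Literal
 
+include ActionView::Helpers::SanitizeHelper
+
 def to_liquid
-value
+strip_tags(value)
 end
 
 end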
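Review bot: `strip_tags(value)` on new line 6 is a tag-removal filter, not an output encoder, so whatever text survives it (including a stray `<` or `&` that was never part of a tag) still needs escaping where the Liquid result is rendered; treat this as one layer and keep escaping at the view. Mixing `ActionView::Helpers::SanitizeHelper` into the third-party `RDF::Literal` class (new line 3) also puts the whole helper API on every literal instance, whereas the same call is available without the mixin as `ActionController::Base.helpers.strip_tags(value)`, which keeps the patch to the one method. If `value` can be a non-String for typed literals, the sanitizer may not accept it, and `to_liquid` now returns a String where it previously returned the raw value; `strip_tags(value.to_s)` plus a one-line comment on why literal values are sanitized here would make both explicit. The existing assertion on line 38 of the test file expects `<p style="color:red">World</p>` to remain in the rendered content, which appears to conflict with stripping tags from literal values unless that markup comes from the template rather than the literal — worth confirming.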
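--- a/plugins/virtuoso/test/unit/triples_template_test.rb
+++ b/plugins/virtuoso/test/unit/triples_template_test.rb
@@ -38,4 +38,13 @@ class TriplesTemplateTest < ActiveSupport::TestCase
 assert_match /<p style="color:red">World<\/p>/, content
 end
 
+should 'do not allow js injection' do
+article.stubs(:plugin).returns(mock)
+article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
+article.plugin.virtuoso_client.expects(:query).returns([{'var' => RDF::Literal.new('<script>alert("hello");</script>')}])
+article.template = "{% for row in results %}{{row.var}}{% endfor %}"
+
+assert_no_match /<script>/, article.template_content
+end
+
 end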
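Review bot: `assert_no_match /<script>/, article.template_content` on new line 47 also passes when the rendered content is empty or when the value was escaped rather than stripped, so the test does not prove the literal actually went through `to_liquid`; add a positive assertion on the retained text, e.g. `assert_match /alert/, article.template_content`, so a regression that blanks the value is caught. The regexp literal as an unparenthesised first argument (`assert_no_match /<script>/, ...`) triggers Ruby's ambiguous-first-argument warning; `assert_no_match(/<script>/, article.template_content)` avoids it (the existing line 38 has the same form). `article` is presumably set up outside the hunk.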