From 7826abb9adc2531bf33c5c25f2c713e543aa8b5f Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Fri, 14 Nov 2014 17:08:03 -0300
Subject: [PATCH] virtuoso: strip tags from rdf content
---
plugins/virtuoso/lib/ext/literal.rb | 4 +++-
plugins/virtuoso/test/unit/triples_template_test.rb | 9 +++++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/plugins/virtuoso/lib/ext/literal.rb b/plugins/virtuoso/lib/ext/literal.rb
index 9ab34b0..b786720 100644
--- a/plugins/virtuoso/lib/ext/literal.rb
+++ b/plugins/virtuoso/lib/ext/literal.rb
@@ -1,7 +1,9 @@
 class RDF::Literal
+ include ActionView::Helpers::SanitizeHelper
+ def to_liquid
- value
+ strip_tags(value)
 end end
diff --git a/plugins/virtuoso/test/unit/triples_template_test.rb b/plugins/virtuoso/test/unit/triples_template_test.rb
index f35be7d..ed20532 100644
--- a/plugins/virtuoso/test/unit/triples_template_test.rb
+++ b/plugins/virtuoso/test/unit/triples_template_test.rb
@@ -38,4 +38,13 @@ class TriplesTemplateTest < ActiveSupport::TestCase
 assert_match /
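Review bot: `strip_tags(value)` in `to_liquid` removes markup but does not encode what remains, so the literal is sanitized rather than escaped — `&`, quotes and other text reach the Liquid template as-is, and a plain `{{row.var}}` output tag does not escape unless the template applies a filter. Treat the stripped value as untrusted text at render time (Liquid's `escape` filter, or `ERB::Util.html_escape` applied in `to_liquid`) instead of as safe output; whether `strip_tags` marks its result `html_safe` depends on the Rails version, so neither outcome should be relied on. Mixing `ActionView::Helpers::SanitizeHelper` into `RDF::Literal` also adds the whole helper surface (`sanitize`, `strip_links`, the sanitizer class accessors) to a library class; calling the helper without the include, `ActionController::Base.helpers.strip_tags(value)`, keeps the reopen to the one method that changes. The test hunk that exercises this behaviour runs past the end of the patch as shown, so its assertion could not be checked here.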

World<\/p>/, content
 end
+ should 'do not allow js injection' do
+ article.stubs(:plugin).returns(mock)
+ article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
+ article.plugin.virtuoso_client.expects(:query).returns([{'var' => RDF::Literal.new('')}])
+ article.template = "{% for row in results %}{{row.var}}{% endfor %}"
+
+ assert_no_match /