Commit 7826abb9adc2531bf33c5c25f2c713e543aa8b5f

Authored by Victor Costa
1 parent 170a723e

virtuoso: strip tags from rdf content

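--- a/plugins/virtuoso/lib/ext/literal.rb
+++ b/plugins/virtuoso/lib/ext/literal.rb
@@ -1,7 +1,9 @@
 class RDF::Literal
 
+include ActionView::Helpers::SanitizeHelper
+
 def to_liquid
-value
+strip_tags(value)
 end
 
 end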
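Review bot: `strip_tags(value)` on the new line 6 removes markup but does not HTML-escape what remains, so the literal is still interpolated into the Liquid template unescaped; that is usually fine for element content, but it also silently drops legitimate `<` and `>` from RDF literals (a literal holding `a < b` loses its text), which is a lossy behaviour the method should document. Mixing `ActionView::Helpers::SanitizeHelper` into the library class on line 3 also adds `sanitize`, `strip_links` and the other helpers to every `RDF::Literal` and ties this model-side extension to ActionView being loaded; calling the helper without the mixin, `strip_tags(value)` → `ActionController::Base.helpers.strip_tags(value)`, keeps the patch to one method. If `value` can be non-String for typed literals, the call should receive `value.to_s` — presumably it is already a String here, but worth confirming. A header comment such as `# Literal values come from external SPARQL results and appear to reach Liquid output unescaped; strip markup so a crafted literal cannot inject script into rendered templates` would record why the override exists.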
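--- a/plugins/virtuoso/test/unit/triples_template_test.rb
+++ b/plugins/virtuoso/test/unit/triples_template_test.rb
@@ -38,4 +38,13 @@ class TriplesTemplateTest < ActiveSupport::TestCase
 assert_match /<p style="color:red">World<\/p>/, content
 end
 
+should 'do not allow js injection' do
+article.stubs(:plugin).returns(mock)
+article.plugin.expects(:virtuoso_client).at_least_once.returns(mock)
+article.plugin.virtuoso_client.expects(:query).returns([{'var' => RDF::Literal.new('<script>alert("hello");</script>')}])
+article.template = "{% for row in results %}{{row.var}}{% endfor %}"
+
+assert_no_match /<script>/, article.template_content
+end
+
 end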
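Review bot: The assertion on the new line 47 only proves the literal substring `<script>` is absent, so it would also pass if the sanitizer left the tag's body or an escaped form of the tag in the output; asserting the exact rendered content is a stronger regression guard, e.g. `assert_equal 'alert("hello");', article.template_content` (expected value to be confirmed against the sanitizer the app's Rails version uses). A second case with a benign literal containing `<`, such as `RDF::Literal.new('a < b')`, would pin down what `strip_tags` does to non-markup text, since the change now applies that to every literal rendered through `to_liquid`. The existing test just above (old line 38) expects `<p style="color:red">World</p>` to survive; if that markup originates from a literal rather than the template it will now be stripped, which is worth checking before merge.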