Commit 95f84d2d7aadcd71f8b0b234e196e784eda713c3
Exists in
staging
and in
4 other branches
Merge branch 'api' of https://gitlab.com/participa/noosfero into api
Showing
3 changed files
with
36 additions
and
27 deletions
Show diff stats
lib/noosfero/api/helpers.rb
| ... | ... | @@ -4,6 +4,8 @@ |
| 4 | 4 | PRIVATE_TOKEN_PARAM = :private_token |
| 5 | 5 | ALLOWED_PARAMETERS = [:parent_id, :from, :until, :content_type] |
| 6 | 6 | |
| 7 | + include SanitizeParams | |
| 8 | + | |
| 7 | 9 | def current_user |
| 8 | 10 | private_token = (params[PRIVATE_TOKEN_PARAM] || headers['Private-Token']).to_s |
| 9 | 11 | @current_user ||= User.find_by_private_token(private_token) | ... | ... |
lib/sanitize_params.rb
| ... | ... | @@ -2,33 +2,40 @@ module SanitizeParams |
| 2 | 2 | |
| 3 | 3 | protected |
| 4 | 4 | |
| 5 | - # Check each request parameter for | |
| 6 | - # improper HTML or Script tags | |
| 7 | - def sanitize_params | |
| 8 | - request.params.each { |k, v| | |
| 9 | - if v.is_a?(String) | |
| 10 | - params[k] = sanitize_param v | |
| 11 | - elsif v.is_a?(Array) | |
| 12 | - params[k] = sanitize_array v | |
| 13 | - end | |
| 14 | - } | |
| 15 | - end | |
| 5 | + # Check each request parameter for | |
| 6 | + # improper HTML or Script tags | |
| 7 | + def sanitize_params | |
| 8 | + sanitize_params_hash(request.params) | |
| 9 | + end | |
| 16 | 10 | |
| 17 | - # If the parameter was an array, | |
| 18 | - # try to sanitize each element in the array | |
| 19 | - def sanitize_array(array) | |
| 20 | - array.map! { |e| | |
| 21 | - if e.is_a?(String) | |
| 22 | - sanitize_param e | |
| 23 | - end | |
| 24 | - } | |
| 25 | - return array | |
| 26 | - end | |
| 11 | + # Given a params list sanitize all | |
| 12 | + def sanitize_params_hash(params) | |
| 13 | + params.each { |k, v| | |
| 14 | + if v.is_a?(String) | |
| 15 | + params[k] = sanitize_param v | |
| 16 | + elsif v.is_a?(Array) | |
| 17 | + params[k] = sanitize_array v | |
| 18 | + elsif v.kind_of?(Hash) | |
| 19 | + params[k] = sanitize_params_hash(v) | |
| 20 | + end | |
| 21 | + } | |
| 22 | + end | |
| 27 | 23 | |
| 28 | - # Santitize a single value | |
| 29 | - def sanitize_param(value) | |
| 30 | - allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | |
| 31 | - ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | |
| 32 | - end | |
| 24 | + # If the parameter was an array, | |
| 25 | + # try to sanitize each element in the array | |
| 26 | + def sanitize_array(array) | |
| 27 | + array.map! { |e| | |
| 28 | + if e.is_a?(String) | |
| 29 | + sanitize_param e | |
| 30 | + end | |
| 31 | + } | |
| 32 | + return array | |
| 33 | + end | |
| 34 | + | |
| 35 | + # Santitize a single value | |
| 36 | + def sanitize_param(value) | |
| 37 | + allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | |
| 38 | + ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | |
| 39 | + end | |
| 33 | 40 | |
| 34 | 41 | end | ... | ... |