Commit b2745d8aee2180ecac09d7ec29f951bd04582674
1 parent
049db1a4
Filtering events links only with white_list
(ActionItem2684)
Showing
2 changed files
with
8 additions
and
1 deletions
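--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -14,7 +14,6 @@ class Event < Article
     maybe_add_http(self.setting[:link])
   end
 
-  xss_terminate :only => [ :link ], :on => 'validation'
   xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
 
   def initialize(*args)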
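Review bot: With the stricter `xss_terminate :only => [ :link ]` line removed, `link` is cleaned only by the `white_list` HTML sanitizer, which filters tags and does not check that the value is a URL, so a value with a non-http scheme or no host passes through to `maybe_add_http` unchanged. Since `link` holds a URL rather than markup, pair the sanitizer with an explicit validation of the attribute, e.g. a `validate` method that parses the value after `maybe_add_http` with `URI.parse` and adds an error unless the scheme is `http` or `https`; if `link` is backed by `setting[:link]` rather than a column, the custom `validate` form is the one that will work. The `Event` class continues outside this hunk, so an existing URL validation elsewhere in the file would make this redundant.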
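--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -248,6 +248,14 @@ class EventTest < ActiveSupport::TestCase
     assert_equal "<strong> Address <strong>", event.address
   end
 
+  should 'not filter & on link field' do
+    event = Event.new
+    event.link = 'myevent.com/?param1=value¶m2=value2'
+    event.valid?
+
+    assert_equal "http://myevent.com/?param1=value¶m2=value2", event.link
+  end
+
   should 'escape malformed html tags' do
     event = Event.new
     event.body = "<h1<< Description >>/h1>"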
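Review bot: The new test pins only that `&` survives in `link`; nothing covers that markup in `link` is still removed now that the stricter filter was dropped in `app/models/event.rb`, so a regression there would go unnoticed. Add a companion test assigning a link containing a tag the `white_list` configuration does not allow and asserting it is gone after `valid?` (below, assuming `script` is outside the white list — confirm against the sanitizer settings). The `¶m2` shown on lines 253 and 256 looks like `&param2` with `&para` rendered as an entity by the page; confirm the committed source contains the literal `&param2=value2`, otherwise the test is not exercising a query-string ampersand at all.
```ruby
  should 'still strip disallowed markup on link field' do
    event = Event.new
    event.link = 'myevent.com/<script></script>'
    event.valid?

    assert_no_match(/<script/, event.link)
  end
```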