Commit 223d26405128a64f624b78e7d4b03565d1e85a69
1 parent
3dcc4419
Exists in
master
and in
4 other branches
Sanitize user attrs on model level
Showing
4 changed files
with
15 additions
and
14 deletions
Show diff stats
Gemfile
| @@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4" | @@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4" | ||
| 118 | # underscore-rails | 118 | # underscore-rails |
| 119 | gem "underscore-rails", "~> 1.4.4" | 119 | gem "underscore-rails", "~> 1.4.4" |
| 120 | 120 | ||
| 121 | +# Sanitize user input | ||
| 122 | +gem "sanitize" | ||
| 123 | + | ||
| 121 | group :assets do | 124 | group :assets do |
| 122 | gem "sass-rails" | 125 | gem "sass-rails" |
| 123 | gem "coffee-rails" | 126 | gem "coffee-rails" |
Gemfile.lock
app/controllers/profiles_controller.rb
| @@ -17,7 +17,7 @@ class ProfilesController < ApplicationController | @@ -17,7 +17,7 @@ class ProfilesController < ApplicationController | ||
| 17 | end | 17 | end |
| 18 | 18 | ||
| 19 | def update | 19 | def update |
| 20 | - if @user.update_attributes(user_attributes) | 20 | + if @user.update_attributes(params[:user]) |
| 21 | flash[:notice] = "Profile was successfully updated" | 21 | flash[:notice] = "Profile was successfully updated" |
| 22 | else | 22 | else |
| 23 | flash[:alert] = "Failed to update profile" | 23 | flash[:alert] = "Failed to update profile" |
| @@ -69,19 +69,6 @@ class ProfilesController < ApplicationController | @@ -69,19 +69,6 @@ class ProfilesController < ApplicationController | ||
| 69 | @user = current_user | 69 | @user = current_user |
| 70 | end | 70 | end |
| 71 | 71 | ||
| 72 | - def user_attributes | ||
| 73 | - user_attributes = params[:user] | ||
| 74 | - | ||
| 75 | - # Sanitize user input because we dont have strict | ||
| 76 | - # validation for this fields | ||
| 77 | - %w(name skype linkedin twitter bio).each do |attr| | ||
| 78 | - value = user_attributes[attr] | ||
| 79 | - user_attributes[attr] = sanitize(strip_tags(value)) if value.present? | ||
| 80 | - end | ||
| 81 | - | ||
| 82 | - user_attributes | ||
| 83 | - end | ||
| 84 | - | ||
| 85 | def authorize_change_password! | 72 | def authorize_change_password! |
| 86 | return render_404 if @user.ldap_user? | 73 | return render_404 if @user.ldap_user? |
| 87 | end | 74 | end |
app/models/user.rb
| @@ -114,7 +114,10 @@ class User < ActiveRecord::Base | @@ -114,7 +114,10 @@ class User < ActiveRecord::Base | ||
| 114 | validate :namespace_uniq, if: ->(user) { user.username_changed? } | 114 | validate :namespace_uniq, if: ->(user) { user.username_changed? } |
| 115 | 115 | ||
| 116 | before_validation :generate_password, on: :create | 116 | before_validation :generate_password, on: :create |
| 117 | + before_validation :sanitize_attrs | ||
| 118 | + | ||
| 117 | before_save :ensure_authentication_token | 119 | before_save :ensure_authentication_token |
| 120 | + | ||
| 118 | alias_attribute :private_token, :authentication_token | 121 | alias_attribute :private_token, :authentication_token |
| 119 | 122 | ||
| 120 | delegate :path, to: :namespace, allow_nil: true, prefix: true | 123 | delegate :path, to: :namespace, allow_nil: true, prefix: true |
| @@ -356,4 +359,11 @@ class User < ActiveRecord::Base | @@ -356,4 +359,11 @@ class User < ActiveRecord::Base | ||
| 356 | def created_by | 359 | def created_by |
| 357 | User.find_by_id(created_by_id) if created_by_id | 360 | User.find_by_id(created_by_id) if created_by_id |
| 358 | end | 361 | end |
| 362 | + | ||
| 363 | + def sanitize_attrs | ||
| 364 | + %w(name username skype linkedin twitter bio).each do |attr| | ||
| 365 | + value = self.send(attr) | ||
| 366 | + self.send("#{attr}=", Sanitize.clean(value)) if value.present? | ||
| 367 | + end | ||
| 368 | + end | ||
| 359 | end | 369 | end |