Commit 8dd6af1466079778fb6a91be9a3d32d7d90275a6
Sanitize user attrs on model level
Showing
4 changed files
with
15 additions
and
14 deletions
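--- a/Gemfile
+++ b/Gemfile
@@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4"
 # underscore-rails
 gem "underscore-rails", "~> 1.4.4"
 
+# Sanitize user input
+gem "sanitize"
+
 group :assets do
   gem "sass-rails"
   gem "coffee-rails"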
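Review bot: The added `gem "sanitize"` carries no version constraint, while the neighbouring gems in this file are pinned with `~>`. An unpinned gem resolves to whatever release is newest at bundle time, so a later major release that changes the default cleaning rules would be adopted silently by the `Sanitize.clean` call this commit introduces in the User model. Pin it in the same style as its neighbours, e.g. `gem "sanitize", "~> <VERSION_FROM_GEMFILE_LOCK>"`.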
Gemfile.lock
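--- a/app/controllers/profiles_controller.rb
+++ b/app/controllers/profiles_controller.rb
@@ -17,7 +17,7 @@ class ProfilesController < ApplicationController
   end
 
   def update
-    if @user.update_attributes(user_attributes)
+    if @user.update_attributes(params[:user])
       flash[:notice] = "Profile was successfully updated"
     else
       flash[:alert] = "Failed to update profile"
@@ -69,19 +69,6 @@ class ProfilesController < ApplicationController
     @user = current_user
   end
 
-  def user_attributes
-    user_attributes = params[:user]
-
-    # Sanitize user input because we dont have strict
-    # validation for this fields
-    %w(name skype linkedin twitter bio).each do |attr|
-      value = user_attributes[attr]
-      user_attributes[attr] = sanitize(strip_tags(value)) if value.present?
-    end
-
-    user_attributes
-  end
-
   def authorize_change_password!
     return render_404 if @user.ldap_user?
   end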
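Review bot: `@user.update_attributes(params[:user])` on line 20 now hands the whole `user` hash to mass assignment, so the only filter between the request and privileged User columns is whatever `attr_accessible` the User model declares, which is outside this diff; it is worth confirming that declaration exists and lists only the profile fields this form edits, since the removed helper at least made the intended field set explicit. The removed `user_attributes` also ran `strip_tags` before `sanitize`, while the model callback that replaces it calls `Sanitize.clean` alone; for HTML input the result is probably equivalent, but it is an inferred equivalence rather than one the diff shows. The body of `update` continues outside the hunk.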
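--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -116,7 +116,10 @@ class User < ActiveRecord::Base
   validate :namespace_uniq, if: ->(user) { user.username_changed? }
 
   before_validation :generate_password, on: :create
+  before_validation :sanitize_attrs
+
   before_save :ensure_authentication_token
+
   alias_attribute :private_token, :authentication_token
 
   delegate :path, to: :namespace, allow_nil: true, prefix: true
@@ -371,4 +374,11 @@ class User < ActiveRecord::Base
   def created_by
     User.find_by_id(created_by_id) if created_by_id
   end
+
+  def sanitize_attrs
+    %w(name username skype linkedin twitter bio).each do |attr|
+      value = self.send(attr)
+      self.send("#{attr}=", Sanitize.clean(value)) if value.present?
+    end
+  end
 end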
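Review bot: `Sanitize.clean(value)` on line 381 returns an HTML-escaped fragment rather than plain text, so a name such as `Tom & Jerry` is stored as `Tom &amp; Jerry`, and because `before_validation :sanitize_attrs` on line 119 fires on every validation of every User (not just profile updates, as the removed controller helper did), the stored entity is escaped again on each subsequent save. Restrict the callback to values that actually changed, e.g. `next unless send("#{attr}_changed?")` as the first line of the loop body, or unescape entities after cleaning if the intent is plain-text storage. Separately, `self.send(attr)` and `self.send("#{attr}=", ...)` would read better as `public_send`, or as `self[attr]` / `self[attr] = ...`, since these are ordinary attribute accessors and `send` also bypasses visibility for no reason here.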