Commit 1821a739dbe153faf74cc802ba17b8f8f067cd5c

Authored by JoenioCosta
1 parent ac95e9a2

ActionItem192: filtering html from enterprise registration fields and add assert_sanitized to test_helper

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1695 3f533792-8f58-4932-b0fe-aaf55b0a4547
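--- a/app/controllers/my_profile/memberships_controller.rb
+++ b/app/controllers/my_profile/memberships_controller.rb
@@ -24,4 +24,15 @@ class MembershipsController < MyProfileController
     end
   end
 
+  private
+
+  require 'erb'
+  include ERB::Util
+  def sanitize
+    if params[:community]
+      params[:community][:name] = html_escape(params[:community][:name]) if params[:community][:name]
+      params[:community][:description] = html_escape(params[:community][:description]) if params[:community][:description]
+    end
+  end
+
 end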
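Review bot: Nothing in this hunk invokes `sanitize` — it is defined below `private` at lines 31-36, but no `before_filter :sanitize` is visible and the class header where filters are declared is outside the hunk, so whether the escaping actually runs for `new_community` depends on a filter declared elsewhere (possibly inherited from MyProfileController); worth confirming, since the new tests in memberships_controller_test.rb only pass if it does. Escaping on the way in also means Community#name and #description are stored as `&lt;b&gt;...`: any view that additionally applies `h()` will double-escape them, and any other write path to those attributes (other controllers, console, API) bypasses this filter entirely, whereas escaping at render time, or a model-level sanitizer, covers every path. As a point of style, `require 'erb'` and `include ERB::Util` placed after `private` have nothing to do with visibility; move the `require` to the top of the file and put `include ERB::Util` directly under the `class` line.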
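--- a/app/controllers/public/enterprise_registration_controller.rb
+++ b/app/controllers/public/enterprise_registration_controller.rb
@@ -51,4 +51,16 @@ class EnterpriseRegistrationController < ApplicationController
     @create_enterprise.save!
   end
 
+  private
+
+  require 'erb'
+  include ERB::Util
+  def sanitize
+    if params[:create_enterprise]
+      %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].each{ |i|
+        params[:create_enterprise][i] = html_escape(params[:create_enterprise][i]) if params[:create_enterprise][i]
+      }
+    end
+  end
+
 end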
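Review bot: The hard-coded field list at line 60 is the only thing deciding which `create_enterprise` params are escaped, so any attribute added to the form later is unprotected by default, and `identifier`, which the new tests post alongside `name`, is not in it (presumably constrained by a format validation on the model — confirm). Because `html_escape` rewrites the params before the record is built, `@create_enterprise` is persisted with entity-encoded values: views that already call `h()` will render `&amp;lt;`, and non-HTML consumers of the same data (e-mails, exports) see `&lt;b&gt;` literally, both of which output-time escaping avoids while also covering writes that do not pass through this controller. The `before_filter` that would call `sanitize` is not part of this hunk and the class header is outside it, so its presence cannot be confirmed from here. If input escaping is kept, inverting the list is safer — escape every string value and exempt only the format-validated ones, e.g. `params[:create_enterprise].each { |k, v| params[:create_enterprise][k] = html_escape(v) if v.is_a?(String) && k != 'identifier' }`.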
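--- a/test/functional/consumed_products_controller_test.rb
+++ b/test/functional/consumed_products_controller_test.rb
@@ -44,7 +44,7 @@ class ConsumedProductsControllerTest < Test::Unit::TestCase
     product_category = ProductCategory.create!(:name => 'Food', :environment => Environment.default)
     post :new, :profile => profile.identifier,
       :consumption => { :product_category_id => product_category.id, :aditional_specifications => 'extra <b>info</b>' }
-    assert_not_equal assigns(:consumption).aditional_specifications, 'extra <b>info</b>'
+    assert_sanitized assigns(:consumption).aditional_specifications
   end
 
   should 'destroy product' do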
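--- a/test/functional/enterprise_registration_controller_test.rb
+++ b/test/functional/enterprise_registration_controller_test.rb
@@ -86,4 +86,49 @@ all_fixtures
     assert_template 'confirmation'
   end
 
+  should 'filter html from name' do
+    post :index, :create_enterprise => { 'name' => '<b>name</b>', 'identifier' => 'mynew' }
+    assert_sanitized assigns(:create_enterprise).name
+  end
+
+  should 'filter html from address' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :address => '<b>address</b>' }
+    assert_sanitized assigns(:create_enterprise).address
+  end
+
+  should 'filter html from contact_phone' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_phone => '<b>contact_phone</b>' }
+    assert_sanitized assigns(:create_enterprise).contact_phone
+  end
+
+  should 'filter html from contact_person' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_person => '<b>contact_person</b>' }
+    assert_sanitized assigns(:create_enterprise).contact_person
+  end
+
+  should 'filter html from acronym' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :acronym => '<b>acronym</b>' }
+    assert_sanitized assigns(:create_enterprise).acronym
+  end
+
+  should 'filter html from foundation_year' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :foundation_year => '<b>foundation_year</b>' }
+    assert_sanitized assigns(:create_enterprise).foundation_year
+  end
+
+  should 'filter html from legal_form' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :legal_form => '<b>legal_form</b>' }
+    assert_sanitized assigns(:create_enterprise).legal_form
+  end
+
+  should 'filter html from economic_activity' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :economic_activity => '<b>economic_activity</b>' }
+    assert_sanitized assigns(:create_enterprise).economic_activity
+  end
+
+  should 'filter html from management_information' do
+    post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :management_information => '<b>management_information</b>' }
+    assert_sanitized assigns(:create_enterprise).management_information
+  end
+
 end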
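Review bot: Each new test (lines 89-132) asserts only that no tag survives in the assigned attribute, and `assert_sanitized` also passes when the attribute is nil or was type-cast — `'<b>foundation_year</b>'` posted into a year field at line 115 may never reach the model as a string — so the tests cannot tell "escaped" from "dropped". Pinning the escaped form, e.g. `assert_equal '&lt;b&gt;name&lt;/b&gt;', assigns(:create_enterprise).name`, proves the value was both preserved and escaped. None of the payloads exercises attribute or quote injection (`" onmouseover="...`) rather than a tag; `html_escape` covers it, but a test would record that the quote escaping is relied upon.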
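--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -124,16 +124,14 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
     info = ValidationInfo.new(:validation_methodology => 'none')
     @org.expects(:validation_info).returns(info)
     post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new <b>methodology</b>'}
-
-    assert_not_equal assigns(:info).validation_methodology, 'new <b>methodology</b>'
+    assert_sanitized assigns(:info).validation_methodology
   end
 
   should 'filter html from restriction of the validation info' do
     info = ValidationInfo.new(:validation_methodology => 'none')
     @org.expects(:validation_info).returns(info)
     post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new <b>methodology</b>'}
-
-    assert_not_equal assigns(:info).restrictions, 'new <b>methodology</b>'
+    assert_sanitized assigns(:info).restrictions
   end
 
 end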
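--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
@@ -172,13 +172,13 @@ class ManageProductsControllerTest < Test::Unit::TestCase
   should 'filter html from name of product' do
     category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
     post 'new', :profile => @enterprise.identifier, :product => { :name => "<b id='html_name'>name bold</b>", :product_category_id => category.id }
-    assert_not_equal assigns(:product).name, "<b id='html_name'>name bold</b>"
+    assert_sanitized assigns(:product).name
   end
 
   should 'filter html from description of product' do
     category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
     post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "<b id='html_descr'>descr bold</b>", :product_category_id => category.id }
-    assert_not_equal assigns(:product).description, "<b id='html_descr'>descr bold</b>"
+    assert_sanitized assigns(:product).description
   end
 
 end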
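--- a/test/functional/memberships_controller_test.rb
+++ b/test/functional/memberships_controller_test.rb
@@ -5,6 +5,7 @@ require 'memberships_controller'
 class MembershipsController; def rescue_action(e) raise e end; end
 
 class MembershipsControllerTest < Test::Unit::TestCase
+
   def setup
     @controller = MembershipsController.new
     @request = ActionController::TestRequest.new
@@ -61,4 +62,16 @@ class MembershipsControllerTest < Test::Unit::TestCase
     assert_tag :tag => 'a', :attributes => { :href => "/myprofile/#{profile.identifier}/memberships/new_community" }
   end
 
+  should 'filter html from name' do
+    login_as(profile.identifier)
+    post :new_community, :profile => profile.identifier, :community => { :name => '<b>new</b> community' }
+    assert_sanitized assigns(:community).name
+  end
+
+  should 'filter html from description' do
+    login_as(profile.identifier)
+    post :new_community, :profile => profile.identifier, :community => { :name => 'new community', :description => '<b>new</b> community' }
+    assert_sanitized assigns(:community).description
+  end
+
 end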
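--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
@@ -96,42 +96,42 @@ class ProfileEditorControllerTest < Test::Unit::TestCase
     person = create_user('test_profile').person
     name = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => person.identifier, :info => { :name => name }
-    assert_not_equal name, assigns(:profile).info.name
+    assert_sanitized assigns(:profile).info.name
   end
 
   should 'filter html from contact_person to organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     contact = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :contact_person => contact }
-    assert_not_equal contact, assigns(:profile).info.contact_person
+    assert_sanitized assigns(:profile).info.contact_person
   end
 
   should 'filter html from acronym organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :acronym => value }
-    assert_not_equal value, assigns(:profile).info.acronym
+    assert_sanitized assigns(:profile).info.acronym
   end
 
   should 'filter html from legal_form organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :legal_form => value }
-    assert_not_equal value, assigns(:profile).info.legal_form
+    assert_sanitized assigns(:profile).info.legal_form
   end
 
   should 'filter html from economic_activity organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :economic_activity => value }
-    assert_not_equal value, assigns(:profile).info.economic_activity
+    assert_sanitized assigns(:profile).info.economic_activity
   end
 
   should 'filter html from management_information organization' do
     org = Organization.create!(:name => 'test org', :identifier => 'testorg')
     value = "name <strong id='name_html_test'>with</strong> html"
     post :edit, :profile => org.identifier, :info => { :management_information => value }
-    assert_not_equal value, assigns(:profile).info.management_information
+    assert_sanitized assigns(:profile).info.management_information
   end
 
 end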
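--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -135,6 +135,11 @@ class Test::Unit::TestCase
     assert_equal parent, child.superclass, "Class #{child} expected to be a subclass of #{parent}"
   end
 
+  # this check only if string has html tag
+  def assert_sanitized(string)
+    assert_no_match /<[^>]+\/?>/, string, "String #{string} expected to be sanitized"
+  end
+
   private
 
   def uses_host(name)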
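Review bot: `assert_sanitized` at lines 139-141 accepts any value that lacks a complete `<...>` tag, including nil (`Regexp#=~` returns nil rather than raising for a nil operand, so a field that was never assigned passes) and values that were truncated or blanked instead of escaped, so it verifies the absence of a tag rather than that escaping happened. Keeping the existing call sites working, an optional second argument lets callers pin the expected form: `def assert_sanitized(string, raw = nil)` followed by `assert_equal ERB::Util.html_escape(raw), string, "String #{raw} expected to be html-escaped" if raw`, with `require 'erb'` at the top of the helper. The comment at line 138 should state the limitation and read as a sentence, e.g. `# asserts only that +string+ contains no HTML tag; it does not check how the tag was removed`.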