Commit 1821a739dbe153faf74cc802ba17b8f8f067cd5c
1 parent
ac95e9a2
ActionItem192: filtering html from enterprise registration fields and add assert_sanitized to test_helper
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1695 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
9 changed files
with
97 additions
and
13 deletions
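--- a/app/controllers/my_profile/memberships_controller.rb
+++ b/app/controllers/my_profile/memberships_controller.rb
@@ -24,4 +24,15 @@ class MembershipsController < MyProfileController
 end
 end
 
+ private
+
+ require 'erb'
+ include ERB::Util
+ def sanitize
+ if params[:community]
+ params[:community][:name] = html_escape(params[:community][:name]) if params[:community][:name]
+ params[:community][:description] = html_escape(params[:community][:description]) if params[:community][:description]
+ end
+ end
+
 end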
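Review bot: `sanitize` is defined as a private method but nothing in this hunk invokes it; if a `before_filter :sanitize` is declared above line 24 (outside the hunk), a short comment next to the method should name the actions it guards, otherwise the new memberships functional tests are the only thing that would reveal it never runs. The same method shape, with the duplicated `require 'erb'` / `include ERB::Util`, appears in enterprise_registration_controller.rb; the `require` belongs at the top of the file rather than under `private`, and since two controllers now need the helper it could live once in a shared parent such as ApplicationController. Note also that `html_escape` encodes on input, so the entity-encoded value is what gets persisted, and any view that already calls `h()` on these attributes will double-escape them; a comment such as `# escapes on input: the stored value is already entity-encoded, do not escape it again when rendering` would save the next reader that surprise.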
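--- a/app/controllers/public/enterprise_registration_controller.rb
+++ b/app/controllers/public/enterprise_registration_controller.rb
@@ -51,4 +51,16 @@ class EnterpriseRegistrationController < ApplicationController
 @create_enterprise.save!
 end
 
+ private
+
+ require 'erb'
+ include ERB::Util
+ def sanitize
+ if params[:create_enterprise]
+ %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].each{ |i|
+ params[:create_enterprise][i] = html_escape(params[:create_enterprise][i]) if params[:create_enterprise][i]
+ }
+ end
+ end
+
 end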
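Review bot: The list of escaped fields is an anonymous `%w[...]` literal buried inside `sanitize`, and the same nine names are repeated one per test in enterprise_registration_controller_test.rb, so the two will drift silently when a field is added to the form. Lifting the list into a frozen constant gives the tests something to iterate over and makes the method a guard clause plus a `do…end` block instead of a multi-line brace block; the rewrite below keeps the behaviour (same keys, same `html_escape`, same skip on missing values). How `sanitize` is invoked is not visible in this hunk, so the constant should sit next to whatever registers it as a filter.
```ruby
  # Registration-form fields whose values are HTML-escaped before they reach the model;
  # the functional tests iterate over this same list.
  SANITIZED_FIELDS = %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].freeze

  def sanitize
    fields = params[:create_enterprise]
    return unless fields
    SANITIZED_FIELDS.each do |field|
      fields[field] = html_escape(fields[field]) if fields[field]
    end
  end
```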
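--- a/test/functional/consumed_products_controller_test.rb
+++ b/test/functional/consumed_products_controller_test.rb
@@ -44,7 +44,7 @@ class ConsumedProductsControllerTest < Test::Unit::TestCase
 product_category = ProductCategory.create!(:name => 'Food', :environment => Environment.default)
 post :new, :profile => profile.identifier,
 :consumption => { :product_category_id => product_category.id, :aditional_specifications => 'extra <b>info</b>' }
- assert_not_equal assigns(:consumption).aditional_specifications, 'extra <b>info</b>'
+ assert_sanitized assigns(:consumption).aditional_specifications
 end
 
 should 'destroy product' do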
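--- a/test/functional/enterprise_registration_controller_test.rb
+++ b/test/functional/enterprise_registration_controller_test.rb
@@ -86,4 +86,49 @@ all_fixtures
 assert_template 'confirmation'
 end
 
+ should 'filter html from name' do
+ post :index, :create_enterprise => { 'name' => '<b>name</b>', 'identifier' => 'mynew' }
+ assert_sanitized assigns(:create_enterprise).name
+ end
+
+ should 'filter html from address' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :address => '<b>address</b>' }
+ assert_sanitized assigns(:create_enterprise).address
+ end
+
+ should 'filter html from contact_phone' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_phone => '<b>contact_phone</b>' }
+ assert_sanitized assigns(:create_enterprise).contact_phone
+ end
+
+ should 'filter html from contact_person' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_person => '<b>contact_person</b>' }
+ assert_sanitized assigns(:create_enterprise).contact_person
+ end
+
+ should 'filter html from acronym' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :acronym => '<b>acronym</b>' }
+ assert_sanitized assigns(:create_enterprise).acronym
+ end
+
+ should 'filter html from foundation_year' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :foundation_year => '<b>foundation_year</b>' }
+ assert_sanitized assigns(:create_enterprise).foundation_year
+ end
+
+ should 'filter html from legal_form' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :legal_form => '<b>legal_form</b>' }
+ assert_sanitized assigns(:create_enterprise).legal_form
+ end
+
+ should 'filter html from economic_activity' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :economic_activity => '<b>economic_activity</b>' }
+ assert_sanitized assigns(:create_enterprise).economic_activity
+ end
+
+ should 'filter html from management_information' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :management_information => '<b>management_information</b>' }
+ assert_sanitized assigns(:create_enterprise).management_information
+ end
+
 end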
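Review bot: The nine `should 'filter html from …'` tests only assert that no tag-shaped substring survives, so they cannot tell escaping from stripping or truncation of the value; at least one of them should pin the expected result, e.g. `assert_equal '&lt;b&gt;name&lt;/b&gt;', assigns(:create_enterprise).name`, which is what `ERB::Util#html_escape` produces for `<b>name</b>`. The same weakness applies to the two new tests in memberships_controller_test.rb. The tests differ only in the field name, so they can be generated from one list, as below; that list then mirrors the one in the controller's `sanitize` and a new field needs adding in only two places.
```ruby
  # One test per escaped field; keep the list in sync with the controller's sanitize.
  %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].each do |field|
    should "filter html from #{field}" do
      data = { 'name' => 'name', 'identifier' => 'mynew' }.merge(field => "<b>#{field}</b>")
      post :index, :create_enterprise => data
      assert_sanitized assigns(:create_enterprise).send(field)
    end
  end
```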
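--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -124,16 +124,14 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
 info = ValidationInfo.new(:validation_methodology => 'none')
 @org.expects(:validation_info).returns(info)
 post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new <b>methodology</b>'}
-
- assert_not_equal assigns(:info).validation_methodology, 'new <b>methodology</b>'
+ assert_sanitized assigns(:info).validation_methodology
 end
 
 should 'filter html from restriction of the validation info' do
 info = ValidationInfo.new(:validation_methodology => 'none')
 @org.expects(:validation_info).returns(info)
 post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new <b>methodology</b>'}
-
- assert_not_equal assigns(:info).restrictions, 'new <b>methodology</b>'
+ assert_sanitized assigns(:info).restrictions
 end
 
 end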
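--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
@@ -172,13 +172,13 @@ class ManageProductsControllerTest < Test::Unit::TestCase
 should 'filter html from name of product' do
 category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
 post 'new', :profile => @enterprise.identifier, :product => { :name => "<b id='html_name'>name bold</b>", :product_category_id => category.id }
- assert_not_equal assigns(:product).name, "<b id='html_name'>name bold</b>"
+ assert_sanitized assigns(:product).name
 end
 
 should 'filter html from description of product' do
 category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
 post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "<b id='html_descr'>descr bold</b>", :product_category_id => category.id }
- assert_not_equal assigns(:product).description, "<b id='html_descr'>descr bold</b>"
+ assert_sanitized assigns(:product).description
 end
 
 end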
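--- a/test/functional/memberships_controller_test.rb
+++ b/test/functional/memberships_controller_test.rb
@@ -5,6 +5,7 @@ require 'memberships_controller'
 class MembershipsController; def rescue_action(e) raise e end; end
 
 class MembershipsControllerTest < Test::Unit::TestCase
+
 def setup
 @controller = MembershipsController.new
 @request = ActionController::TestRequest.new
@@ -61,4 +62,16 @@ class MembershipsControllerTest < Test::Unit::TestCase
 assert_tag :tag => 'a', :attributes => { :href => "/myprofile/#{profile.identifier}/memberships/new_community" }
 end
 
+ should 'filter html from name' do
+ login_as(profile.identifier)
+ post :new_community, :profile => profile.identifier, :community => { :name => '<b>new</b> community' }
+ assert_sanitized assigns(:community).name
+ end
+
+ should 'filter html from description' do
+ login_as(profile.identifier)
+ post :new_community, :profile => profile.identifier, :community => { :name => 'new community', :description => '<b>new</b> community' }
+ assert_sanitized assigns(:community).description
+ end
+
 end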
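--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
@@ -96,42 +96,42 @@ class ProfileEditorControllerTest < Test::Unit::TestCase
 person = create_user('test_profile').person
 name = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => person.identifier, :info => { :name => name }
- assert_not_equal name, assigns(:profile).info.name
+ assert_sanitized assigns(:profile).info.name
 end
 
 should 'filter html from contact_person to organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 contact = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :contact_person => contact }
- assert_not_equal contact, assigns(:profile).info.contact_person
+ assert_sanitized assigns(:profile).info.contact_person
 end
 
 should 'filter html from acronym organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :acronym => value }
- assert_not_equal value, assigns(:profile).info.acronym
+ assert_sanitized assigns(:profile).info.acronym
 end
 
 should 'filter html from legal_form organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :legal_form => value }
- assert_not_equal value, assigns(:profile).info.legal_form
+ assert_sanitized assigns(:profile).info.legal_form
 end
 
 should 'filter html from economic_activity organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :economic_activity => value }
- assert_not_equal value, assigns(:profile).info.economic_activity
+ assert_sanitized assigns(:profile).info.economic_activity
 end
 
 should 'filter html from management_information organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name <strong id='name_html_test'>with</strong> html"
 post :edit, :profile => org.identifier, :info => { :management_information => value }
- assert_not_equal value, assigns(:profile).info.management_information
+ assert_sanitized assigns(:profile).info.management_information
 end
 
 end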
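--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -135,6 +135,11 @@ class Test::Unit::TestCase
 assert_equal parent, child.superclass, "Class #{child} expected to be a subclass of #{parent}"
 end
 
+ # this check only if string has html tag
+ def assert_sanitized(string)
+ assert_no_match /<[^>]+\/?>/, string, "String #{string} expected to be sanitized"
+ end
+
 private
 
 def uses_host(name)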
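Review bot: `assert_sanitized` passes trivially when `string` is nil, because `assert_no_match` just evaluates the regexp against nil, so every call site this commit converts from `assert_not_equal` (consumed_products, enterprise_validation, manage_products, memberships, profile_editor and the new enterprise_registration tests) now also passes when the attribute was never assigned at all; add `assert_not_nil string, "expected a value to check for html"` before the match. Ruby also warns about the ambiguous first argument in `assert_no_match /<[^>]+\/?>/, …`, and the `\/?` is redundant because `[^>]+` already consumes a slash, so the line can read `assert_no_match(/<[^>]+>/, string, "String #{string} expected to be sanitized")`. The comment above the method is hard to parse; suggest `# asserts that string contains no HTML tag; it does not verify that escaping preserved the text`.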