Download as
Browse Code »

Commit 23b9a86393b7806070dc36c45d2fe79b96b26eaa

Authored by Victor Costa
1 parent cc9cebd9
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Sanitize HTML in event name

Showing 2 changed files with 9 additions and 1 deletions   Show diff stats
app/models/event.rb
  Diff comments   View file @23b9a86
... ... @@ -19,7 +19,7 @@ class Event < Article
19 19 maybe_add_http(self.setting[:link])
20 20 end
21 21  
22   - xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
  22 + xss_terminate :only => [ :name, :body, :link, :address ], :with => 'white_list', :on => 'validation'
23 23  
24 24 def initialize(*args)
25 25 super(*args)
... ...
test/unit/event_test.rb
  Diff comments   View file @23b9a86
... ... @@ -155,6 +155,14 @@ class EventTest < ActiveSupport::TestCase
155 155 assert_no_tag_in_string e.body, :tag => 'script'
156 156 end
157 157  
  158 + should 'filter HTML in name' do
  159 + profile = create_user('testuser').person
  160 + e = create(Event, :profile => profile, :name => '<p>a paragraph (valid)</p><script type="text/javascript">/* this is invalid */</script>"', :link => 'www.colivre.coop.br', :start_date => Date.today)
  161 +
  162 + assert_tag_in_string e.name, :tag => 'p', :content => 'a paragraph (valid)'
  163 + assert_no_tag_in_string e.name, :tag => 'script'
  164 + end
  165 +
158 166 should 'nil to link' do
159 167 e = Event.new
160 168 assert_nothing_raised TypeError do
... ...