Commit 23b9a86393b7806070dc36c45d2fe79b96b26eaa
1 parent
cc9cebd9
Exists in
master
and in
29 other branches
Sanitize HTML in event name
Showing
2 changed files
with
9 additions
and
1 deletions
Show diff stats
app/models/event.rb
... | ... | @@ -19,7 +19,7 @@ class Event < Article |
19 | 19 | maybe_add_http(self.setting[:link]) |
20 | 20 | end |
21 | 21 | |
22 | - xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation' | |
22 | + xss_terminate :only => [ :name, :body, :link, :address ], :with => 'white_list', :on => 'validation' | |
23 | 23 | |
24 | 24 | def initialize(*args) |
25 | 25 | super(*args) | ... | ... |
test/unit/event_test.rb
... | ... | @@ -155,6 +155,14 @@ class EventTest < ActiveSupport::TestCase |
155 | 155 | assert_no_tag_in_string e.body, :tag => 'script' |
156 | 156 | end |
157 | 157 | |
158 | + should 'filter HTML in name' do | |
159 | + profile = create_user('testuser').person | |
160 | + e = create(Event, :profile => profile, :name => '<p>a paragraph (valid)</p><script type="text/javascript">/* this is invalid */</script>"', :link => 'www.colivre.coop.br', :start_date => Date.today) | |
161 | + | |
162 | + assert_tag_in_string e.name, :tag => 'p', :content => 'a paragraph (valid)' | |
163 | + assert_no_tag_in_string e.name, :tag => 'script' | |
164 | + end | |
165 | + | |
158 | 166 | should 'nil to link' do |
159 | 167 | e = Event.new |
160 | 168 | assert_nothing_raised TypeError do | ... | ... |