diff --git a/app/models/event.rb b/app/models/event.rb
index dd0cfb1..bf64a65 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -6,6 +6,8 @@ class Event < Article
settings_items :link, :type => :string
settings_items :address, :type => :string
+ xss_terminate :only => [ :description ], :with => 'white_list'
+
validates_presence_of :title, :start_date
validates_each :start_date do |event,field,value|
@@ -77,10 +79,10 @@ class Event < Article
}
}
- html.div self.description
+ html.div '_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____'
}
- result
+ result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____', self.description)
end
def link=(value)
diff --git a/test/unit/event_test.rb b/test/unit/event_test.rb
index 4c2fee5..8932b9d 100644
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -149,6 +149,20 @@ class EventTest < ActiveSupport::TestCase
assert_equal 'http://www.gnu.org', a.link
end
+ should 'not escape HTML in description' do
+ a = Event.new(:description => 'a paragraph of text
', :link => 'www.gnu.org')
+
+ assert_match 'a paragraph of text
', a.to_html
+ end
+
+ should 'filter HTML in description' do
+ profile = create_user('testuser').person
+ e = Event.create!(:profile => profile, :name => 'test', :description => 'a paragraph (valid)
"', :link => 'www.colivre.coop.br', :start_date => Date.today)
+
+ assert_tag_in_string e.description, :tag => 'p', :content => 'a paragraph (valid)'
+ assert_no_tag_in_string e.description, :tag => 'script'
+ end
+
protected
def assert_tag_in_string(text, options)
@@ -157,4 +171,10 @@ class EventTest < ActiveSupport::TestCase
assert tag, "expected tag #{options.inspect}, but not found in #{text.inspect}"
end
+ def assert_no_tag_in_string(text, options)
+ doc = HTML::Document.new(text, false, false)
+ tag = doc.find(options)
+ assert !tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}"
+ end
+
end
--
libgit2 0.21.2