diff --git a/app/models/event.rb b/app/models/event.rb
index dd0cfb1..bf64a65 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -6,6 +6,8 @@ class Event < Article
 settings_items :link, :type => :string
 settings_items :address, :type => :string
 
+ xss_terminate :only => [ :description ], :with => 'white_list'
+
 validates_presence_of :title, :start_date
 
 validates_each :start_date do |event,field,value|
@@ -77,10 +79,10 @@ class Event < Article
 }
 }
 
- html.div self.description
+ html.div '_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____'
 }
 
- result
+ result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____', self.description)
 end
 
 def link=(value)
diff --git a/test/unit/event_test.rb b/test/unit/event_test.rb
index 4c2fee5..8932b9d 100644
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -149,6 +149,20 @@ class EventTest < ActiveSupport::TestCase
 assert_equal 'http://www.gnu.org', a.link
 end
 
+ should 'not escape HTML in description' do
+ a = Event.new(:description => '
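Review bot: The added `xss_terminate :only => [ :description ], :with => 'white_list'` filters the description only when the record is written, assuming xss_terminate runs as a before-save callback as its name suggests, while the next hunk makes to_html emit the description without escaping; the rendering path therefore trusts stored data. Events built in memory and never saved, and events persisted before this commit, render whatever markup their description holds, so either re-save existing events or filter again at render time rather than relying on the write path alone. Please also record that dependency next to the line, e.g. `# description is rendered unescaped by to_html; this filter is what keeps script out of it`.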
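Review bot: `result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____', self.description)` hands the description to String#sub as a replacement string, and Ruby expands backslash sequences such as `\0`, `\&` and `\\` in that argument, so a description containing them is rewritten (a `\0` turns into the placeholder text itself). It also raises TypeError when description is nil, which validates_presence_of does not rule out since it only covers title and start_date. Use the block form and coerce, `result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____') { self.description.to_s }`, and consider hoisting the placeholder into a frozen constant so the two literals cannot drift apart. The enclosing to_html method starts outside the hunk.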
a paragraph of text
', :link => 'www.gnu.org')
+
+ assert_match 'a paragraph of text
', a.to_html
+ end
+
+ should 'filter HTML in description' do
+ profile = create_user('testuser').person
+ e = Event.create!(:profile => profile, :name => 'test', :description => 'a paragraph (valid)
"', :link => 'www.colivre.coop.br', :start_date => Date.today)
+
+ assert_tag_in_string e.description, :tag => 'p', :content => 'a paragraph (valid)'
+ assert_no_tag_in_string e.description, :tag => 'script'
+ end
+
 protected
 
 def assert_tag_in_string(text, options)
@@ -157,4 +171,10 @@ class EventTest < ActiveSupport::TestCase
 assert tag, "expected tag #{options.inspect}, but not found in #{text.inspect}"
 end
 
+ def assert_no_tag_in_string(text, options)
+ doc = HTML::Document.new(text, false, false)
+ tag = doc.find(options)
+ assert !tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}"
+ end
+
 end
-- libgit2 0.21.2
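Review bot: 'filter HTML in description' asserts on `e.description` only, so the behaviour the model change is actually about, the filtered description reaching to_html unescaped, is not exercised; add `assert_no_tag_in_string e.to_html, :tag => 'script'` to the same test. 'not escape HTML in description' passes its description through Event.new without saving, which also documents that an unsaved event renders whatever markup it was given. The literal markup in both fixtures is not fully legible in this rendering of the patch, so I cannot check which tags they contain.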
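Review bot: `assert !tag, ...` in assert_no_tag_in_string reads better as `assert_nil tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}"`, which should also print the offending node when it fails. The helper repeats the `HTML::Document.new(text, false, false)` and `doc.find(options)` pair that assert_tag_in_string appears to use; a shared `find_tag_in_string(text, options)` would keep the parser settings of the two assertions in step. assert_tag_in_string's body begins outside the hunk.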