From 30af88087b172d9fb46bc7ffbabe26be0af7cdb0 Mon Sep 17 00:00:00 2001
From: AntonioTerceiro <AntonioTerceiro@3f533792-8f58-4932-b0fe-aaf55b0a4547>
Date: Fri, 13 Jun 2008 20:44:44 +0000
Subject: [PATCH] ActionItem435: not escaping HTML

---
 app/models/event.rb     |  6 ++++--
 test/unit/event_test.rb | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/app/models/event.rb b/app/models/event.rb
index dd0cfb1..bf64a65 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -6,6 +6,8 @@ class Event < Article
   settings_items :link, :type => :string
   settings_items :address, :type => :string
 
+  xss_terminate :only => [ :description ], :with => 'white_list'
+
   validates_presence_of :title, :start_date
 
   validates_each :start_date do |event,field,value|
@@ -77,10 +79,10 @@ class Event < Article
         }
       }
 
-      html.div self.description
+      html.div '_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____'
     }
 
-    result
+    result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____', self.description)
   end
 
   def link=(value)
diff --git a/test/unit/event_test.rb b/test/unit/event_test.rb
index 4c2fee5..8932b9d 100644
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -149,6 +149,20 @@ class EventTest < ActiveSupport::TestCase
     assert_equal 'http://www.gnu.org', a.link
   end
 
+  should 'not escape HTML in description' do
+    a = Event.new(:description => '<p>a paragraph of text</p>', :link => 'www.gnu.org')
+
+    assert_match '<p>a paragraph of text</p>', a.to_html
+  end
+
+  should 'filter HTML in description' do
+    profile = create_user('testuser').person
+    e = Event.create!(:profile => profile, :name => 'test', :description => '<p>a paragraph (valid)</p><script type="text/javascript">/* this is invalid */</script>"', :link => 'www.colivre.coop.br', :start_date => Date.today)
+
+    assert_tag_in_string e.description, :tag => 'p', :content => 'a paragraph (valid)'
+    assert_no_tag_in_string e.description, :tag => 'script'
+  end
+
   protected
 
   def assert_tag_in_string(text, options)
@@ -157,4 +171,10 @@ class EventTest < ActiveSupport::TestCase
     assert tag, "expected tag #{options.inspect}, but not found in #{text.inspect}"
   end
 
+  def assert_no_tag_in_string(text, options)
+    doc = HTML::Document.new(text, false, false)
+    tag = doc.find(options)
+    assert !tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}"
+  end
+
 end
--
libgit2 0.21.2