From 30af88087b172d9fb46bc7ffbabe26be0af7cdb0 Mon Sep 17 00:00:00 2001
From: AntonioTerceiro
Date: Fri, 13 Jun 2008 20:44:44 +0000
Subject: [PATCH] ActionItem435: not escaping HTML

---
 app/models/event.rb | 6 ++++--
 test/unit/event_test.rb | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/app/models/event.rb b/app/models/event.rb
index dd0cfb1..bf64a65 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -6,6 +6,8 @@ class Event < Article
 settings_items :link, :type => :string
 settings_items :address, :type => :string
+ xss_terminate :only => [ :description ], :with => 'white_list'
+
 validates_presence_of :title, :start_date
 validates_each :start_date do |event,field,value|
@@ -77,10 +79,10 @@ class Event < Article
 }
 }
- html.div self.description
+ html.div '_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____'
 }
- result
+ result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____', self.description)
 end
 def link=(value)
diff --git a/test/unit/event_test.rb b/test/unit/event_test.rb
index 4c2fee5..8932b9d 100644
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -149,6 +149,20 @@ class EventTest < ActiveSupport::TestCase
 assert_equal 'http://www.gnu.org', a.link
 end
+ should 'not escape HTML in description' do
+ a = Event.new(:description => '
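Review bot: `xss_terminate :only => [ :description ], :with => 'white_list'` runs only when the record is saved, so the white-list filter is never applied to an Event that is rendered without being persisted (the new 'not escape HTML in description' test does exactly that with `Event.new(...).to_html`), and any description stored before this commit keeps whatever markup it already holds. That contract deserves a comment beside the macro, e.g. `# description is emitted unescaped by to_html; this save-time white_list filter is the only barrier against script/event-handler markup, so never render an unsaved or pre-existing description as trusted`. If descriptions were accepted before this change, a one-off re-save of existing events after deploying would bring them under the filter; which tags and attributes 'white_list' permits cannot be checked from this hunk. The enclosing class continues outside the hunk.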
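Review bot: `result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____', self.description)` hands user-controlled text to `String#sub` as the replacement string, and Ruby interprets backslash sequences there: `\0`/`\&` expand to the placeholder itself, `` \` `` and `\'` splice in everything before or after the placeholder (duplicating the rest of the rendered page), and `\\` collapses to a single backslash, so the stored description is rewritten on output. Use the block form so the text is inserted literally: `result.sub('_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____') { self.description.to_s }`; the `.to_s` also keeps a nil description (only `title` and `start_date` are validated as present) from raising `TypeError`, where the removed `html.div self.description` presumably tolerated nil. The sentinel is spelled out twice; a frozen constant such as `DESCRIPTION_PLACEHOLDER = '_____XXXX_DESCRIPTION_GOES_HERE_XXXX_____'` would keep the two copies from drifting. The `to_html` method this hunk edits starts outside the hunk.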

a paragraph of text

', :link => 'www.gnu.org')
+
+ assert_match '

a paragraph of text

', a.to_html
+ end
+
+ should 'filter HTML in description' do
+ profile = create_user('testuser').person
+ e = Event.create!(:profile => profile, :name => 'test', :description => '

a paragraph (valid)

"', :link => 'www.colivre.coop.br', :start_date => Date.today)
+
+ assert_tag_in_string e.description, :tag => 'p', :content => 'a paragraph (valid)'
+ assert_no_tag_in_string e.description, :tag => 'script'
+ end
+
 protected
 def assert_tag_in_string(text, options)
@@ -157,4 +171,10 @@ class EventTest < ActiveSupport::TestCase
 assert tag, "expected tag #{options.inspect}, but not found in #{text.inspect}"
 end
+ def assert_no_tag_in_string(text, options)
+ doc = HTML::Document.new(text, false, false)
+ tag = doc.find(options)
+ assert !tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}"
+ end
+
 end
-- 
libgit2 0.21.2
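Review bot: Neither new test checks the rendered output of a saved event: the 'not escape HTML in description' case calls `to_html` on an unsaved `Event.new`, which never passes through `xss_terminate`, and the 'filter HTML in description' case asserts only on `e.description`, not on what `to_html` emits. Add `assert_no_tag_in_string e.to_html, :tag => 'script'` and `assert_tag_in_string e.to_html, :tag => 'p', :content => 'a paragraph (valid)'` to the filter case so the test pins what actually reaches the browser. The HTML inside both `:description` literals appears to have been stripped from this rendering of the patch, so the exact markup under test cannot be read here.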
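Review bot: `assert !tag` in `assert_no_tag_in_string` throws away the node that was found; `assert_nil tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}"` states the intent and lets the framework report the offending value on failure. Note also that `HTML::Document.new(text, false, false)` is a lenient parse, so a passing `assert_no_tag_in_string` shows the tag is absent from the tree this parser builds, not necessarily from what a browser would reconstruct out of malformed markup; for the sanitizer test that is acceptable as long as the rendered `to_html` is checked as well.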