Commit 4075f24dc1d96791bc361c336efd459a26ffdcd6
1 parent
92476194
Exists in
master
and in
20 other branches
newsletter: whitelist only text for article in newsletter
The only image for an article in the newsletter has to be the article's image. The lead for the article also can't have any paragraph or other crazy stuff. Instead of manually using gsub to remove undesired tags, I'm using ActionView::Helpers::SanitizeHelper#sanitize and whitelisting only tags for emphasis in text.
Showing
2 changed files
with
20 additions
and
9 deletions
Show diff stats
plugins/newsletter/lib/newsletter_plugin/newsletter.rb
| ... | ... | @@ -123,11 +123,11 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord |
| 123 | 123 | end |
| 124 | 124 | |
| 125 | 125 | def post_with_image(post) |
| 126 | - content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info'])) | |
| 126 | + content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info'])) | |
| 127 | 127 | end |
| 128 | 128 | |
| 129 | 129 | def post_without_image(post) |
| 130 | - content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info'])) | |
| 130 | + content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info'])) | |
| 131 | 131 | end |
| 132 | 132 | |
| 133 | 133 | def body(data = {}) |
| ... | ... | @@ -177,10 +177,6 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord |
| 177 | 177 | last_mailing.nil? ? nil : last_mailing.created_at |
| 178 | 178 | end |
| 179 | 179 | |
| 180 | - def sanitize(html) | |
| 181 | - html.gsub(/<\/?p>/, '') | |
| 182 | - end | |
| 183 | - | |
| 184 | 180 | def has_posts_in_the_period? |
| 185 | 181 | ! self.posts.empty? |
| 186 | 182 | end | ... | ... |
plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
| ... | ... | @@ -351,15 +351,30 @@ EOS |
| 351 | 351 | post = fast_create(TextArticle, :parent_id => blog.id, |
| 352 | 352 | :name => 'the last news 1', |
| 353 | 353 | :profile_id => community.id, |
| 354 | - :body => "<p>paragraph of news</p>") | |
| 354 | + :body => '<p style="text-align: left;">paragraph of news</p>') | |
| 355 | 355 | |
| 356 | 356 | newsletter = NewsletterPlugin::Newsletter.create!( |
| 357 | 357 | :environment => environment, |
| 358 | 358 | :blog_ids => [blog.id], |
| 359 | 359 | :person => fast_create(Person)) |
| 360 | 360 | |
| 361 | - assert_match /<p>paragraph of news<\/p>/, post.body | |
| 362 | - assert_not_match /<p>paragraph of news<\/p>/, newsletter.body | |
| 361 | + assert_match /<p style="text-align: left;">paragraph of news<\/p>/, post.body | |
| 362 | + assert_not_match /<p style="text-align: left;">paragraph of news<\/p>/, newsletter.body | |
| 363 | + end | |
| 364 | + | |
| 365 | + should 'only include text for posts in HTML generated content' do | |
| 366 | + environment = fast_create Environment | |
| 367 | + community = fast_create(Community, :environment_id => environment.id) | |
| 368 | + blog = fast_create(Blog, :profile_id => community.id) | |
| 369 | + post = fast_create(TextArticle, :profile_id => community.id, :parent_id => blog.id, :name => 'the last news', :abstract => 'A picture<img src="example.png"> is <em>worth</em> a thousand words. <hr><h1>The main goals of visualization</h1>') | |
| 370 | + newsletter = NewsletterPlugin::Newsletter.create!( | |
| 371 | + :environment => environment, | |
| 372 | + :blog_ids => [blog.id], | |
| 373 | + :person => fast_create(Person)) | |
| 374 | + | |
| 375 | + assert_match /A picture<img src="example.png"> is <em>worth<\/em> a thousand words. <hr><h1>The main goals of visualization<\/h1>/, post.abstract | |
| 376 | + # Tags for text emphasis are whitelisted | |
| 377 | + assert_match /A picture is <em>worth<\/em> a thousand words. The main goals of visualization/, newsletter.body | |
| 363 | 378 | end |
| 364 | 379 | |
| 365 | 380 | should 'filter posts when listing posts for newsletter' do | ... | ... |
-
mentioned in commit ea7f92201154aa30d2677a38752593711b4eb363
