From 4075f24dc1d96791bc361c336efd459a26ffdcd6 Mon Sep 17 00:00:00 2001
From: Larissa Reis <larissa@colivre.coop.br>
Date: Wed, 7 Oct 2015 14:05:55 -0300
Subject: [PATCH] newsletter: whitelist only text for article in newsletter

---
 plugins/newsletter/lib/newsletter_plugin/newsletter.rb            |  8 ++------
 plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb | 21 ++++++++++++++++++---
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/plugins/newsletter/lib/newsletter_plugin/newsletter.rb b/plugins/newsletter/lib/newsletter_plugin/newsletter.rb
index 6648751..7a7fe05 100644
--- a/plugins/newsletter/lib/newsletter_plugin/newsletter.rb
+++ b/plugins/newsletter/lib/newsletter_plugin/newsletter.rb
@@ -123,11 +123,11 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord
   end
 
   def post_with_image(post)
-    content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info']))
+    content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info']))
   end
 
   def post_without_image(post)
-    content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info']))
+    content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info']))
   end
 
   def body(data = {})
@@ -177,10 +177,6 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord
     last_mailing.nil? ? nil : last_mailing.created_at
   end
 
-  def sanitize(html)
-    html.gsub(/<\/?p>/, '')
-  end
-
   def has_posts_in_the_period?
     ! self.posts.empty?
   end
diff --git a/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb b/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
index e5d9b3b..47bebd5 100644
--- a/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
+++ b/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
@@ -351,15 +351,30 @@ EOS
     post = fast_create(TextArticle, :parent_id => blog.id,
                 :name => 'the last news 1',
                 :profile_id => community.id,
-                :body => "<p>paragraph of news</p>")
+                :body => '<p style="text-align: left;">paragraph of news</p>')
 
     newsletter = NewsletterPlugin::Newsletter.create!(
       :environment => environment,
       :blog_ids => [blog.id],
       :person => fast_create(Person))
 
-    assert_match /<p>paragraph of news<\/p>/, post.body
-    assert_not_match /<p>paragraph of news<\/p>/, newsletter.body
+    assert_match /<p style="text-align: left;">paragraph of news<\/p>/, post.body
+    assert_not_match /<p style="text-align: left;">paragraph of news<\/p>/, newsletter.body
+  end
+
+  should 'only include text for posts in HTML generated content' do
+    environment = fast_create Environment
+    community = fast_create(Community, :environment_id => environment.id)
+    blog = fast_create(Blog, :profile_id => community.id)
+    post = fast_create(TextArticle, :profile_id => community.id, :parent_id => blog.id, :name => 'the last news', :abstract => 'A picture<img src="example.png"> is <em>worth</em> a thousand words. <hr><h1>The main goals of visualization</h1>')
+    newsletter = NewsletterPlugin::Newsletter.create!(
+      :environment => environment,
+      :blog_ids => [blog.id],
+      :person => fast_create(Person))
+
+    assert_match /A picture<img src="example.png"> is <em>worth<\/em> a thousand words. <hr><h1>The main goals of visualization<\/h1>/, post.abstract
+    # Tags for text emphasis are whitelisted
+    assert_match /A picture is <em>worth<\/em> a thousand words. The main goals of visualization/, newsletter.body
   end
 
   should 'filter posts when listing posts for newsletter' do
--
libgit2 0.21.2