Commit 40d16f5fbc3f07eb65608cba3961d05e51019f87
Committed by
Daniela Feitosa
Daniela Feitosa
1 parent
6c59ac4a
Always sanitize HTML in header and footer
Showing
2 changed files
with
19 additions
and
3 deletions
Show diff stats
app/models/profile.rb
| ... | ... | @@ -382,7 +382,7 @@ class Profile < ActiveRecord::Base |
| 382 | 382 | end |
| 383 | 383 | |
| 384 | 384 | xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation' |
| 385 | - xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation' | |
| 385 | + xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list' | |
| 386 | 386 | |
| 387 | 387 | include WhiteListFilter |
| 388 | 388 | filter_iframes :custom_header, :custom_footer, :whitelist => lambda { environment && environment.trusted_sites_for_iframe } | ... | ... |
test/unit/profile_test.rb
| ... | ... | @@ -839,6 +839,14 @@ class ProfileTest < ActiveSupport::TestCase |
| 839 | 839 | assert_equal 'environment footer', profile.custom_footer |
| 840 | 840 | end |
| 841 | 841 | |
| 842 | + should 'sanitize custom header and footer' do | |
| 843 | + p = fast_create(Profile) | |
| 844 | + script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>' | |
| 845 | + p.update_header_and_footer(script_kiddie_code, script_kiddie_code) | |
| 846 | + assert_no_tag_in_string p.custom_header, tag: 'script' | |
| 847 | + assert_no_tag_in_string p.custom_footer, tag: 'script' | |
| 848 | + end | |
| 849 | + | |
| 842 | 850 | should 'store theme' do |
| 843 | 851 | p = Profile.new(:theme => 'my-shiny-theme') |
| 844 | 852 | assert_equal 'my-shiny-theme', p.theme |
| ... | ... | @@ -1554,8 +1562,6 @@ class ProfileTest < ActiveSupport::TestCase |
| 1554 | 1562 | profile.address = "<h1><</h2< Malformed >> html >< tag" |
| 1555 | 1563 | profile.contact_phone = "<h1<< Malformed ><>>> html >< tag" |
| 1556 | 1564 | profile.description = "<h1<a> Malformed >> html ></a>< tag" |
| 1557 | - profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag" | |
| 1558 | - profile.custom_footer = "<h1> Malformed <><< html ></a>< tag" | |
| 1559 | 1565 | profile.valid? |
| 1560 | 1566 | |
| 1561 | 1567 | assert_no_match /[<>]/, profile.name |
| ... | ... | @@ -1567,6 +1573,16 @@ class ProfileTest < ActiveSupport::TestCase |
| 1567 | 1573 | assert_no_match /[<>]/, profile.custom_footer |
| 1568 | 1574 | end |
| 1569 | 1575 | |
| 1576 | + should 'escape malformed html tags in header and footer' do | |
| 1577 | + profile = fast_create(Profile) | |
| 1578 | + profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag" | |
| 1579 | + profile.custom_footer = "<h1> Malformed <><< html ></a>< tag" | |
| 1580 | + profile.save | |
| 1581 | + | |
| 1582 | + assert_no_match /[<>]/, profile.custom_header | |
| 1583 | + assert_no_match /[<>]/, profile.custom_footer | |
| 1584 | + end | |
| 1585 | + | |
| 1570 | 1586 | should 'not sanitize html comments' do |
| 1571 | 1587 | profile = Profile.new |
| 1572 | 1588 | profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>' | ... | ... |