Commit 40d16f5fbc3f07eb65608cba3961d05e51019f87

Authored by Antonio Terceiro
Committed by Daniela Feitosa
1 parent 6c59ac4a

Always sanitize HTML in header and footer

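--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -382,7 +382,7 @@ class Profile < ActiveRecord::Base
 end
 
 xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
-xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 
 include WhiteListFilter
 filter_iframes :custom_header, :custom_footer, :whitelist => lambda { environment && environment.trusted_sites_for_iframe }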
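Review bot: Dropping `:on => 'validation'` moves the white_list pass to the save path, but nothing here cleans rows persisted before this change, and writes that skip callbacks (`update_column`, `update_all`, raw SQL) are still unfiltered, so the title's "always" holds only for callback-driven saves. If stored header/footer are meant to be safe to render verbatim, a one-off migration that re-saves existing profiles is needed, and the views should keep sanitizing on output as defense in depth. The order of this callback relative to `filter_iframes` on the following line also decides whether the white_list strips iframes before the trusted-site check can run; I cannot tell the order from the hunk, so a comment such as `# runs before filter_iframes: white_list must keep <iframe> for trusted_sites_for_iframe to matter` (adjusted to the actual order) would document the dependency. The enclosing class continues outside the hunk.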
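--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -839,6 +839,14 @@ class ProfileTest < ActiveSupport::TestCase
 assert_equal 'environment footer', profile.custom_footer
 end
 
+should 'sanitize custom header and footer' do
+p = fast_create(Profile)
+script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>'
+p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+assert_no_tag_in_string p.custom_header, tag: 'script'
+assert_no_tag_in_string p.custom_footer, tag: 'script'
+end
+
 should 'store theme' do
 p = Profile.new(:theme => 'my-shiny-theme')
 assert_equal 'my-shiny-theme', p.theme
@@ -1554,8 +1562,6 @@ class ProfileTest < ActiveSupport::TestCase
 profile.address = "<h1><</h2< Malformed >> html >< tag"
 profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
 profile.description = "<h1<a> Malformed >> html ></a>< tag"
-profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
-profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
 profile.valid?
 
 assert_no_match /[<>]/, profile.name
@@ -1567,6 +1573,16 @@ class ProfileTest < ActiveSupport::TestCase
 assert_no_match /[<>]/, profile.custom_footer
 end
 
+should 'escape malformed html tags in header and footer' do
+profile = fast_create(Profile)
+profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+profile.save
+
+assert_no_match /[<>]/, profile.custom_header
+assert_no_match /[<>]/, profile.custom_footer
+end
+
 should 'not sanitize html comments' do
 profile = Profile.new
 profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>'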
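Review bot: The `assert_no_match /[<>]/, profile.custom_footer` at new line 1573 (and, presumably, its custom_header twin just above the third hunk) is now vacuous: the second hunk removed the assignments to those two attributes from the same test, so they are nil there and `/[<>]/ =~ nil` is nil, which passes without checking anything. Drop those two assertions, since the new 'escape malformed html tags in header and footer' test is where that coverage now lives. In that new test, `profile.save` at 1580 should be `assert profile.save` so a validation failure is reported as such rather than as a sanitization regression, and the 'sanitize custom header and footer' test would be stronger if it also asserted on an event-handler attribute or a `javascript:` URL, not only a `<script>` element, since those are the usual escape routes past an element white list. The test that the second hunk edits starts before the hunk.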