From 68421866677f3b63228687ce54e55b4db19fad41 Mon Sep 17 00:00:00 2001
From: JoenioCosta
Date: Tue, 22 Apr 2008 21:31:16 +0000
Subject: [PATCH] ActionItem192: filtering html input user from validation info

---
 app/controllers/my_profile/enterprise_validation_controller.rb | 11 +++++++++++
 test/functional/enterprise_validation_test.rb                  | 18 +++++++++++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/app/controllers/my_profile/enterprise_validation_controller.rb b/app/controllers/my_profile/enterprise_validation_controller.rb
index c34a6d0..70ff146 100644
--- a/app/controllers/my_profile/enterprise_validation_controller.rb
+++ b/app/controllers/my_profile/enterprise_validation_controller.rb
@@ -60,4 +60,15 @@ class EnterpriseValidationController < MyProfileController
     end
   end
 
+  private
+
+  require 'erb'
+  include ERB::Util
+  def sanitize
+    if params[:info]
+      params[:info][:validation_methodology] = html_escape(params[:info][:validation_methodology]) if params[:info][:validation_methodology]
+      params[:info][:restrictions] = html_escape(params[:info][:restrictions]) if params[:info][:restrictions]
+    end
+  end
+
 end
diff --git a/test/functional/enterprise_validation_test.rb b/test/functional/enterprise_validation_test.rb
index d51f8ec..f00f7db 100644
--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -104,7 +104,7 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
   should 'save an alteration of the validation info' do
     info = ValidationInfo.new(:validation_methodology => 'none')
     @org.expects(:validation_info).returns(info)
-    post :edit_validation_info, :profile => 'myorg', :validation_info => {:validatin_methodology => 'new methodaology'}
+    post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
 
     assert_response :redirect
     assert_redirected_to :action => 'index'
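Review bot: `sanitize` is defined in this hunk but nothing in it registers the method as a filter or calls it, so unless a `before_filter :sanitize` already exists elsewhere in the class (outside the hunk) the escaping never runs on `edit_validation_info`; add `before_filter :sanitize, :only => [:edit_validation_info]` next to the class's other filters. Escaping at input also means the stored `validation_methodology` and `restrictions` values are entity-encoded text rather than what the user typed, so any view that escapes on output (`h(...)`) will double-escape them; escaping at render time is the usual place, and if storing the escaped form is intended, a comment such as `# stored HTML-escaped by sanitize; do not escape again in views` should say so on the model or the action. `require 'erb'` in the middle of the class body is unusual; move it to the top of the file, and note that the bare `private` above it only affects the methods defined after it, not the `include`. The enclosing class starts outside the hunk.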
@@ -120,4 +120,20 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
     assert_equal info, assigns(:info)
   end
 
+  should 'filter html from methodology of the validation info' do
+    info = ValidationInfo.new(:validation_methodology => 'none')
+    @org.expects(:validation_info).returns(info)
+    post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
+
+    assert_not_equal assigns(:info).validation_methodology, 'new methodology'
+  end
+
+  should 'filter html from restriction of the validation info' do
+    info = ValidationInfo.new(:validation_methodology => 'none')
+    @org.expects(:validation_info).returns(info)
+    post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new methodology'}
+
+    assert_not_equal assigns(:info).restrictions, 'new methodology'
+  end
+
 end
-- 
libgit2 0.21.2
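Review bot: Both new tests post the literal `'new methodology'`, which contains no HTML, so `html_escape` returns it unchanged and the `assert_not_equal` on the following line cannot pass; the markup was presumably lost when this page was rendered, but if the literal really is plain text the fixture needs an actual tag in it. Asserting inequality also proves little about the filter: assert the exact escaped result instead, e.g. post `'<b>new methodology</b>'` and check `assert_equal '&lt;b&gt;new methodology&lt;/b&gt;', assigns(:info).validation_methodology` (constructed example), which also puts the expected value first as the assertion API intends. The same applies to the restrictions test later in this hunk. The enclosing test class starts outside the hunk.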