Commit 68421866677f3b63228687ce54e55b4db19fad41

Authored by JoenioCosta
1 parent 6d246d56

ActionItem192: filtering html from user input in validation info

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1679 3f533792-8f58-4932-b0fe-aaf55b0a4547
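--- a/app/controllers/my_profile/enterprise_validation_controller.rb
+++ b/app/controllers/my_profile/enterprise_validation_controller.rb
@@ -60,4 +60,15 @@ class EnterpriseValidationController < MyProfileController
 end
 end
 
+private
+
+require 'erb'
+include ERB::Util
+def sanitize
+if params[:info]
+params[:info][:validation_methodology] = html_escape(params[:info][:validation_methodology]) if params[:info][:validation_methodology]
+params[:info][:restrictions] = html_escape(params[:info][:restrictions]) if params[:info][:restrictions]
+end
+end
+
 end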
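Review bot: `sanitize` is defined in this hunk but nothing here registers it to run before `edit_validation_info`, so unless a `before_filter :sanitize` already exists near the top of the class (outside the hunk) the new escaping never executes; adding `before_filter :sanitize, :only => [:edit_validation_info]` next to the class-level declarations would close that gap. Escaping at input time with `html_escape` stores the encoded form, so any view that renders these fields through `h()` will double-escape them, and records saved before this change presumably remain unescaped; escaping at render time, or a real HTML sanitizer if the intent is to strip tags as the test names suggest, is the more conventional fix. `require 'erb'` and `include ERB::Util` sit under `private`, which is harmless for `include` but reads as if they were private methods; moving them to the top of the class would be clearer. The class header is outside the hunk.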
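--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -104,7 +104,7 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
 should 'save an alteration of the validation info' do
 info = ValidationInfo.new(:validation_methodology => 'none')
 @org.expects(:validation_info).returns(info)
-post :edit_validation_info, :profile => 'myorg', :validation_info => {:validatin_methodology => 'new methodaology'}
+post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
 
 assert_response :redirect
 assert_redirected_to :action => 'index'
@@ -120,4 +120,20 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
 assert_equal info, assigns(:info)
 end
 
+should 'filter html from methodology of the validation info' do
+info = ValidationInfo.new(:validation_methodology => 'none')
+@org.expects(:validation_info).returns(info)
+post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new <b>methodology</b>'}
+
+assert_not_equal assigns(:info).validation_methodology, 'new <b>methodology</b>'
+end
+
+should 'filter html from restriction of the validation info' do
+info = ValidationInfo.new(:validation_methodology => 'none')
+@org.expects(:validation_info).returns(info)
+post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new <b>methodology</b>'}
+
+assert_not_equal assigns(:info).restrictions, 'new <b>methodology</b>'
+end
+
 end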
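Review bot: The two new tests only assert that the stored value differs from the raw input, which also passes when the attribute is nil or still holds its old value; in the restrictions test `info` is built without `:restrictions`, so `assigns(:info).restrictions` is nil and the assertion holds even if the controller never touches that field. Pin the expected escaped output instead: `assert_equal 'new &lt;b&gt;methodology&lt;/b&gt;', assigns(:info).validation_methodology`, and the same form for `restrictions`. The first hunk's change from `:validation_info => {:validatin_methodology ...}` to `:info => {:validation_methodology ...}` appears to fix a test that was posting a key the action ignores, which is worth a line in the commit message.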