Commit 68833fe4dcbf02cddcef22e2cae774a36e327115

Authored by JoenioCosta
1 parent 224e08e5

ActionItem192: added before_filter to sanitize user input

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1673 3f533792-8f58-4932-b0fe-aaf55b0a4547
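--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -40,6 +40,9 @@ class ApplicationController < ActionController::Base
 verify :method => :post, :only => actions, :redirect_to => redirect
 end
 
+# to sanitize params[...] add method sanitize to controller
+before_filter :sanitize
+
 protected
 
 # TODO: move this logic somewhere else (Domain class?)
@@ -112,5 +115,10 @@ class ApplicationController < ActionController::Base
 end
 end
 
+private
+
+def sanitize
+# dont sanitize anything for default
+end
 
 end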
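Review bot: The default `sanitize` added at line 120 is a silent no-op, so any controller that never overrides it runs all of its actions with params untouched, and the only statement of that contract is the one-line comment above `before_filter :sanitize` at line 43. I would document the hook on the method itself so an overrider knows what is expected: `# Hook run by before_filter :sanitize on every action; subclasses override it to escape or normalise the params they accept. The default leaves params unchanged.` The comment at line 121 also reads better as `# no sanitizing by default`. Note that `sanitize` sits under `private` while the existing helpers live under `protected`; the filter works either way, but the split visibility sections are easy to misread.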
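--- a/app/controllers/public/content_viewer_controller.rb
+++ b/app/controllers/public/content_viewer_controller.rb
@@ -67,4 +67,16 @@ class ContentViewerController < PublicController
 redirect_to :action => 'view_page'
 end
 
+private
+
+include ERB::Util
+
+def sanitize
+if params[:comment]
+if params[:comment][:body]
+params[:comment][:body] = html_escape(params[:comment][:body])
+end
+end
+end
+
 end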
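Review bot: Only `params[:comment][:body]` is escaped at line 77, while the comment title that the same form submits (the new test posts `:title => 'html comment'` next to the body) reaches the model unescaped, so the filter covers half of the untrusted fields it is meant to cover. The nested `if`s can collapse and the title be handled on one more line: `params[:comment][:title] = html_escape(params[:comment][:title]) if params[:comment][:title]`. A request whose `comment` parameter arrives as a scalar rather than a hash would make `params[:comment][:body]` raise instead of being ignored; guarding with `params[:comment].is_a?(Hash)` keeps the filter from turning malformed input into a 500. Escaping at input time also persists entity-encoded text, so if the comment templates already escape on output the stored body will render double-escaped — worth confirming against the views before relying on this approach. The `private` at line 70 has no effect on the `include ERB::Util` below it; visibility markers only apply to method definitions.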
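--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -187,4 +187,12 @@ class ContentViewerControllerTest < Test::Unit::TestCase
 assert_tag :tag => 'div', :attributes => { :class => 'post_comment_box opened' }
 end
 
+should 'filter html content from body' do
+login_as @profile.identifier
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+post :view_page, :profile => @profile.identifier, :page => [ 'myarticle' ],
+:comment => { :title => 'html comment', :body => "this is a <strong id='html_test_comment'>html comment</strong>" }
+assert_no_tag :tag => 'strong', :attributes => { :id => 'html_test_comment' }
+end
+
 end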
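Review bot: The only assertion, `assert_no_tag :tag => 'strong'` at line 195, passes vacuously whenever the comment is not rendered at all — a failed save, a redirect, or a page that does not list comments — so the test cannot tell "escaped" from "dropped". Pair it with a positive check that the escaped text reached the page, e.g. `assert_tag :content => /html_test_comment/`. The local `page` at line 192 is assigned and never read; either drop the assignment or use it to derive the `:page` argument instead of repeating `'myarticle'`. Line 192 also calls bare `profile` while the surrounding lines use `@profile`; presumably a test helper returning the same record, but worth confirming so the article is created under the profile that is logged in.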