From 68833fe4dcbf02cddcef22e2cae774a36e327115 Mon Sep 17 00:00:00 2001
From: JoenioCosta
Date: Tue, 22 Apr 2008 15:31:32 +0000
Subject: [PATCH] ActionItem192: added before_filter to sanitize user input
---
 app/controllers/application.rb | 8 ++++++++
 app/controllers/public/content_viewer_controller.rb | 12 ++++++++++++
 test/functional/content_viewer_controller_test.rb | 8 ++++++++
 3 files changed, 28 insertions(+), 0 deletions(-)
diff --git a/app/controllers/application.rb b/app/controllers/application.rb
index 26c9e4a..97ad913 100644
--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -40,6 +40,9 @@ class ApplicationController < ActionController::Base
     verify :method => :post, :only => actions, :redirect_to => redirect
   end
+  # to sanitize params[...] add method sanitize to controller
+  before_filter :sanitize
+
   protected
   # TODO: move this logic somewhere else (Domain class?)
@@ -112,5 +115,10 @@ class ApplicationController < ActionController::Base
     end
   end
+  private
+  def sanitize
+    # dont sanitize anything for default
+  end
 end
diff --git a/app/controllers/public/content_viewer_controller.rb b/app/controllers/public/content_viewer_controller.rb
index f6dc9ea..961ce59 100644
--- a/app/controllers/public/content_viewer_controller.rb
+++ b/app/controllers/public/content_viewer_controller.rb
@@ -67,4 +67,16 @@ class ContentViewerController < PublicController
     redirect_to :action => 'view_page'
   end
+  private
+  include ERB::Util
+  def sanitize
+    if params[:comment]
+      if params[:comment][:body]
+        params[:comment][:body] = html_escape(params[:comment][:body])
+      end
+    end
+  end
+
 end
diff --git a/test/functional/content_viewer_controller_test.rb b/test/functional/content_viewer_controller_test.rb
index aff28a2..87638f0 100644
--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
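Review bot: The comment above `before_filter :sanitize` does not say what an overriding controller is expected to do, nor that the default implementation further down is a no-op, so a reader of this hunk sees a global filter with no visible effect. Because it is declared on ApplicationController it runs before every action of every controller, on GET as well as POST, so any override must tolerate the relevant params being absent. I would replace the comment with `# Runs before every action in every controller. The default #sanitize (private, below) is a no-op; a controller that accepts user-supplied text overrides it to escape or normalise its own params.` The filter's target method is defined in the next hunk, outside this one.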
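Review bot: The default `sanitize` body carries only `# dont sanitize anything for default`, which has a typo and does not state that the method exists to be overridden, so a subclass author has to find the `before_filter` declaration earlier in the file to understand why it is here. Making it `private` is fine since `before_filter` dispatches by name, but an override in a subclass must keep the same arity (none) or the filter will raise at request time; that is worth saying. I would write the comment as `# Override point for the sanitize before_filter declared above. Intentionally a no-op here: controllers that accept user-supplied text escape or normalise their own params in their override; keep the zero-argument signature.`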
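Review bot: `sanitize` escapes `params[:comment][:body]` before the comment is created, so what gets persisted is already entity-encoded; any view, feed or API that escapes comment bodies again on output will double-encode them, and any other code path that creates comments (if one exists) bypasses this filter entirely, which is why escaping at render time with `h`/`html_escape` is the more robust place for this. Only `:body` is escaped: the test added in this same commit posts `:title => 'html comment'` in the same hash and the title is left untouched, so if the title is rendered unescaped it remains an HTML injection vector. Within the current design the minimal fix is to add `params[:comment][:title] = html_escape(params[:comment][:title]) if params[:comment][:title]` next to the body line. `html_escape` calls `to_s` on its argument, so a client posting `comment[body][]=...` yields an Array that is stringified rather than rejected; harmless as far as I can tell, but a reviewer should confirm the model does not expect a String. As a point of style, `include ERB::Util` is unaffected by the preceding `private` and would conventionally sit at the top of the class.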
@@ -187,4 +187,12 @@ class ContentViewerControllerTest < Test::Unit::TestCase
     assert_tag :tag => 'div', :attributes => { :class => 'post_comment_box opened' }
   end
+  should 'filter html content from body' do
+    login_as @profile.identifier
+    page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+    post :view_page, :profile => @profile.identifier, :page => [ 'myarticle' ],
+      :comment => { :title => 'html comment', :body => "this is a html comment" }
+    assert_no_tag :tag => 'strong', :attributes => { :id => 'html_test_comment' }
+  end
+
 end
-- 
libgit2 0.21.2
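Review bot: As displayed, the posted body `"this is a html comment"` contains no markup, so `assert_no_tag :tag => 'strong', :attributes => { :id => 'html_test_comment' }` passes whether or not the filter escapes anything; most likely a `<strong id='html_test_comment'>` wrapper was lost when this page was rendered, but that should be confirmed against the repository, because a test that never sends markup proves nothing about the filter. A positive assertion would make the test meaningful even if the tag is present, e.g. `assert_match /&lt;strong/, @response.body` after the `assert_no_tag`. The test also covers only `:body`; the `:title` it posts in the same hash is not escaped by the filter under test and deserves a parallel case. Minor: the `page` local is never used and the setup mixes `profile.articles` with `@profile.identifier`.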