Commit 68833fe4dcbf02cddcef22e2cae774a36e327115
1 parent
224e08e5
ActionItem192: added before_filter to sanitize user input
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1673 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
3 changed files
with
28 additions
and
0 deletions
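--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -40,6 +40,9 @@ class ApplicationController < ActionController::Base
 verify :method => :post, :only => actions, :redirect_to => redirect
 end
 
+# to sanitize params[...] add method sanitize to controller
+before_filter :sanitize
+
 protected
 
 # TODO: move this logic somewhere else (Domain class?)
@@ -112,5 +115,10 @@ class ApplicationController < ActionController::Base
 end
 end
 
+private
+
+def sanitize
+# dont sanitize anything for default
+end
 
 end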
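Review bot: The default `sanitize` added at new line 120 is a no-op, so the hook is fail-open: a controller that persists user input but does not override `sanitize` gets no escaping at all, and nothing in this commit makes that omission visible. The header comment at new line 43 should state the contract, e.g. `# Runs before every action (unless skipped). Subclasses override the private #sanitize to escape the params they persist; the default escapes nothing.` Escaping inside a before_filter also rewrites the params that every later filter and action sees, and entities stored this way are double-escaped if a view escapes again; escaping at render time (or in the model) is the more robust place for this. Declaring `sanitize` under `private` is fine, since `before_filter` resolves private methods.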
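--- a/app/controllers/public/content_viewer_controller.rb
+++ b/app/controllers/public/content_viewer_controller.rb
@@ -67,4 +67,16 @@ class ContentViewerController < PublicController
 redirect_to :action => 'view_page'
 end
 
+private
+
+include ERB::Util
+
+def sanitize
+if params[:comment]
+if params[:comment][:body]
+params[:comment][:body] = html_escape(params[:comment][:body])
+end
+end
+end
+
 end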
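Review bot: Only `params[:comment][:body]` is escaped at new line 77; `params[:comment][:title]`, which the new functional test also posts, passes through unchanged, so if the view renders the title the way it renders the body the same injection still works there. Escaping at input also stores entities in the comment and protects only this controller, so any other path that creates a comment is uncovered; escaping at render time (`h`) or in the Comment model would cover all of them. `include ERB::Util` (the `private` above it does not apply to `include`) additionally adds `h`, `html_escape`, `u` and `url_encode` as public instance methods of the controller, which Rails can expose as actions; `ERB::Util.html_escape(...)` works as a module function without the include. The rewrite below also guards against a non-Hash `params[:comment]` (e.g. `comment=foo`), which would otherwise raise on the `[:body]` lookup.
```ruby
private

def sanitize
  comment = params[:comment]
  return unless comment.is_a?(Hash)
  [:title, :body].each do |key|
    comment[key] = ERB::Util.html_escape(comment[key]) if comment[key]
  end
end
```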
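--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -187,4 +187,12 @@ class ContentViewerControllerTest < Test::Unit::TestCase
 assert_tag :tag => 'div', :attributes => { :class => 'post_comment_box opened' }
 end
 
+should 'filter html content from body' do
+login_as @profile.identifier
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+post :view_page, :profile => @profile.identifier, :page => [ 'myarticle' ],
+:comment => { :title => 'html comment', :body => "this is a <strong id='html_test_comment'>html comment</strong>" }
+assert_no_tag :tag => 'strong', :attributes => { :id => 'html_test_comment' }
+end
+
 end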
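Review bot: `assert_no_tag` at new line 195 cannot fail for the reason the test intends: if this post takes the `redirect_to :action => 'view_page'` branch visible as context at controller line 67, the response body carries no markup at all and the assertion passes whether or not the body was escaped. Add a positive check that the escaped text exists, e.g. `assert_match /&lt;strong/, page.comments.first.body` if Article exposes its comments (match on `&lt;strong` rather than the full string, since single-quote escaping differs between Ruby versions), or follow the redirect with a `get :view_page` and `assert_tag :content => /&lt;strong/`. As written, `page` is assigned and never used, and `profile.articles` next to `@profile.identifier` on the surrounding lines looks like an inconsistency worth checking.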