Commit 68833fe4dcbf02cddcef22e2cae774a36e327115

Authored by JoenioCosta
1 parent 224e08e5

ActionItem192: added before_filter to sanitize user input

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1673 3f533792-8f58-4932-b0fe-aaf55b0a4547
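--- a/app/controllers/application.rb
+++ b/app/controllers/application.rb
@@ -40,6 +40,9 @@ class ApplicationController < ActionController::Base
 verify :method => :post, :only => actions, :redirect_to => redirect
 end
 
+# to sanitize params[...] add method sanitize to controller
+before_filter :sanitize
+
 protected
 
 # TODO: move this logic somewhere else (Domain class?)
@@ -112,5 +115,10 @@ class ApplicationController < ActionController::Base
 end
 end
 
+private
+
+def sanitize
+# dont sanitize anything for default
+end
 
 end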
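Review bot: The default `sanitize` at new line 120 is a silent no-op, so every controller that does not override it keeps accepting raw HTML with no failure or warning; the opt-in design pushes the burden onto each future controller. In Rails the reliable place to neutralise user-supplied HTML is the view (`h`/`html_escape` at render time), which covers every field regardless of which controller stored it, so the filter should be documented as a stop-gap, e.g. `# NOTE: input-side escaping only; views must still escape with h() -- do not rely on this alone`. Also, `before_filter :sanitize` is declared above `protected` while the method sits under `private`; that works in Rails, but a one-line comment telling overriding controllers to keep their `sanitize` private would avoid a public override presumably becoming a routable action. The `ApplicationController` class body continues outside both hunks.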
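--- a/app/controllers/public/content_viewer_controller.rb
+++ b/app/controllers/public/content_viewer_controller.rb
@@ -67,4 +67,16 @@ class ContentViewerController < PublicController
 redirect_to :action => 'view_page'
 end
 
+private
+
+include ERB::Util
+
+def sanitize
+if params[:comment]
+if params[:comment][:body]
+params[:comment][:body] = html_escape(params[:comment][:body])
+end
+end
+end
+
 end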
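Review bot: Escaping `params[:comment][:body]` with `html_escape` on the way in (new line 77) stores entity-encoded text, so any view that later renders the body through `h` will double-escape it, and any view that renders it raw is protected only for this one field — `params[:comment][:title]`, which the new test also posts, is left untouched. Whether the title is rendered raw is not visible here, but if it is, this filter leaves that vector open; the robust fix is to escape at render time in the comment view and keep stored data unmodified. If the input-side escaping stays, the nested guard reads better as `return unless params[:comment] && params[:comment][:body]`, and `include ERB::Util` should move above `private`, since the visibility keyword has no effect on `include` and reads as if it did. The enclosing class body starts outside the hunk.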
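--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -187,4 +187,12 @@ class ContentViewerControllerTest < Test::Unit::TestCase
 assert_tag :tag => 'div', :attributes => { :class => 'post_comment_box opened' }
 end
 
+should 'filter html content from body' do
+login_as @profile.identifier
+page = profile.articles.create!(:name => 'myarticle', :body => 'the body of the text')
+post :view_page, :profile => @profile.identifier, :page => [ 'myarticle' ],
+:comment => { :title => 'html comment', :body => "this is a <strong id='html_test_comment'>html comment</strong>" }
+assert_no_tag :tag => 'strong', :attributes => { :id => 'html_test_comment' }
+end
+
 end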
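Review bot: `assert_no_tag :tag => 'strong'` at new line 195 passes equally when the body is escaped and when the comment is never rendered at all (or the post fails validation), so the test does not actually prove the escaping path. A positive assertion that the comment text reached the page, e.g. `assert_match /html_test_comment/, @response.body` alongside the existing `assert_no_tag`, pins the behaviour; a companion case for `:title` would also make explicit whether that field is expected to be escaped. The local `page` on line 192 is unused, and `profile` and `@profile` are mixed on lines 191–193 — presumably `profile` is a test helper returning the same object, worth confirming. The test class continues outside the hunk.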