From 688faaee41448c11504adb3e94ab4d63413b7ffa Mon Sep 17 00:00:00 2001
From: Rodrigo Souto <rodrigo@colivre.coop.br>
Date: Tue, 11 May 2010 12:03:49 -0300
Subject: [PATCH] Fields verification filters malformed html correctly

---
 app/models/article.rb                             |  2 +-
 app/models/comment.rb                             |  2 +-
 app/models/community.rb                           |  4 ++--
 app/models/consumption.rb                         |  2 +-
 app/models/environment.rb                         |  2 +-
 app/models/event.rb                               |  3 ++-
 app/models/folder.rb                              |  2 +-
 app/models/organization.rb                        |  2 +-
 app/models/product.rb                             |  2 +-
 app/models/profile.rb                             |  4 ++--
 app/models/text_article.rb                        |  2 +-
 app/models/tiny_mce_article.rb                    |  2 +-
 app/models/validation_info.rb                     |  2 +-
 test/unit/article_test.rb                         | 16 ++++++++++++++++
 test/unit/comment_test.rb                         | 22 ++++++++++++++++++++++
 test/unit/community_test.rb                       | 17 ++++++++++++++++-
 test/unit/consumption_test.rb                     | 10 +++++++---
 test/unit/environment_test.rb                     | 16 ++++++++++++++++
 test/unit/event_test.rb                           | 28 ++++++++++++++++++++++++++++
 test/unit/folder_test.rb                          | 28 +++++++++++++++++++---------
 test/unit/organization_test.rb                    | 20 ++++++++++++++++++++
 test/unit/product_test.rb                         | 18 ++++++++++++++++++
 test/unit/profile_test.rb                         | 38 ++++++++++++++++++++++++++++++++++++++
 test/unit/text_article_test.rb                    | 13 +++++++++++++
 test/unit/validation_info_test.rb                 | 10 ++++++++++
 vendor/plugins/xss_terminate/lib/xss_terminate.rb | 39 ++++++++++++++++++++++++++++++++++-----
 26 files changed, 273 insertions(+), 33 deletions(-)

diff --git a/app/models/article.rb b/app/models/article.rb
index 6c65a7b..489c462 100644
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -26,7 +26,7 @@ class Article < ActiveRecord::Base
     article.published_at = article.created_at if article.published_at.nil?
   end
 
-  xss_terminate :only => [ :name ]
+  xss_terminate :only => [ :name ], :on => 'validation'
 
   named_scope :in_category, lambda { |category|
     {:include => 'categories', :conditions => { 'categories.id' => category.id }}
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 2ef2928..c07e003 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -17,7 +17,7 @@ class Comment < ActiveRecord::Base
     end
   end
 
-  xss_terminate :only => [ :body, :title, :name ]
+  xss_terminate :only => [ :body, :title, :name ], :on => 'validation'
 
   def author_name
     if author
diff --git a/app/models/community.rb b/app/models/community.rb
index 5fca3ad..9a1e98b 100644
--- a/app/models/community.rb
+++ b/app/models/community.rb
@@ -5,8 +5,6 @@ class Community < Organization
   settings_items :language
   settings_items :zip_code, :city, :state, :country
 
-  xss_terminate :only => [ :name, :address, :contact_phone, :description ]
-
   before_create do |community|
     community.moderated_articles = true if community.environment.enabled?('organizations_are_moderated_by_default')
   end
@@ -22,6 +20,8 @@ class Community < Organization
     community
   end
 
+  xss_terminate :only => [ :name, :address, :contact_phone, :description ], :on => 'validation'
+
   FIELDS = %w[
     city
     state
diff --git a/app/models/consumption.rb b/app/models/consumption.rb
index f2d0778..86a1e70 100644
--- a/app/models/consumption.rb
+++ b/app/models/consumption.rb
@@ -4,6 +4,6 @@ class Consumption < ActiveRecord::Base
 
   validates_uniqueness_of :product_category_id, :scope => :profile_id
 
-  xss_terminate :only => [ :aditional_specifications ]
+  xss_terminate :only => [ :aditional_specifications ], :on => 'validation'
 
 end
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 0d0f345..2fedac7 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -471,7 +471,7 @@ class Environment < ActiveRecord::Base
 
   validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |record| ! record.contact_email.blank? })
 
-  xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list'
+  xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list', :on => 'validation'
 
 
   # #################################################
diff --git a/app/models/event.rb b/app/models/event.rb
index c304881..f33fdc1 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -6,7 +6,8 @@ class Event < Article
   settings_items :link, :type => :string
   settings_items :address, :type => :string
 
-  xss_terminate :only => [ :description, :link, :address ], :with => 'white_list'
+  xss_terminate :only => [ :link ], :on => 'validation'
+  xss_terminate :only => [ :description, :link, :address ], :with => 'white_list', :on => 'validation'
 
   validates_presence_of :title, :start_date
 
diff --git a/app/models/folder.rb b/app/models/folder.rb
index 91656bd..06da77f 100644
--- a/app/models/folder.rb
+++ b/app/models/folder.rb
@@ -4,7 +4,7 @@ class Folder < Article
 
   settings_items :view_as, :type => :string, :default => 'folder'
 
-  xss_terminate :only => [ :body ], :with => 'white_list'
+  xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation'
 
   def self.select_views
     [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
diff --git a/app/models/organization.rb b/app/models/organization.rb
index 60dd027..b3ab0cb 100644
--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -77,7 +77,7 @@ class Organization < Profile
 
   validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |org| !org.contact_email.blank? })
 
-  xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ]
+  xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ], :on => 'validation'
 
   # Yes, organizations have members.
   #
diff --git a/app/models/product.rb b/app/models/product.rb
index 84529f2..3b4e218 100644
--- a/app/models/product.rb
+++ b/app/models/product.rb
@@ -31,7 +31,7 @@ class Product < ActiveRecord::Base
 
   acts_as_searchable :fields => [ :name, :description, :category_full_name ]
 
-  xss_terminate :only => [ :name, :description ]
+  xss_terminate :only => [ :name, :description ], :on => 'validation'
 
   acts_as_mappable
   
diff --git a/app/models/profile.rb b/app/models/profile.rb
index 1c37053..769d11d 100644
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -294,8 +294,8 @@ class Profile < ActiveRecord::Base
     self.save_without_validation!
   end
 
-  xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ]
-  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
+  xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
+  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
 
   # returns the contact email for this profile.
   #
diff --git a/app/models/text_article.rb b/app/models/text_article.rb
index c919b5e..97050ad 100644
--- a/app/models/text_article.rb
+++ b/app/models/text_article.rb
@@ -1,5 +1,5 @@
 # a base class for all text article types.  
 class TextArticle < Article
 
-  xss_terminate :only => [ :name, :abstract, :body ]
+  xss_terminate :only => [ :name, :abstract, :body ], :on => 'validation'
 end
diff --git a/app/models/tiny_mce_article.rb b/app/models/tiny_mce_article.rb
index 355b28d..489661f 100644
--- a/app/models/tiny_mce_article.rb
+++ b/app/models/tiny_mce_article.rb
@@ -9,6 +9,6 @@ class TinyMceArticle < TextArticle
   end
   
   xss_terminate :except => [ :abstract, :body ]
-  xss_terminate :only => [ :abstract, :body ], :with => 'white_list'
+  xss_terminate :only => [ :abstract, :body ], :with => 'white_list', :on => 'validation'
 
 end
diff --git a/app/models/validation_info.rb b/app/models/validation_info.rb
index 890cd69..d78ccbd 100644
--- a/app/models/validation_info.rb
+++ b/app/models/validation_info.rb
@@ -3,5 +3,5 @@ class ValidationInfo < ActiveRecord::Base
 
   belongs_to :organization
 
-  xss_terminate :only => [ :validation_methodology, :restrictions ]
+  xss_terminate :only => [ :validation_methodology, :restrictions ], :on => 'validation'
 end
diff --git a/test/unit/article_test.rb b/test/unit/article_test.rb
index 0f6859c..346b291 100644
--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -859,4 +859,20 @@ class ArticleTest < Test::Unit::TestCase
     assert_no_match /</, article.tags.last.name
   end
 
+  should 'sanitize name before validation' do
+    article = Article.new
+    article.name = "<h1 Bla </h1>"
+    article.valid?
+
+    assert article.errors.invalid?(:name)
+  end
+
+  should 'escape malformed html tags' do
+    article = Article.new
+    article.name = "<h1 Malformed >> html >< tag"
+    article.valid?
+
+    assert_no_match /[<>]/, article.name
+  end
+
 end
diff --git a/test/unit/comment_test.rb b/test/unit/comment_test.rb
index ac2b238..43708a5 100644
--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
@@ -187,4 +187,26 @@ class CommentTest < Test::Unit::TestCase
     assert_no_match(/<script>/, comment.name)
   end
 
+  should 'sanitize required fields before validation' do
+    owner = create_user('testuser').person
+    article = owner.articles.create(:name => 'test', :body => '...')
+    comment = article.comments.new(:title => '<h1 title </h1>', :body => '<h1 body </h1>', :name => '<h1 name </h1>', :email => 'cracker@test.org')
+    comment.valid?
+
+    assert comment.errors.invalid?(:name)
+    assert comment.errors.invalid?(:title)
+    assert comment.errors.invalid?(:body)
+  end
+
+  should 'escape malformed html tags' do
+    owner = create_user('testuser').person
+    article = owner.articles.create(:name => 'test', :body => '...')
+    comment = article.comments.new(:title => '<h1 title </h1>>> sd f <<', :body => '<h1>> sdf><asd>< body </h1>', :name => '<h1 name </h1>>><<dfsf<sd', :email => 'cracker@test.org')
+    comment.valid?
+
+    assert_no_match /[<>]/, comment.title
+    assert_no_match /[<>]/, comment.body
+    assert_no_match /[<>]/, comment.name
+  end
+
 end
diff --git a/test/unit/community_test.rb b/test/unit/community_test.rb
index 450829f..2e4ef02 100644
--- a/test/unit/community_test.rb
+++ b/test/unit/community_test.rb
@@ -114,7 +114,7 @@ class CommunityTest < Test::Unit::TestCase
   should 'require fields if community needs' do
     e = Environment.default
     e.expects(:required_community_fields).returns(['contact_phone']).at_least_once
-    community = Community.new(:environment => e)
+    community = Community.new(:name => 'My community', :environment => e)
     assert ! community.valid?
     assert community.errors.invalid?(:contact_phone)
 
@@ -200,4 +200,19 @@ class CommunityTest < Test::Unit::TestCase
       community.add_member(person)
     end
   end
+
+  should 'escape malformed html tags' do
+    community = Community.new
+    community.name = "<h1 Malformed >> html >< tag"
+    community.address = "<h1 Malformed >,<<<asfdf> html >< tag"
+    community.contact_phone = "<h1 Malformed<<> >> html >><>< tag"
+    community.description = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    community.valid?
+
+    assert_no_match /[<>]/, community.name
+    assert_no_match /[<>]/, community.address
+    assert_no_match /[<>]/, community.contact_phone
+    assert_no_match /[<>]/, community.description
+  end
+
 end
diff --git a/test/unit/consumption_test.rb b/test/unit/consumption_test.rb
index dd75d65..34b42e0 100644
--- a/test/unit/consumption_test.rb
+++ b/test/unit/consumption_test.rb
@@ -3,8 +3,12 @@ require File.dirname(__FILE__) + '/../test_helper'
 class ConsumptionTest < Test::Unit::TestCase
   fixtures :consumptions
 
-  # Replace this with your real tests.
-  def test_truth
-    assert true
+  should 'escape malformed html tags' do
+    consumption = Consumption.new
+    consumption.aditional_specifications = "<h1 Malformed >> html >< tag"
+    consumption.valid?
+
+    assert_no_match /[<>]/, consumption.aditional_specifications
   end
+
 end
diff --git a/test/unit/environment_test.rb b/test/unit/environment_test.rb
index fb9e8fa..14eb404 100644
--- a/test/unit/environment_test.rb
+++ b/test/unit/environment_test.rb
@@ -863,4 +863,20 @@ class EnvironmentTest < Test::Unit::TestCase
     assert_equal env.message_for_member_invitation, env.invitation_mail_template(community)
   end
 
+  should 'filter fields with white_list filter' do
+    environment = Environment.new
+    environment.message_for_disabled_enterprise = "<h1> Disabled Enterprise </h1>"
+    environment.valid?
+
+    assert_equal "<h1> Disabled Enterprise </h1>", environment.message_for_disabled_enterprise
+  end
+
+  should 'escape malformed html tags' do
+    environment = Environment.new
+    environment.message_for_disabled_enterprise = "<h1> Disabled Enterprise /h1>"
+    environment.valid?
+
+    assert_no_match /[<>]/, environment.message_for_disabled_enterprise
+  end
+
 end
diff --git a/test/unit/event_test.rb b/test/unit/event_test.rb
index 6357730..43c13df 100644
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -222,4 +222,32 @@ class EventTest < ActiveSupport::TestCase
     assert_not_includes profile.events.by_day(today), event_out_of_range
   end
 
+  should 'filter fields with full filter' do
+    event = Event.new
+    event.link = "<h1 Malformed >> html >< tag"
+    event.valid?
+
+    assert_no_match /[<>]/, event.link
+  end
+
+  should 'filter fields with white_list filter' do
+    event = Event.new
+    event.description = "<h1> Description </h1>"
+    event.address = "<strong> Address <strong>"
+    event.valid?
+
+    assert_equal "<h1> Description </h1>", event.description
+    assert_equal "<strong> Address <strong>", event.address
+  end
+
+  should 'escape malformed html tags' do
+    event = Event.new
+    event.description = "<h1<< Description >>/h1>"
+    event.address = "<strong>><< Address <strong>"
+    event.valid?
+
+    assert_no_match /[<>]/, event.description
+    assert_no_match /[<>]/, event.address
+  end
+
 end
diff --git a/test/unit/folder_test.rb b/test/unit/folder_test.rb
index e4d1c80..146db28 100644
--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -125,17 +125,27 @@ class FolderTest < ActiveSupport::TestCase
   end
 
   should 'not let pass javascript in the body' do
-    owner = create_user('testuser').person
-    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<script>alert("Xss Attack!")</script>'})
-    folder.save!
-    assert_no_match(/<script>/, folder.body)
+    folder = Folder.new
+    folder.body = "<script> alert(Xss!); </script>"
+    folder.valid?
+
+    assert_no_match /(<script>)/, folder.body
   end
 
-  should 'let pass html in the body' do
-    owner = create_user('testuser').person
-    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<strong>I am not a Xss Attack!")</strong>'})
-    folder.save!
-    assert_match(/<strong>/, folder.body)
+  should 'filter fields with white_list filter' do
+    folder = Folder.new
+    folder.body = "<h1> Body </h1>"
+    folder.valid?
+
+    assert_equal "<h1> Body </h1>", folder.body
+  end
+
+  should 'escape malformed html tags' do
+    folder = Folder.new
+    folder.body = "<h1<< Description >>/h1>"
+    folder.valid?
+
+    assert_no_match /[<>]/, folder.body
   end
 
 end
diff --git a/test/unit/organization_test.rb b/test/unit/organization_test.rb
index a5d267f..1c42e83 100644
--- a/test/unit/organization_test.rb
+++ b/test/unit/organization_test.rb
@@ -248,4 +248,24 @@ class OrganizationTest < Test::Unit::TestCase
 
     assert organization.closed
   end
+
+  should 'escape malformed html tags' do
+    organization = Organization.new
+    organization.acronym = "<h1 Malformed >> html >< tag"
+    organization.contact_person = "<h1 Malformed >,<<<asfdf> html >< tag"
+    organization.contact_email = "<h1<malformed@html.com>>"
+    organization.description = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.legal_form = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.economic_activity = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.management_information = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.valid?
+
+    assert_no_match /[<>]/, organization.acronym
+    assert_no_match /[<>]/, organization.contact_person
+    assert_no_match /[<>]/, organization.contact_email
+    assert_no_match /[<>]/, organization.legal_form
+    assert_no_match /[<>]/, organization.economic_activity
+    assert_no_match /[<>]/, organization.management_information
+  end
+
 end
diff --git a/test/unit/product_test.rb b/test/unit/product_test.rb
index bdb3ae2..fe71ec0 100644
--- a/test/unit/product_test.rb
+++ b/test/unit/product_test.rb
@@ -193,4 +193,22 @@ class ProductTest < Test::Unit::TestCase
     end
   end
 
+  should 'sanitize name before validation' do
+    product = Product.new
+    product.name = "<h1 Bla </h1>"
+    product.valid?
+
+    assert product.errors.invalid?(:name)
+  end
+
+  should 'escape malformed html tags' do
+    product = Product.new
+    product.name = "<h1 Malformed >> html >< tag"
+    product.description = "<h1 Malformed</h1>><<<a>> >> html >< tag"
+    product.valid?
+
+    assert_no_match /[<>]/, product.name
+    assert_no_match /[<>]/, product.description
+  end
+
 end
diff --git a/test/unit/profile_test.rb b/test/unit/profile_test.rb
index 4c7279e..1f183ac 100644
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -1515,6 +1515,44 @@ class ProfileTest < Test::Unit::TestCase
     assert profile.errors.invalid?(:description)
   end
 
+  should 'sanitize name before validation' do
+    profile = Profile.new
+    profile.name = "<h1 Bla </h1>"
+    profile.valid?
+
+    assert profile.errors.invalid?(:name)
+  end
+
+  should 'filter fields with white_list filter' do
+    profile = Profile.new
+    profile.custom_header = "<h1> Custom Header </h1>"
+    profile.custom_footer = "<strong> Custom Footer <strong>"
+    profile.valid?
+
+    assert_equal "<h1> Custom Header </h1>", profile.custom_header
+    assert_equal "<strong> Custom Footer <strong>", profile.custom_footer
+  end
+
+  should 'escape malformed html tags' do
+    profile = Profile.new
+    profile.name = "<h1 Malformed >> html >>></a>< tag"
+    profile.nickname = "<h1 Malformed <<h1>>< html >< tag"
+    profile.address = "<h1><</h2< Malformed >> html >< tag"
+    profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
+    profile.description = "<h1<a> Malformed >> html ></a>< tag"
+    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+    profile.valid?
+
+    assert_no_match /[<>]/, profile.name
+    assert_no_match /[<>]/, profile.nickname
+    assert_no_match /[<>]/, profile.address
+    assert_no_match /[<>]/, profile.contact_phone
+    assert_no_match /[<>]/, profile.description
+    assert_no_match /[<>]/, profile.custom_header
+    assert_no_match /[<>]/, profile.custom_footer
+  end
+
   private
 
   def assert_invalid_identifier(id)
diff --git a/test/unit/text_article_test.rb b/test/unit/text_article_test.rb
index 751e73b..6614191 100644
--- a/test/unit/text_article_test.rb
+++ b/test/unit/text_article_test.rb
@@ -26,4 +26,17 @@ class TextArticleTest < Test::Unit::TestCase
     assert_equal "the  article ...", article.body
   end
 
+  should 'escape malformed html tags' do
+    person = create_user('testuser').person
+    article = TextArticle.new(:profile => person)
+    article.name = "<h1 Malformed >> html >>></a>< tag"
+    article.abstract = "<h1 Malformed <<h1>>< html >< tag"
+    article.body = "<h1><</h2< Malformed >> html >< tag"
+    article.valid?
+
+    assert_no_match /[<>]/, article.name
+    assert_no_match /[<>]/, article.abstract
+    assert_no_match /[<>]/, article.body
+  end
+
 end
diff --git a/test/unit/validation_info_test.rb b/test/unit/validation_info_test.rb
index 301a912..6dca63d 100644
--- a/test/unit/validation_info_test.rb
+++ b/test/unit/validation_info_test.rb
@@ -21,4 +21,14 @@ class ValidationInfoTest < Test::Unit::TestCase
     end
   end
 
+  should 'escape malformed html tags' do
+    info = ValidationInfo.new
+    info.validation_methodology = "<h1 Malformed >> html >< tag"
+    info.restrictions = "<h1 Malformed >> html >< tag"
+    info.valid?
+
+    assert_no_match /[<>]/, info.validation_methodology
+    assert_no_match /[<>]/, info.restrictions
+  end
+
 end
diff --git a/vendor/plugins/xss_terminate/lib/xss_terminate.rb b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
index cd8b572..a9c0d6e 100644
--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -38,7 +38,7 @@ module XssTerminate
 
   module InstanceMethods
 
-    def sanitize_field(sanitizer, field, serialized = false)
+    def sanitize_field(sanitizer, field, serialized = false, with= :full)
       field = field.to_sym
       if serialized
         puts field
@@ -49,8 +49,22 @@ module XssTerminate
       else
         if self[field]
           self[field] = sanitizer.sanitize(self[field])
+
+          if with == :full
+            self[field] = CGI.escapeHTML(self[field])
+          elsif with == :white_list
+            self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_tag?(self[field])
+          end
+
         else
           self.send("#{field}=", sanitizer.sanitize(self.send("#{field}")))
+
+          if with == :full
+            self.send("#{field}=", CGI.escapeHTML(self.send("#{field}")))
+          elsif with == :white_list
+            self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) if !wellformed_html_tag?(self.send("#{field}"))
+          end
+
         end
       end
     end
@@ -69,7 +83,7 @@ module XssTerminate
       sanitizer = RailsSanitize.full_sanitizer
       columns, columns_serialized = sanitize_columns(:full)
       columns.each do |column|
-        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
+        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :full)
       end
     end
 
@@ -77,18 +91,33 @@ module XssTerminate
       sanitizer = RailsSanitize.white_list_sanitizer
       columns, columns_serialized = sanitize_columns(:white_list)
       columns.each do |column|
-        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
+        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :white_list)
       end
-    end
+   end
 
     def sanitize_fields_with_html5lib
       sanitizer = HTML5libSanitize.new
       columns = sanitize_columns(:html5lib)
       columns.each do |column|
-        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
+        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :html5lib)
       end
     end
 
+    def wellformed_html_tag?(field)
+      return true if !field
+
+      counter = 0
+      field.split(//).each do |letter|
+        counter += 1 if letter == '<'
+        counter -= 1 if letter == '>'
+        if counter < 0 ||  1 < counter
+          return false
+        end
+      end
+
+      return counter == 0
+    end
+
   end
 
 end
--
libgit2 0.21.2