Download as
Browse Code »

Commit 6d246d56d8d3c9f1669a9e97cdd81e59c625ec4d

Authored by JoenioCosta
1 parent 85fd17e1
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

ActionItem192: filtering html input user from products 

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1678 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing 2 changed files with 23 additions and 0 deletions   Show diff stats
app/controllers/my_profile/manage_products_controller.rb
  Diff comments   View file @6d246d5
... ... @@ -56,5 +56,16 @@ class ManageProductsController < ApplicationController
56 56 @categories = @current_category.children
57 57 render :partial => 'subcategories'
58 58 end
  59 +
  60 + private
  61 +
  62 + require 'erb'
  63 + include ERB::Util
  64 + def sanitize
  65 + if params[:product]
  66 + params[:product][:name] = html_escape(params[:product][:name]) if params[:product][:name]
  67 + params[:product][:description] = html_escape(params[:product][:description]) if params[:product][:description]
  68 + end
  69 + end
59 70  
60 71 end
... ...
test/functional/manage_products_controller_test.rb
  Diff comments   View file @6d246d5
... ... @@ -169,4 +169,16 @@ class ManageProductsControllerTest < Test::Unit::TestCase
169 169 assert_tag :tag => 'input', :attributes => { :type => 'file', :name => 'product[image_builder][uploaded_data]' }
170 170 end
171 171  
  172 + should 'filter html from name of product' do
  173 + category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
  174 + post 'new', :profile => @enterprise.identifier, :product => { :name => "<b id='html_name'>name bold</b>", :product_category_id => category.id }
  175 + assert_not_equal assigns(:product).name, "<b id='html_name'>name bold</b>"
  176 + end
  177 +
  178 + should 'filter html from description of product' do
  179 + category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
  180 + post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "<b id='html_descr'>descr bold</b>", :product_category_id => category.id }
  181 + assert_not_equal assigns(:product).description, "<b id='html_descr'>descr bold</b>"
  182 + end
  183 +
172 184 end
... ...