From 6d246d56d8d3c9f1669a9e97cdd81e59c625ec4d Mon Sep 17 00:00:00 2001
From: JoenioCosta
Date: Tue, 22 Apr 2008 21:00:50 +0000
Subject: [PATCH] ActionItem192: filtering html input user from products
---
 app/controllers/my_profile/manage_products_controller.rb | 11 +++++++++++
 test/functional/manage_products_controller_test.rb | 12 ++++++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)
diff --git a/app/controllers/my_profile/manage_products_controller.rb b/app/controllers/my_profile/manage_products_controller.rb
index 99cdaa6..7fd68ee 100644
--- a/app/controllers/my_profile/manage_products_controller.rb
+++ b/app/controllers/my_profile/manage_products_controller.rb
@@ -56,5 +56,16 @@ class ManageProductsController < ApplicationController
 @categories = @current_category.children
 render :partial => 'subcategories'
 end
+
+ private
+
+ require 'erb'
+ include ERB::Util
+ def sanitize
+ if params[:product]
+ params[:product][:name] = html_escape(params[:product][:name]) if params[:product][:name]
+ params[:product][:description] = html_escape(params[:product][:description]) if params[:product][:description]
+ end
+ end
 end
diff --git a/test/functional/manage_products_controller_test.rb b/test/functional/manage_products_controller_test.rb
index 1a954f4..f82181c 100644
--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
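Review bot: `sanitize` is declared but nothing in this hunk registers it to run — the controller's 11 insertions are all visible here and none is a `before_filter :sanitize`, so unless a filter is already declared above line 56 (the class body starts outside the hunk) the new escaping is never applied and the posted name/description reach the model unchanged. If input-time escaping is the intended design, add `before_filter :sanitize` near the top of the class; note that escaping on input stores entity-encoded text, which views that already call `h()` will double-escape and which other write paths (console, other controllers) bypass, so escaping at output is the more robust place. Style: `require 'erb'` belongs at the top of the file rather than after `private` inside the class body, and `sanitize` deserves a one-line comment such as `# Escapes HTML in product name/description in params before the action runs` stating what it covers and what it leaves alone.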
@@ -169,4 +169,16 @@ class ManageProductsControllerTest < Test::Unit::TestCase
 assert_tag :tag => 'input', :attributes => { :type => 'file', :name => 'product[image_builder][uploaded_data]' }
 end
+ should 'filter html from name of product' do
+ category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
+ post 'new', :profile => @enterprise.identifier, :product => { :name => "name bold", :product_category_id => category.id }
+ assert_not_equal assigns(:product).name, "name bold"
+ end
+
+ should 'filter html from description of product' do
+ category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
+ post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "descr bold", :product_category_id => category.id }
+ assert_not_equal assigns(:product).description, "descr bold"
+ end
+
 end
-- 
libgit2 0.21.2
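Review bot: The two new tests only assert that the assigned name/description differ from the posted string (`assert_not_equal`), which passes for any mutation at all and does not verify that the filter produced the correct escaped text; asserting the exact form — for a posted `name <b>bold</b>` that would be `assert_equal "name &lt;b&gt;bold&lt;/b&gt;", assigns(:product).name` — pins what the escaping must do. The posted literals appear on this page as plain `"name bold"` / `"descr bold"`, which looks like markup lost when the page was rendered; as printed there is nothing to escape, so the intended literals should be checked in the repository. Both tests also depend on the controller's `sanitize` being wired to run before `new`, which the companion controller hunk does not do on its own. Minor: `assert_not_equal` takes (expected, actual) and the new lines pass the actual value first, which only affects the failure message.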