Commit 72e95e0702d55567e10c71f94355b26417384780

Authored by Rodrigo Souto
Committed by Antonio Terceiro
1 parent d0f8d245

Folder body filter javascript but not html code

* Used xss_terminate with the 'white_list' option, which filters out
	  only the disallowed HTML.

(ActionItem1437)
Showing 2 changed files with 17 additions and 0 deletions   Show diff stats
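--- a/app/models/folder.rb
+++ b/app/models/folder.rb
@@ -4,6 +4,8 @@ class Folder < Article
 
 settings_items :view_as, :type => :string, :default => 'folder'
 
+xss_terminate :only => [ :body ], :with => 'white_list'
+
 def self.select_views
 [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
 end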
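Review bot: The new `xss_terminate :only => [ :body ], :with => 'white_list'` line carries no comment saying what policy it applies, and the accompanying test only checks that a `<script>` tag is gone, so a reader cannot tell which tags and attributes survive; add above it `# Sanitize body on save with the sanitizer's whitelist: drop tags and attributes outside the allowed set, keep ordinary markup` and, if the plugin is configured elsewhere, name where the whitelist lives. Because xss_terminate runs as a save callback, folders persisted before this change keep their unsanitized body until they are saved again, and records written without callbacks are not covered at all — that is presumably why the test calls `save!` after `fast_create`, which is worth stating in the comment. Output-time escaping in the views is still required; a write-time filter is defence in depth, not a replacement. The class body continues outside the hunk.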
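--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -130,4 +130,19 @@ class FolderTest < ActiveSupport::TestCase
 
 assert_includes folder.images(true), pi
 end
+
+should 'not let pass javascript in the body' do
+owner = create_user('testuser').person
+folder = fast_create(Folder, {:profile_id => owner.id, :body => '<script>alert("Xss Attack!")</script>'})
+folder.save!
+assert_no_match(/<script>/, folder.body)
+end
+
+should 'let pass html in the body' do
+owner = create_user('testuser').person
+folder = fast_create(Folder, {:profile_id => owner.id, :body => '<strong>I am not a Xss Attack!")</strong>'})
+folder.save!
+assert_match(/<strong>/, folder.body)
+end
+
 end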
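Review bot: The fixture in the second test, `'<strong>I am not a Xss Attack!")</strong>'`, contains a stray `")` that looks copied from the first test's payload; it does not break the assertion but obscures what the test is about, so change it to `:body => '<strong>I am not a Xss Attack!</strong>'`. Both assertions only check for the presence or absence of one tag name; asserting the whole sanitized body, e.g. `assert_equal '<strong>I am not a Xss Attack!</strong>', folder.body`, would also show that the whitelist leaves allowed markup intact rather than mangling it, though the exact output depends on the sanitizer and should be confirmed. The whitelist mode is not exercised for disallowed attributes on allowed tags (event handlers, script-scheme URLs), which is where whitelist sanitizers usually differ from tag stripping, so a third case along those lines would pin the intended policy. A short comment on `folder.save!` noting that the filter only runs through the save callbacks would explain why it follows `fast_create`.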