From 72e95e0702d55567e10c71f94355b26417384780 Mon Sep 17 00:00:00 2001
From: Rodrigo Souto <rodrigo@colivre.coop.br>
Date: Thu, 18 Mar 2010 12:06:58 -0300
Subject: [PATCH] Folder body filter javascript but not html code

---
 app/models/folder.rb     |  2 ++
 test/unit/folder_test.rb | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/app/models/folder.rb b/app/models/folder.rb
index d02847d..280c7ec 100644
--- a/app/models/folder.rb
+++ b/app/models/folder.rb
@@ -4,6 +4,8 @@ class Folder < Article
 
   settings_items :view_as, :type => :string, :default => 'folder'
 
+  xss_terminate :only => [ :body ], :with => 'white_list'
+
   def self.select_views
     [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
   end
diff --git a/test/unit/folder_test.rb b/test/unit/folder_test.rb
index bc7d31b..8f0b3d3 100644
--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -130,4 +130,19 @@ class FolderTest < ActiveSupport::TestCase
 
     assert_includes folder.images(true), pi
   end
+
+  should 'not let pass javascript in the body' do
+    owner = create_user('testuser').person
+    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<script>alert("Xss Attack!")</script>'})
+    folder.save!
+    assert_no_match(/<script>/, folder.body)
+  end
+
+  should 'let pass html in the body' do
+    owner = create_user('testuser').person
+    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<strong>I am not a Xss Attack!")</strong>'})
+    folder.save!
+    assert_match(/<strong>/, folder.body)
+  end
+
 end
--
libgit2 0.21.2