From 72e95e0702d55567e10c71f94355b26417384780 Mon Sep 17 00:00:00 2001
From: Rodrigo Souto
Date: Thu, 18 Mar 2010 12:06:58 -0300
Subject: [PATCH] Folder body filter javascript but not html code

---
 app/models/folder.rb     |    2 ++
 test/unit/folder_test.rb |   15 +++++++++++++++
 2 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/app/models/folder.rb b/app/models/folder.rb
index d02847d..280c7ec 100644
--- a/app/models/folder.rb
+++ b/app/models/folder.rb
@@ -4,6 +4,8 @@ class Folder < Article
 
   settings_items :view_as, :type => :string, :default => 'folder'
 
+  xss_terminate :only => [ :body ], :with => 'white_list'
+
   def self.select_views
     [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
   end
diff --git a/test/unit/folder_test.rb b/test/unit/folder_test.rb
index bc7d31b..8f0b3d3 100644
--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -130,4 +130,19 @@ class FolderTest < ActiveSupport::TestCase
     assert_includes folder.images(true), pi
   end
 
+
+  should 'not let pass javascript in the body' do
+    owner = create_user('testuser').person
+    folder = fast_create(Folder, {:profile_id => owner.id, :body => ''})
+    folder.save!
+    assert_no_match(/
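Review bot: The filter declared with `xss_terminate :only => [ :body ], :with => 'white_list'` runs as a model save callback, so it only rewrites bodies saved after this change — rows persisted earlier, or written through paths that skip callbacks, keep whatever markup they already hold, and nothing in the hunk re-sanitizes existing data. What it actually blocks depends entirely on the white-list sanitizer's allowed tags, attributes and URL protocols (inline `style`, `on*` handlers, `javascript:` hrefs), none of which is visible here, so the declaration deserves a comment stating the intent: `# Sanitize body on save: strip scripts/event handlers but keep ordinary HTML markup`. Folder inherits from Article; if Article already declares xss_terminate for this column, verify which declaration wins rather than assuming both apply. Style-wise the array literal reads `[:body]` without the inner spaces. The class body continues outside the hunk.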