Commit 7441ba6c92304870c6110814fd588718d6e7bde3

Authored by Antonio Terceiro
1 parent 4c229767

Always sanitize HTML in header and footer

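--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -392,7 +392,7 @@ class Profile < ActiveRecord::Base
 end
 
 xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
-xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 
 include WhiteListFilter
 filter_iframes :custom_header, :custom_footer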
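Review bot: The `xss_terminate` call kept on line 394 still carries `:on => 'validation'`, so `name`, `nickname`, `address`, `contact_phone` and `description` stay unsanitized on any write path that skips validations — the same gap this commit closes for the header and footer, presumably because `update_header_and_footer` saves without validating (inferred from the new test; confirm). Either drop `:on => 'validation'` there as well, or record the reason for the asymmetry with a comment above the changed line, e.g. `# no :on => 'validation' here: header/footer can be written without validations running, so rely on xss_terminate's default hook instead`. The Profile class body continues outside the hunk.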
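--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -840,6 +840,14 @@ class ProfileTest < ActiveSupport::TestCase
 assert_equal 'environment footer', profile.custom_footer
 end
 
+should 'sanitize custom header and footer' do
+p = fast_create(Profile)
+script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>'
+p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+assert_no_tag_in_string p.custom_header, tag: 'script'
+assert_no_tag_in_string p.custom_footer, tag: 'script'
+end
+
 should 'store theme' do
 p = build(Profile, :theme => 'my-shiny-theme')
 assert_equal 'my-shiny-theme', p.theme
@@ -1555,8 +1563,6 @@ class ProfileTest < ActiveSupport::TestCase
 profile.address = "<h1><</h2< Malformed >> html >< tag"
 profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
 profile.description = "<h1<a> Malformed >> html ></a>< tag"
-profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
-profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
 profile.valid?
 
 assert_no_match /[<>]/, profile.name
@@ -1568,6 +1574,16 @@ class ProfileTest < ActiveSupport::TestCase
 assert_no_match /[<>]/, profile.custom_footer
 end
 
+should 'escape malformed html tags in header and footer' do
+profile = fast_create(Profile)
+profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+profile.save
+
+assert_no_match /[<>]/, profile.custom_header
+assert_no_match /[<>]/, profile.custom_footer
+end
+
 should 'not sanitize html comments' do
 profile = Profile.new
 profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>'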
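Review bot: Removing the `custom_header`/`custom_footer` assignments at old lines 1558–1559 leaves `assert_no_match /[<>]/, profile.custom_footer` at new line 1574 (and, presumably, a matching `custom_header` assertion just above the third hunk) checking a field that test never sets, so those assertions now pass vacuously and should be deleted from that test, since the new 'escape malformed html tags in header and footer' test covers them. In that new test, `profile.save` at line 1581 discards its result; `assert profile.save` would surface a validation failure as the cause instead of a confusing `<>` mismatch. The test method containing the second hunk starts outside it.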