From 7441ba6c92304870c6110814fd588718d6e7bde3 Mon Sep 17 00:00:00 2001
From: Antonio Terceiro
Date: Wed, 28 Jan 2015 15:06:58 -0200
Subject: [PATCH] Always sanitize HTML in header and footer
---
 app/models/profile.rb | 2 +-
 test/unit/profile_test.rb | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/app/models/profile.rb b/app/models/profile.rb
index 4e309de..be476e2 100644
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -392,7 +392,7 @@ class Profile < ActiveRecord::Base
 end
 xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
- xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+ xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 include WhiteListFilter
 filter_iframes :custom_header, :custom_footer
diff --git a/test/unit/profile_test.rb b/test/unit/profile_test.rb
index 0e74868..c047f67 100644
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -840,6 +840,14 @@ class ProfileTest < ActiveSupport::TestCase
 assert_equal 'environment footer', profile.custom_footer
 end
+ should 'sanitize custom header and footer' do
+ p = fast_create(Profile)
+ script_kiddie_code = ''
+ p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+ assert_no_tag_in_string p.custom_header, tag: 'script'
+ assert_no_tag_in_string p.custom_footer, tag: 'script'
+ end
+
 should 'store theme' do
 p = build(Profile, :theme => 'my-shiny-theme')
 assert_equal 'my-shiny-theme', p.theme
@@ -1555,8 +1563,6 @@ class ProfileTest < ActiveSupport::TestCase
 profile.address = "
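Review bot: The `xss_terminate` call on the context line just above the changed one still carries `:on => 'validation'` for `:name, :nickname, :address, :contact_phone, :description`, so those fields are sanitized only when a save runs validations; if the save path that motivated this change (the new test goes through `update_header_and_footer`, which presumably skips validation) can also write those fields, they remain unsanitized on that path. Either drop the option there as well or confirm that no unvalidated save touches them. The changed line also deserves a comment explaining why it now differs from its neighbour, e.g. `# sanitize on save, not only on validation, so saves that skip validation are covered too`. The enclosing class body continues outside the hunk.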
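Review bot: The new 'sanitize custom header and footer' test asserts on `p.custom_header` and `p.custom_footer` straight after `update_header_and_footer`, i.e. on the in-memory attributes; inserting `p.reload` before the two `assert_no_tag_in_string` calls would prove that the sanitized value is what was persisted, which is what the commit title promises. As printed here `script_kiddie_code` is assigned `''`, which makes both assertions pass for any input; that is likely the page having stripped the markup from the literal, but it is worth confirming the committed literal really contains a script tag. The test also checks only for the `script` tag, so an extra assertion that an allowed tag survives the `white_list` filter would pin the behaviour in both directions.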

 <> html >< tag"
 profile.contact_phone = "<>>> html >< tag"
 profile.description = " Malformed >> html >< tag"
- profile.custom_header = "><<> Malformed >> html >< tag"
- profile.custom_footer = "

 Malformed <><< html >< tag"
 profile.valid?
 assert_no_match /[<>]/, profile.name
@@ -1568,6 +1574,16 @@ class ProfileTest < ActiveSupport::TestCase
 assert_no_match /[<>]/, profile.custom_footer
 end
+ should 'escape malformed html tags in header and footer' do
+ profile = fast_create(Profile)
+ profile.custom_header = "><<> Malformed >> html >< tag"
+ profile.custom_footer = "

 Malformed <><< html >< tag"
+ profile.save
+
+ assert_no_match /[<>]/, profile.custom_header
+ assert_no_match /[<>]/, profile.custom_footer
+ end
+
 should 'not sanitize html comments' do
 profile = Profile.new
 profile.custom_header = '

Wellformed html code

' -- libgit2 0.21.2
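Review bot: `profile.save` in the new 'escape malformed html tags in header and footer' test discards its return value; since the sanitization this commit relies on presumably now runs on save rather than on validation, a validation failure would leave both attributes untouched and surface only as a confusing `assert_no_match` failure. Changing that line to `assert profile.save` makes the real cause visible. The two `assert_no_match /[<>]/` calls and the malformed fixture strings duplicate the existing test above, so extracting the fixtures into a shared constant would keep the two tests from drifting apart.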