From 7441ba6c92304870c6110814fd588718d6e7bde3 Mon Sep 17 00:00:00 2001
From: Antonio Terceiro <terceiro@colivre.coop.br>
Date: Wed, 28 Jan 2015 15:06:58 -0200
Subject: [PATCH] Always sanitize HTML in header and footer

---
 app/models/profile.rb     |  2 +-
 test/unit/profile_test.rb | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/app/models/profile.rb b/app/models/profile.rb
index 4e309de..be476e2 100644
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -392,7 +392,7 @@ class Profile < ActiveRecord::Base
   end
 
   xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
-  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 
   include WhiteListFilter
   filter_iframes :custom_header, :custom_footer
diff --git a/test/unit/profile_test.rb b/test/unit/profile_test.rb
index 0e74868..c047f67 100644
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -840,6 +840,14 @@ class ProfileTest < ActiveSupport::TestCase
     assert_equal 'environment footer', profile.custom_footer
   end
 
+  should 'sanitize custom header and footer' do
+    p = fast_create(Profile)
+    script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>'
+    p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+    assert_no_tag_in_string p.custom_header, tag: 'script'
+    assert_no_tag_in_string p.custom_footer, tag: 'script'
+  end
+
   should 'store theme' do
     p = build(Profile, :theme => 'my-shiny-theme')
     assert_equal 'my-shiny-theme', p.theme
@@ -1555,8 +1563,6 @@ class ProfileTest < ActiveSupport::TestCase
     profile.address = "<h1><</h2< Malformed >> html >< tag"
     profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
     profile.description = "<h1<a> Malformed >> html ></a>< tag"
-    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
-    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
     profile.valid?
 
     assert_no_match /[<>]/, profile.name
@@ -1568,6 +1574,16 @@ class ProfileTest < ActiveSupport::TestCase
     assert_no_match /[<>]/, profile.custom_footer
   end
 
+  should 'escape malformed html tags in header and footer' do
+    profile = fast_create(Profile)
+    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+    profile.save
+
+    assert_no_match /[<>]/, profile.custom_header
+    assert_no_match /[<>]/, profile.custom_footer
+  end
+
   should 'not sanitize html comments' do
     profile = Profile.new
     profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>'
--
libgit2 0.21.2