Commit 7441ba6c92304870c6110814fd588718d6e7bde3

Authored by Antonio Terceiro
1 parent 4c229767

Always sanitize HTML in header and footer

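--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -392,7 +392,7 @@ class Profile < ActiveRecord::Base
   end
 
   xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
-  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 
   include WhiteListFilter
   filter_iframes :custom_header, :custom_footer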
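Review bot: Nothing in the hunk records why the two `xss_terminate` declarations now use different hooks: line 394 keeps `:on => 'validation'`, so name, nickname, address, contact_phone and description are still sanitized only when validations run, while custom_header and custom_footer on line 395 fall back to the plugin's default hook (presumably a save callback — confirm against the plugin). A write path that skips validations therefore still persists the line-394 fields unsanitized, the same gap this commit closes for the header and footer, so either apply the same change there or state why validation-time is sufficient for those fields. A one-line comment above line 395 would make the intent explicit: `# sanitized on every save, not only at validation, so writes that skip validations cannot persist raw markup`. It is also worth confirming that `filter_iframes` on line 398 runs on the same hook as the new line 395, otherwise the two filters diverge on the path this commit is fixing.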
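--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -840,6 +840,14 @@ class ProfileTest < ActiveSupport::TestCase
     assert_equal 'environment footer', profile.custom_footer
   end
 
+  should 'sanitize custom header and footer' do
+    p = fast_create(Profile)
+    script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>'
+    p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+    assert_no_tag_in_string p.custom_header, tag: 'script'
+    assert_no_tag_in_string p.custom_footer, tag: 'script'
+  end
+
   should 'store theme' do
     p = build(Profile, :theme => 'my-shiny-theme')
     assert_equal 'my-shiny-theme', p.theme
@@ -1555,8 +1563,6 @@ class ProfileTest < ActiveSupport::TestCase
     profile.address = "<h1><</h2< Malformed >> html >< tag"
     profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
     profile.description = "<h1<a> Malformed >> html ></a>< tag"
-    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
-    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
     profile.valid?
 
     assert_no_match /[<>]/, profile.name
@@ -1568,6 +1574,16 @@ class ProfileTest < ActiveSupport::TestCase
     assert_no_match /[<>]/, profile.custom_footer
   end
 
+  should 'escape malformed html tags in header and footer' do
+    profile = fast_create(Profile)
+    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+    profile.save
+
+    assert_no_match /[<>]/, profile.custom_header
+    assert_no_match /[<>]/, profile.custom_footer
+  end
+
   should 'not sanitize html comments' do
     profile = Profile.new
     profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>'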
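Review bot: The `assert_no_match /[<>]/, profile.custom_footer` kept as context at line 1574 of the third hunk (and presumably its custom_header twin just above it, outside the visible context) now runs against a field the validation-time test no longer sets, because the second hunk removes both assignments; `assert_no_match` against nil passes vacuously, so those two lines no longer test anything. Drop them from that test, since the new 'escape malformed html tags in header and footer' test is now the one that sets and checks those values. In the new test the result of `profile.save` is discarded; `assert profile.save` would distinguish "sanitized on save" from "save never happened", which matters because the test starts from a `fast_create` record whose validity is not otherwise established. The first hunk's new test relies on `update_header_and_footer`, defined outside this hunk, going through a callback-running write; that is the right thing to cover, but the dependency is worth a short comment in the test, e.g. `# update_header_and_footer must persist via a path that runs the sanitize callbacks`.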