From 85fd17e19682916a087b505e3a9a9de0ecb68aad Mon Sep 17 00:00:00 2001
From: JoenioCosta
Date: Tue, 22 Apr 2008 20:39:18 +0000
Subject: [PATCH] ActionItem192: filtering html input user from organization profile
---
 app/controllers/my_profile/profile_editor_controller.rb | 5 +++++
 test/functional/profile_editor_controller_test.rb | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 0 deletions(-)
diff --git a/app/controllers/my_profile/profile_editor_controller.rb b/app/controllers/my_profile/profile_editor_controller.rb
index b6b6728..262f7ea 100644
--- a/app/controllers/my_profile/profile_editor_controller.rb
+++ b/app/controllers/my_profile/profile_editor_controller.rb
@@ -48,6 +48,11 @@ class ProfileEditorController < MyProfileController
 def sanitize
 if params[:info]
 params[:info][:name] = html_escape(params[:info][:name]) if params[:info][:name]
+ params[:info][:contact_person] = html_escape(params[:info][:contact_person]) if params[:info][:contact_person]
+ params[:info][:acronym] = html_escape(params[:info][:acronym]) if params[:info][:acronym]
+ params[:info][:legal_form] = html_escape(params[:info][:legal_form]) if params[:info][:legal_form]
+ params[:info][:economic_activity] = html_escape(params[:info][:economic_activity]) if params[:info][:economic_activity]
+ params[:info][:management_information] = html_escape(params[:info][:management_information]) if params[:info][:management_information]
 end
 end
 
diff --git a/test/functional/profile_editor_controller_test.rb b/test/functional/profile_editor_controller_test.rb
index 92dfb24..ed5398c 100644
--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
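Review bot: The escaping in `sanitize` is a hand-written allow-list of six `params[:info]` keys, so any other `params[:info]` attribute the model accepts is stored unescaped and the next organization field added will silently miss the filter; the hunk does not show which other info attributes exist, so whether one is affected today cannot be told from here. The five added lines also repeat the existing `name` line verbatim with only the key changed. A frozen field list iterated in one loop keeps the filter in a single place and makes an omission visible at a glance; the constant belongs at class level, outside this hunk. Because the escaped text is what gets persisted, the method deserves a comment such as `# Escapes these info fields on input: the stored value is already HTML-safe and must not be escaped again on output`, since double-escaping on render is the usual follow-on bug of input-side escaping. The enclosing class continues outside the hunk.
```ruby
  # Info attributes escaped on the way in (class level, outside this hunk).
  ESCAPED_INFO_FIELDS = [:name, :contact_person, :acronym, :legal_form, :economic_activity, :management_information].freeze

  def sanitize
    if params[:info]
      ESCAPED_INFO_FIELDS.each do |field|
        params[:info][field] = html_escape(params[:info][field]) if params[:info][field]
      end
    end
  end
```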
@@ -99,4 +99,39 @@ class ProfileEditorControllerTest < Test::Unit::TestCase
 assert_not_equal name, assigns(:profile).info.name
 end
 
+ should 'filter html from contact_person to organization' do
+ org = Organization.create!(:name => 'test org', :identifier => 'testorg')
+ contact = "name with html"
+ post :edit, :profile => org.identifier, :info => { :contact_person => contact }
+ assert_not_equal contact, assigns(:profile).info.contact_person
+ end
+
+ should 'filter html from acronym organization' do
+ org = Organization.create!(:name => 'test org', :identifier => 'testorg')
+ value = "name with html"
+ post :edit, :profile => org.identifier, :info => { :acronym => value }
+ assert_not_equal value, assigns(:profile).info.acronym
+ end
+
+ should 'filter html from legal_form organization' do
+ org = Organization.create!(:name => 'test org', :identifier => 'testorg')
+ value = "name with html"
+ post :edit, :profile => org.identifier, :info => { :legal_form => value }
+ assert_not_equal value, assigns(:profile).info.legal_form
+ end
+
+ should 'filter html from economic_activity organization' do
+ org = Organization.create!(:name => 'test org', :identifier => 'testorg')
+ value = "name with html"
+ post :edit, :profile => org.identifier, :info => { :economic_activity => value }
+ assert_not_equal value, assigns(:profile).info.economic_activity
+ end
+
+ should 'filter html from management_information organization' do
+ org = Organization.create!(:name => 'test org', :identifier => 'testorg')
+ value = "name with html"
+ post :edit, :profile => org.identifier, :info => { :management_information => value }
+ assert_not_equal value, assigns(:profile).info.management_information
+ end
+
 end
--
libgit2 0.21.2
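Review bot: Each of the five new tests asserts only `assert_not_equal value, ...`, which passes for any transformation of the input and would not catch a filter that, say, truncates or strips rather than escapes; asserting the escaped form, e.g. `assert_equal CGI.escapeHTML(value), assigns(:profile).info.acronym`, pins the behaviour the commit actually adds. The literals as printed here, `"name with html"`, contain no markup at all; presumably the tags were lost when the patch was rendered, but if the committed test really posts plain text, `assert_not_equal` fails for every field. The five bodies differ only in the attribute name, so one `[:contact_person, :acronym, :legal_form, :economic_activity, :management_information].each do |field| ... end` wrapping a single `should "filter html from #{field}"` body says the same thing in a fraction of the lines and cannot drift per field. The enclosing test class starts outside the hunk.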