Commit 88e96a208a5f0f813dc8467552a8709b6d1258ce
1 parent
807a3009
ActionItem192: sanitizing article tags
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1732 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
2 changed files
with
15 additions
and
0 deletions
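--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -1,5 +1,8 @@
 class Article < ActiveRecord::Base
 
+# xss_terminate plugin can't sanitize array fields
+before_save :sanitize_tag_list
+
 belongs_to :profile
 validates_presence_of :profile_id, :name, :slug, :path
 
@@ -109,4 +112,11 @@ class Article < ActiveRecord::Base
 true
 end
 
+private
+
+def sanitize_tag_list
+sanitizer = HTML::FullSanitizer.new
+self.tag_list.names.map!{|i| sanitizer.sanitize(i) }
+end
+
 end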
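Review bot: `sanitize_tag_list` in the second hunk relies on `tag_list.names` handing back the live array so that `map!` edits it in place; if `names` builds a fresh array on each call, the sanitized values are discarded and the unsanitized tags are still saved, with nothing in the model to show it. That reliance is undocumented, and the method's value (the mapped array, which is truthy even when empty) is also what the `before_save` registered in the first hunk treats as its halt-or-continue signal. A comment such as `# map! must mutate the array held by tag_list itself; a copy would silently drop the sanitized names` plus an explicit trailing `true`, matching the callback above it, would make both points visible, and reassigning the list instead of mutating it would remove the dependency. Building `HTML::FullSanitizer.new` on every save could also be replaced by a shared class-level instance, though that is minor.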
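--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase
 assert_equal "<b>the</b> <strong>of</strong> article ...", assigns(:article).body
 end
 
+should 'sanitize tags' do
+post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...', :tag_list => 'tag1, <strong>tag2</strong>' }
+assert_sanitized assigns(:article).tag_list.names.join(', ')
+end
+
 end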
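Review bot: The new `should 'sanitize tags'` case only checks that the joined names pass `assert_sanitized`, which cannot distinguish stripping the markup from losing the tag altogether; pinning the exact outcome, `assert_equal ['tag1', 'tag2'], assigns(:article).tag_list.names`, would catch a sanitizer that drops or mangles the name (assuming `names` is the array of tag names, which the `join` on the same line suggests). The callback under test is a `before_save`, so it also runs when an existing article is updated, a path this test does not exercise; a second case that updates an article's tags would confirm it. `CmsControllerTest` continues outside the hunk.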