Commit 88e96a208a5f0f813dc8467552a8709b6d1258ce
1 parent
807a3009
Exists in
master
and in
29 other branches
ActionItem192: sanitizing article tags
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1732 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
2 changed files
with
15 additions
and
0 deletions
Show diff stats
app/models/article.rb
| 1 | 1 | class Article < ActiveRecord::Base |
| 2 | 2 | |
| 3 | + # xss_terminate plugin can't sanitize array fields | |
| 4 | + before_save :sanitize_tag_list | |
| 5 | + | |
| 3 | 6 | belongs_to :profile |
| 4 | 7 | validates_presence_of :profile_id, :name, :slug, :path |
| 5 | 8 | |
| ... | ... | @@ -109,4 +112,11 @@ class Article < ActiveRecord::Base |
| 109 | 112 | true |
| 110 | 113 | end |
| 111 | 114 | |
| 115 | + private | |
| 116 | + | |
| 117 | + def sanitize_tag_list | |
| 118 | + sanitizer = HTML::FullSanitizer.new | |
| 119 | + self.tag_list.names.map!{|i| sanitizer.sanitize(i) } | |
| 120 | + end | |
| 121 | + | |
| 112 | 122 | end | ... | ... |
test/functional/cms_controller_test.rb
| ... | ... | @@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase |
| 303 | 303 | assert_equal "<b>the</b> <strong>of</strong> article ...", assigns(:article).body |
| 304 | 304 | end |
| 305 | 305 | |
| 306 | + should 'sanitize tags' do | |
| 307 | + post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...', :tag_list => 'tag1, <strong>tag2</strong>' } | |
| 308 | + assert_sanitized assigns(:article).tag_list.names.join(', ') | |
| 309 | + end | |
| 310 | + | |
| 306 | 311 | end | ... | ... |