diff --git a/app/models/article.rb b/app/models/article.rb
index 08fd31c..c91440c 100644
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -1,5 +1,8 @@
 class Article < ActiveRecord::Base
+ # xss_terminate plugin can't sanitize array fields
+ before_save :sanitize_tag_list
+
 belongs_to :profile
 validates_presence_of :profile_id, :name, :slug, :path
@@ -109,4 +112,11 @@ class Article < ActiveRecord::Base
 true
 end
+ private
+
+ def sanitize_tag_list
+ sanitizer = HTML::FullSanitizer.new
+ self.tag_list.names.map!{|i| sanitizer.sanitize(i) }
+ end
+
 end
diff --git a/test/functional/cms_controller_test.rb b/test/functional/cms_controller_test.rb
index 8f11b7a..0165794 100644
--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase
 assert_equal "the of article ...", assigns(:article).body
 end
+ should 'sanitize tags' do
+ post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...', :tag_list => 'tag1, tag2' }
+ assert_sanitized assigns(:article).tag_list.names.join(', ')
+ end
+
 end
-- libgit2 0.21.2
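Review bot: `sanitize_tag_list` depends on `self.tag_list.names.map!` mutating the very array the tag list persists; if `names` returns a copy, the sanitized values are discarded and the raw tags are saved, so assigning the result back is safer than in-place mutation, e.g. `self.tag_list = self.tag_list.names.map { |name| sanitizer.sanitize(name) }` (whether that assignment round-trips depends on the tagging plugin, which is not visible here). `HTML::FullSanitizer` strips tags but does not escape what is left, and a tag consisting only of markup such as `<b>` collapses to an empty string that stays in the list unless the plugin drops blanks on save; rejecting blank names after sanitizing, and keeping HTML-escaping of tag names at render time, stops this callback from being the only line of defense. The `before_save` registration lives in the earlier hunk of this file, and the rest of the class body lies outside the hunk.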
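Review bot: The new `should 'sanitize tags'` test posts a tag list with no markup at all (`'tag1, tag2'`), so `assert_sanitized` presumably passes whether or not the `before_save` hook runs, and the test cannot catch a regression in `sanitize_tag_list`. Post a tag that actually carries markup and pin the stripped result, e.g. `:tag_list => '<script>alert(1)</script>tag1, tag2'` followed by `assert_equal 'alert(1)tag1, tag2', assigns(:article).tag_list.names.join(', ')`, assuming the list splits on commas as the existing fixture suggests. Adding a tag that is only markup, such as `<b>`, would also show whether an all-markup tag survives as an empty entry after sanitizing. `assert_sanitized` looks like a project helper; its exact assertion is not visible here.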