diff --git a/app/models/article.rb b/app/models/article.rb
index 08fd31c..c91440c 100644
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -1,5 +1,8 @@
class Article < ActiveRecord::Base
+ # xss_terminate plugin can't sanitize array fields
+ before_save :sanitize_tag_list
+
belongs_to :profile
validates_presence_of :profile_id, :name, :slug, :path
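Review bot: `before_save` runs after validation, so any validation that looks at tag names sees the unsanitized values and a tag that becomes blank after stripping is never rejected; if tag names are validated anywhere (not visible in this hunk), `before_validation :sanitize_tag_list` would be the safer hook. The comment on the line above could also say what the callback does rather than only why the plugin cannot: `# xss_terminate plugin can't sanitize array fields, so tag names are stripped of HTML in sanitize_tag_list`. Note this only covers writes that go through the model callbacks; tags written by other paths, and tags already stored before this change, are not affected. The class body continues outside the hunk.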
@@ -109,4 +112,11 @@ class Article < ActiveRecord::Base
true
end
+ private
+
+ def sanitize_tag_list
+ sanitizer = HTML::FullSanitizer.new
+ self.tag_list.names.map!{|i| sanitizer.sanitize(i) }
+ end
+
end
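Review bot: The in-place `map!` on `self.tag_list.names` only has an effect if `names` returns the array the tag list itself keeps; if it builds a fresh array on each call (I cannot tell from this hunk), the sanitized values are discarded and the original tags are saved. A tag that consists entirely of markup sanitizes to an empty string, so the callback can persist blank tag names; if the tag list does not already drop them, follow the `map!` with `self.tag_list.names.reject!(&:blank?)`. `HTML::FullSanitizer` strips tags but does not escape what remains, so views rendering tag names still need normal output escaping; this callback is defense in depth, not a substitute.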
diff --git a/test/functional/cms_controller_test.rb b/test/functional/cms_controller_test.rb
index 8f11b7a..0165794 100644
--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase
assert_equal "the of article ...", assigns(:article).body
end
+ should 'sanitize tags' do
+ post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...', :tag_list => 'tag1, tag2' }
+ assert_sanitized assigns(:article).tag_list.names.join(', ')
+ end
+
end
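Review bot: The posted `:tag_list => 'tag1, tag2'` contains no markup, so `assert_sanitized` passes whether or not the new `before_save` callback ran; the test does not exercise the change. Post a tag that carries harmless markup, e.g. `:tag_list => 'tag1, <b>tag2</b>'`, and assert the stored names are exactly `['tag1', 'tag2']`. Since `before_save` only alters what is persisted, read the tags back from the reloaded record (`assigns(:article).reload`) rather than from the in-memory object the controller assigned. The enclosing test class continues outside the hunk.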
--
libgit2 0.21.2