Commit 88e96a208a5f0f813dc8467552a8709b6d1258ce
1 parent
807a3009
Exists in
master
and in
29 other branches
ActionItem192: sanitizing article tags
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1732 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
2 changed files
with
15 additions
and
0 deletions
Show diff stats
app/models/article.rb
| 1 | class Article < ActiveRecord::Base | 1 | class Article < ActiveRecord::Base |
| 2 | 2 | ||
| 3 | + # xss_terminate plugin can't sanitize array fields | ||
| 4 | + before_save :sanitize_tag_list | ||
| 5 | + | ||
| 3 | belongs_to :profile | 6 | belongs_to :profile |
| 4 | validates_presence_of :profile_id, :name, :slug, :path | 7 | validates_presence_of :profile_id, :name, :slug, :path |
| 5 | 8 | ||
| @@ -109,4 +112,11 @@ class Article < ActiveRecord::Base | @@ -109,4 +112,11 @@ class Article < ActiveRecord::Base | ||
| 109 | true | 112 | true |
| 110 | end | 113 | end |
| 111 | 114 | ||
| 115 | + private | ||
| 116 | + | ||
| 117 | + def sanitize_tag_list | ||
| 118 | + sanitizer = HTML::FullSanitizer.new | ||
| 119 | + self.tag_list.names.map!{|i| sanitizer.sanitize(i) } | ||
| 120 | + end | ||
| 121 | + | ||
| 112 | end | 122 | end |
test/functional/cms_controller_test.rb
| @@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase | @@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase | ||
| 303 | assert_equal "<b>the</b> <strong>of</strong> article ...", assigns(:article).body | 303 | assert_equal "<b>the</b> <strong>of</strong> article ...", assigns(:article).body |
| 304 | end | 304 | end |
| 305 | 305 | ||
| 306 | + should 'sanitize tags' do | ||
| 307 | + post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...', :tag_list => 'tag1, <strong>tag2</strong>' } | ||
| 308 | + assert_sanitized assigns(:article).tag_list.names.join(', ') | ||
| 309 | + end | ||
| 310 | + | ||
| 306 | end | 311 | end |