Commit 88e96a208a5f0f813dc8467552a8709b6d1258ce

Authored by JoenioCosta
1 parent 807a3009

ActionItem192: sanitizing article tags

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1732 3f533792-8f58-4932-b0fe-aaf55b0a4547
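--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -1,5 +1,8 @@
 class Article < ActiveRecord::Base
 
+# xss_terminate plugin can't sanitize array fields
+before_save :sanitize_tag_list
+
 belongs_to :profile
 validates_presence_of :profile_id, :name, :slug, :path
 
@@ -109,4 +112,11 @@ class Article < ActiveRecord::Base
 true
 end
 
+private
+
+def sanitize_tag_list
+sanitizer = HTML::FullSanitizer.new
+self.tag_list.names.map!{|i| sanitizer.sanitize(i) }
+end
+
 end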
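Review bot: `sanitize_tag_list` can leave empty tag names behind: a submitted tag that consists only of markup (for example `<b></b>`) sanitizes to an empty string, and the `map!` keeps that empty string in `tag_list.names`, so it may be persisted as a blank tag. Dropping blanks after stripping, with a method that always returns the array so the callback's return value stays truthy (`delete_if` does, `reject!` returns nil when nothing changed), would close that: `self.tag_list.names.map!{|i| sanitizer.sanitize(i) }.delete_if { |name| name.blank? }`. The sanitizer holds no per-record state, so it could also be a frozen class-level constant instead of a new `HTML::FullSanitizer` on every save. The in-place `map!` presumably depends on `tag_list` returning the same memoized object the tagging plugin later persists; the functional test added in this commit exercises that path, but a one-line comment on the method stating the dependency would help the next reader.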
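--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -303,4 +303,9 @@ class CmsControllerTest < Test::Unit::TestCase
 assert_equal "<b>the</b> <strong>of</strong> article ...", assigns(:article).body
 end
 
+should 'sanitize tags' do
+post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...', :tag_list => 'tag1, <strong>tag2</strong>' }
+assert_sanitized assigns(:article).tag_list.names.join(', ')
+end
+
 end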
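Review bot: The assertion inspects only the in-memory object (`assigns(:article)`), whose `names` array was mutated in place by the callback regardless of what reached the tag store, so the test would still pass if the sanitized names were never persisted. It also never confirms that the legitimate tags survive, so a sanitizer that blanked every name would satisfy `assert_sanitized` too. Reading the record back pins both: `assert_equal ['tag1', 'tag2'], Article.find(assigns(:article).id).tag_list.names`. The exact shape of `names` on a freshly loaded record depends on the tagging plugin, so confirm that before relying on the array comparison. The enclosing `CmsControllerTest` class starts outside the hunk.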