Download as
Browse Code »

Commit ae454ce9f710a19295ad08d2b09335dc2c43cdd4

Authored by Daniela Feitosa
Committed by Antonio Terceiro
1 parent 62912d1e
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

ActionItem1245: not allowing javascript 

  * on header/footer
  * on articles
  * on events
Showing 3 changed files with 4 additions and 1 deletions   Show diff stats
app/models/article.rb
  Diff comments   View file @ae454ce
@@ -26,6 +26,8 @@ class Article < ActiveRecord::Base @@ -26,6 +26,8 @@ class Article < ActiveRecord::Base
26 article.published_at = article.created_at if article.published_at.nil? 26 article.published_at = article.created_at if article.published_at.nil?
27 end 27 end
28 28
  29 + xss_terminate :only => [ :name ]
  30 +
29 def self.human_attribute_name(attrib) 31 def self.human_attribute_name(attrib)
30 case attrib.to_sym 32 case attrib.to_sym
31 when :name 33 when :name
app/models/event.rb
  Diff comments   View file @ae454ce
@@ -6,7 +6,7 @@ class Event < Article @@ -6,7 +6,7 @@ class Event < Article
6 settings_items :link, :type => :string 6 settings_items :link, :type => :string
7 settings_items :address, :type => :string 7 settings_items :address, :type => :string
8 8
9 - xss_terminate :only => [ :description ], :with => 'white_list' 9 + xss_terminate :only => [ :description, :link, :address ], :with => 'white_list'
10 10
11 validates_presence_of :title, :start_date 11 validates_presence_of :title, :start_date
12 12
app/models/profile.rb
  Diff comments   View file @ae454ce
@@ -269,6 +269,7 @@ class Profile < ActiveRecord::Base @@ -269,6 +269,7 @@ class Profile < ActiveRecord::Base
269 end 269 end
270 270
271 xss_terminate :only => [ :name, :nickname, :address, :contact_phone ] 271 xss_terminate :only => [ :name, :nickname, :address, :contact_phone ]
  272 + xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
272 273
273 # returns the contact email for this profile. 274 # returns the contact email for this profile.
274 # 275 #