Commit ae454ce9f710a19295ad08d2b09335dc2c43cdd4

Authored by Daniela Feitosa
Committed by Antonio Terceiro
1 parent 62912d1e

ActionItem1245: not allowing javascript

  * on header/footer
  * on articles
  * on events
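--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -26,6 +26,8 @@ class Article < ActiveRecord::Base
     article.published_at = article.created_at if article.published_at.nil?
   end
 
+  xss_terminate :only => [ :name ]
+
   def self.human_attribute_name(attrib)
     case attrib.to_sym
     when :name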
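Review bot: Event inherits from Article, so after this change its class hierarchy carries two xss_terminate declarations with different options — `xss_terminate :only => [ :name ]` added here and `xss_terminate :only => [ :description, :link, :address ], :with => 'white_list'` in app/models/event.rb — and app/models/profile.rb now calls xss_terminate twice with different :only lists as well; whether a later call merges into or replaces the earlier options depends on the plugin's implementation, which is not visible in this commit. A test that saves an Event and a Profile with markup in fields from both groups and asserts both groups come back sanitized would settle it. Since the filter runs on save, rows persisted before this commit are not cleaned by it, so existing content still relies on escaping at render time. The Article class body continues outside the hunk.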
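--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -6,7 +6,7 @@ class Event < Article
   settings_items :link, :type => :string
   settings_items :address, :type => :string
 
-  xss_terminate :only => [ :description ], :with => 'white_list'
+  xss_terminate :only => [ :description, :link, :address ], :with => 'white_list'
 
   validates_presence_of :title, :start_date
 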
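Review bot: `:link` is put through the same HTML white list as the free-text fields, but a tag white list only removes markup; it does not check which URL scheme a string uses, so a value containing no tags at all is stored unchanged. If the views render `link` as an href (inferred from the name, not visible here), the fitting control for a URL-valued field is a scheme check rather than tag stripping, e.g. `validates_format_of :link, :with => %r{\Ahttps?://}i, :allow_blank => true` anchored with `\A` so a multi-line value cannot slip past a `^` anchor. The Event class body continues outside the hunk.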
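--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -269,6 +269,7 @@ class Profile < ActiveRecord::Base
   end
 
   xss_terminate :only => [ :name, :nickname, :address, :contact_phone ]
+  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 
   # returns the contact email for this profile.
   #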
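Review bot: The new line gives custom_footer and custom_header a different sanitization mode (`:with => 'white_list'`) from the strip-all applied to the fields on the line above, and nothing records why; a reader later tightening or loosening either list has no way to tell the split is intentional. A short comment above the new line would capture it, e.g. `# header/footer are rendered as HTML, so keep safe markup but drop everything else` (assuming that is the reason — the rendering side is not in this commit). The Profile class body continues outside the hunk.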