Commit b2745d8aee2180ecac09d7ec29f951bd04582674
1 parent
049db1a4
Exists in
master
and in
29 other branches
Filtering events links only with white_list
(ActionItem2684)
Showing
2 changed files
with
8 additions
and
1 deletions
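--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -14,7 +14,6 @@ class Event < Article
 maybe_add_http(self.setting[:link])
 end
 
-xss_terminate :only => [ :link ], :on => 'validation'
 xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
 
 def initialize(*args)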
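Review bot: After this change `link` is filtered only by the `white_list` HTML sanitizer at validation, and nothing visible in this hunk restricts the value to an http/https URL. A tag/attribute whitelist does not check URL schemes, and the accompanying test shows `&` now passes through unescaped, so any view that emits `link` into an `href` has to HTML-escape it on output. Whether `maybe_add_http` (defined outside the hunk) rejects other schemes cannot be told from here. I would add a comment above the declaration such as `# link is only white_list-filtered here: escape on output, accept http/https only`, and consider a format validation on the scheme. The class body starts and continues outside the hunk.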
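--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -248,6 +248,14 @@ class EventTest < ActiveSupport::TestCase
 assert_equal "<strong> Address <strong>", event.address
 end
 
+should 'not filter & on link field' do
+event = Event.new
+event.link = 'myevent.com/?param1=value¶m2=value2'
+event.valid?
+
+assert_equal "http://myevent.com/?param1=value¶m2=value2", event.link
+end
+
 should 'escape malformed html tags' do
 event = Event.new
 event.body = "<h1<< Description >>/h1>"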
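Review bot: The new test pins only that `&` survives in `link`; nothing in this hunk pins that markup is still removed from `link` now that its separate `xss_terminate` declaration is gone from app/models/event.rb. A companion test that submits a link containing a disallowed tag and asserts the tag is absent after `valid?` would guard against that regression. The result of `event.valid?` is not asserted either, so the test passes whether or not validation succeeds. The URL literal displays on this page as `value¶m2`, presumably `&param2` after entity decoding by the page, so check it against the repository before copying. EventTest starts and continues outside the hunk.

```ruby
should 'filter disallowed tags on link field' do
  event = Event.new
  event.link = 'myevent.com/<script>alert(1)</script>'
  event.valid?

  assert_no_match(/<script/, event.link)
end
```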