Commit b2745d8aee2180ecac09d7ec29f951bd04582674
1 parent
049db1a4
Exists in
master
and in
29 other branches
Filtering events links only with white_list
(ActionItem2684)
Showing
2 changed files
with
8 additions
and
1 deletions
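--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -14,7 +14,6 @@ class Event < Article
 maybe_add_http(self.setting[:link])
 end
 
-xss_terminate :only => [ :link ], :on => 'validation'
 xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
 
 def initialize(*args)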
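Review bot: After this change the `xss_terminate ... :with => 'white_list'` declaration on new line 17 is the only sanitizer left on `link`, and nothing in the model records why the stricter `xss_terminate :only => [ :link ]` declaration was dropped; the commit title suggests the default filter was rewriting `&` inside query strings. A comment above the remaining declaration would keep that intent from being undone in a later cleanup, e.g. `# link is sanitized with white_list only: the default filter rewrites '&' and breaks query strings (ActionItem2684)`. Because `link` also passes through `maybe_add_http` just above, it is worth confirming that `white_list` still neutralizes tags and non-http schemes in this field, since the dropped declaration may have been the one escaping them. The enclosing class continues outside the hunk.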
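--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -248,6 +248,14 @@ class EventTest < ActiveSupport::TestCase
 assert_equal "<strong> Address <strong>", event.address
 end
 
+should 'not filter & on link field' do
+event = Event.new
+event.link = 'myevent.com/?param1=value¶m2=value2'
+event.valid?
+
+assert_equal "http://myevent.com/?param1=value¶m2=value2", event.link
+end
+
 should 'escape malformed html tags' do
 event = Event.new
 event.body = "<h1<< Description >>/h1>"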
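Review bot: The new test at lines 251-257 only pins that `&` survives in `link`, but after this commit `white_list` is the sole filter on that field and no test in the hunk shows that markup placed in `link` is still stripped or escaped after `valid?`; a companion `should` that assigns a tag to `event.link` and asserts the sanitized value would cover the regression this relaxation could introduce. The rendered page shows `¶m2` on lines 253 and 256, which looks like the entity `&param2` decoded by the page rather than the literal in the file, so the checked-in string should be confirmed in the repository. The test depends on `maybe_add_http` prefixing `http://`, which lives in the model outside this hunk, so the assertion couples two behaviours; splitting the expectation or naming that dependency in the test description would make a failure easier to read.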