Download as
Browse Code »

Commit b2745d8aee2180ecac09d7ec29f951bd04582674

Authored by Daniela Feitosa
1 parent 049db1a4
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Filtering events links only with white_list 

(ActionItem2684)
Showing 2 changed files with 8 additions and 1 deletions   Show diff stats
app/models/event.rb
  Diff comments   View file @b2745d8
@@ -14,7 +14,6 @@ class Event < Article @@ -14,7 +14,6 @@ class Event < Article
14 maybe_add_http(self.setting[:link]) 14 maybe_add_http(self.setting[:link])
15 end 15 end
16 16
17 - xss_terminate :only => [ :link ], :on => 'validation'  
18 xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation' 17 xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
19 18
20 def initialize(*args) 19 def initialize(*args)
test/unit/event_test.rb
  Diff comments   View file @b2745d8
@@ -248,6 +248,14 @@ class EventTest < ActiveSupport::TestCase @@ -248,6 +248,14 @@ class EventTest < ActiveSupport::TestCase
248 assert_equal "<strong> Address <strong>", event.address 248 assert_equal "<strong> Address <strong>", event.address
249 end 249 end
250 250
  251 + should 'not filter & on link field' do
  252 + event = Event.new
  253 + event.link = 'myevent.com/?param1=value&param2=value2'
  254 + event.valid?
  255 +
  256 + assert_equal "http://myevent.com/?param1=value&param2=value2", event.link
  257 + end
  258 +
251 should 'escape malformed html tags' do 259 should 'escape malformed html tags' do
252 event = Event.new 260 event = Event.new
253 event.body = "<h1<< Description >>/h1>" 261 event.body = "<h1<< Description >>/h1>"