Download as
Browse Code »

Commit b59e47352e878ff0455cfe5bf4e1fcb40bcc165f

Authored by Joenio Costa
Committed by Antonio Terceiro
1 parent 3133d012
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Stripping HTML tags from article's tag names 

(ActionItem1476)
Showing 4 changed files with 35 additions and 2 deletions   Show diff stats
app/models/article.rb
  Diff comments   View file @b59e473
... ... @@ -348,7 +348,11 @@ class Article < ActiveRecord::Base
348 348  
349 349 def sanitize_tag_list
350 350 sanitizer = HTML::FullSanitizer.new
351   - self.tag_list.names.map!{|i| sanitizer.sanitize(i) }
  351 + self.tag_list.names.map!{|i| strip_tag_name sanitizer.sanitize(i) }
  352 + end
  353 +
  354 + def strip_tag_name(tag_name)
  355 + tag_name.gsub(/[<>]/, '')
352 356 end
353 357  
354 358 end
... ...
db/migrate/20100413231206_strip_html_from_tag_names.rb 0 → 100644
  Diff comments   View file @b59e473
... ... @@ -0,0 +1,12 @@
  1 +class StripHtmlFromTagNames < ActiveRecord::Migration
  2 + def self.up
  3 + Tag.all(:conditions => "name LIKE '%<%' OR name LIKE '%>%'").each do |tag|
  4 + tag.name = tag.name.gsub(/[<>]/, '')
  5 + tag.save
  6 + end
  7 + end
  8 +
  9 + def self.down
  10 + say "WARNING: cannot undo this migration"
  11 + end
  12 +end
... ...
db/schema.rb
  Diff comments   View file @b59e473
... ... @@ -9,7 +9,7 @@
9 9 #
10 10 # It's strongly recommended to check this file into your version control system.
11 11  
12   -ActiveRecord::Schema.define(:version => 20100326171758) do
  12 +ActiveRecord::Schema.define(:version => 20100413231206) do
13 13  
14 14 create_table "article_versions", :force => true do |t|
15 15 t.integer "article_id"
... ...
test/unit/article_test.rb
  Diff comments   View file @b59e473
... ... @@ -842,4 +842,21 @@ class ArticleTest &lt; Test::Unit::TestCase
842 842  
843 843 assert_equal [ published ], profile.articles.published
844 844 end
  845 +
  846 + should 'sanitize tags after save article' do
  847 + article = fast_create(Article, :slug => 'article-with-tags', :profile_id => profile.id)
  848 + article.tags << Tag.new(:name => "TV Web w<script type='javascript'></script>")
  849 + assert_match /[<>]/, article.tags.last.name
  850 + article.save!
  851 + assert_no_match /[<>]/, article.tags.last.name
  852 + end
  853 +
  854 + should 'strip HTML from tag names after save article' do
  855 + article = fast_create(Article, :slug => 'article-with-tags', :profile_id => profile.id)
  856 + article.tags << Tag.new(:name => "TV Web w<script type=...")
  857 + assert_match /</, article.tags.last.name
  858 + article.save!
  859 + assert_no_match /</, article.tags.last.name
  860 + end
  861 +
845 862 end
... ...