Commit ea7f92201154aa30d2677a38752593711b4eb363
Committed by
Antonio Terceiro
1 parent
28c0924f
newsletter: whitelist only text for article in newsletter
The only image for an article in the newsletter has to be the article's image. The lead for the article also can't have any paragraph or other crazy stuff. Instead of manually using gsub to remove undesired tags, I'm using ActionView::Helpers::SanitizeHelper#sanitize and whitelisting only tags for emphasis in text. (cherry picked from commit 4075f24dc1d96791bc361c336efd459a26ffdcd6)
Showing
2 changed files
with
20 additions
and
9 deletions
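--- a/plugins/newsletter/lib/newsletter_plugin/newsletter.rb
+++ b/plugins/newsletter/lib/newsletter_plugin/newsletter.rb
@@ -123,11 +123,11 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord
 end
 
 def post_with_image(post)
-content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info']))
+content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info']))
 end
 
 def post_without_image(post)
-content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info']))
+content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info']))
 end
 
 def body(data = {})
@@ -177,10 +177,6 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord
 last_mailing.nil? ? nil : last_mailing.created_at
 end
 
-def sanitize(html)
-html.gsub(/<\/?p>/, '')
-end
-
 def has_posts_in_the_period?
 ! self.posts.empty?
 end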
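Review bot: The sanitize calls on new lines 126 and 130 restrict `tags:` but pass no `attributes:`, so whatever attribute set the sanitizer allows by default can still survive on the whitelisted `<strong>`/`<em>`/`<b>`/`<i>` elements; if the intent is emphasis-only text, make the whitelist complete with `sanitize(post.lead(190), tags: %w(strong em b i), attributes: [])` and the same for the 360-character lead. The literal `%w(strong em b i)` is duplicated across both methods; a frozen class-level constant such as `LEAD_TAGS = %w(strong em b i).freeze` keeps the two calls from drifting apart. With the private `sanitize(html)` removed in the second hunk, the call resolves to the helper named in the commit message only if `ActionView::Helpers::SanitizeHelper` is actually mixed into this model, which is not visible in either hunk; a one-line comment at the call site naming the helper it relies on would help the next reader.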
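--- a/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
+++ b/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
@@ -351,15 +351,30 @@ EOS
 post = fast_create(TextArticle, :parent_id => blog.id,
 :name => 'the last news 1',
 :profile_id => community.id,
-:body => "<p>paragraph of news</p>")
+:body => '<p style="text-align: left;">paragraph of news</p>')
 
 newsletter = NewsletterPlugin::Newsletter.create!(
 :environment => environment,
 :blog_ids => [blog.id],
 :person => fast_create(Person))
 
-assert_match /<p>paragraph of news<\/p>/, post.body
-assert_not_match /<p>paragraph of news<\/p>/, newsletter.body
+assert_match /<p style="text-align: left;">paragraph of news<\/p>/, post.body
+assert_not_match /<p style="text-align: left;">paragraph of news<\/p>/, newsletter.body
+end
+
+should 'only include text for posts in HTML generated content' do
+environment = fast_create Environment
+community = fast_create(Community, :environment_id => environment.id)
+blog = fast_create(Blog, :profile_id => community.id)
+post = fast_create(TextArticle, :profile_id => community.id, :parent_id => blog.id, :name => 'the last news', :abstract => 'A picture<img src="example.png"> is <em>worth</em> a thousand words. <hr><h1>The main goals of visualization</h1>')
+newsletter = NewsletterPlugin::Newsletter.create!(
+:environment => environment,
+:blog_ids => [blog.id],
+:person => fast_create(Person))
+
+assert_match /A picture<img src="example.png"> is <em>worth<\/em> a thousand words. <hr><h1>The main goals of visualization<\/h1>/, post.abstract
+# Tags for text emphasis are whitelisted
+assert_match /A picture is <em>worth<\/em> a thousand words. The main goals of visualization/, newsletter.body
 end
 
 should 'filter posts when listing posts for newsletter' do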
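Review bot: The new test on lines 365–377 covers tag removal only; none of the sample markup puts an attribute on a whitelisted tag, so the attribute policy of the sanitize call under test is left unpinned. Extending the fixture with something like `<em title="x">worth</em>` and asserting on `is <em>worth</em>` (or on the attribute's presence, whichever the intended policy is) would lock that down. Separately, the regexps on lines 375 and 377 contain unescaped `.` and are passed to `assert_match` without parentheses, which Ruby can report as an ambiguous first argument; escaping the dots and parenthesising, e.g. `assert_match(/A picture is <em>worth<\/em> a thousand words\. The main goals of visualization/, newsletter.body)`, makes the match literal and warning-free.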