Download as
Browse Code »

Commit fa7cddb0f79d4bb6d7750ed6fd41bb63446a6012

Authored by Victor Costa
1 parent 23b9a863
Exists in master and in 29 other branches add_member_task_reject_details, admin_visible_profile, article-list-template, community_notifications, contact_admin_translation, event_fixes, fix_comments_pagination, fix_rails4_organization_ratings, fix_sign_up_form, follow_step_fix, forum_topic_creation, mirror_block_improvements, multi_env_on_remote_user, new_security, noosfero_spb_ci, organization_ratings_improvements, organization_ratings_link_to_profile_stable-spb-1.3, organization_ratings_translations_fix, profile_api_improvements, ratings_minor_fixes, remote_user_fix, send_email_to_admins, stable-spb-1.3, stable-spb-1.3-fixes, stable-spb-1.4, stable-spb-1.5, suggest_rejected_value, web_steps_improvements, xss_terminate_custom_options

Sanitize HTML in folder name

Showing 2 changed files with 9 additions and 1 deletions   Show diff stats
app/models/folder.rb
  Diff comments   View file @fa7cddb
@@ -12,7 +12,7 @@ class Folder < Article @@ -12,7 +12,7 @@ class Folder < Article
12 12
13 acts_as_having_settings :field => :setting 13 acts_as_having_settings :field => :setting
14 14
15 - xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation' 15 + xss_terminate :only => [ :name, :body ], :with => 'white_list', :on => 'validation'
16 16
17 include WhiteListFilter 17 include WhiteListFilter
18 filter_iframes :body 18 filter_iframes :body
test/unit/folder_test.rb
  Diff comments   View file @fa7cddb
@@ -100,6 +100,14 @@ class FolderTest < ActiveSupport::TestCase @@ -100,6 +100,14 @@ class FolderTest < ActiveSupport::TestCase
100 assert_includes folder.images(true), community.articles.find_by_name('rails.png') 100 assert_includes folder.images(true), community.articles.find_by_name('rails.png')
101 end 101 end
102 102
  103 + should 'not let pass javascript in the name' do
  104 + folder = Folder.new
  105 + folder.name = "<script> alert(Xss!); </script>"
  106 + folder.valid?
  107 +
  108 + assert_no_match /(<script>)/, folder.name
  109 + end
  110 +
103 should 'not let pass javascript in the body' do 111 should 'not let pass javascript in the body' do
104 folder = Folder.new 112 folder = Folder.new
105 folder.body = "<script> alert(Xss!); </script>" 113 folder.body = "<script> alert(Xss!); </script>"