From 03c411eb6321e90b3c1a9405a36d2d50fb2728fa Mon Sep 17 00:00:00 2001
From: Daniela Soares Feitosa
Date: Thu, 27 Aug 2009 15:41:26 -0300
Subject: [PATCH] ActionItem1227: not allowing link to javascript on linkblock

---
 app/models/link_list_block.rb     | 10 +++++++++-
 test/unit/link_list_block_test.rb | 10 ++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/app/models/link_list_block.rb b/app/models/link_list_block.rb
index 0877e3f..a74a9bf 100644
--- a/app/models/link_list_block.rb
+++ b/app/models/link_list_block.rb
@@ -49,7 +49,9 @@ class LinkListBlock < Block
 
   def link_html(link)
     klass = 'icon-' + link[:icon] if link[:icon]
-    link_to(link[:name], expand_address(link[:address]), :class => klass)
+    sanitize_link(
+      link_to(link[:name], expand_address(link[:address]), :class => klass)
+    )
   end
 
   def expand_address(address)
@@ -71,4 +73,10 @@ class LinkListBlock < Block
     end
   end
 
+  private
+
+  def sanitize_link(text)
+    sanitizer = HTML::WhiteListSanitizer.new
+    sanitizer.sanitize(text)
+  end
 end
diff --git a/test/unit/link_list_block_test.rb b/test/unit/link_list_block_test.rb
index e79e074..1e92e1d 100644
--- a/test/unit/link_list_block_test.rb
+++ b/test/unit/link_list_block_test.rb
@@ -57,4 +57,14 @@ class LinkListBlockTest < ActiveSupport::TestCase
     assert_no_match /class="/, l.link_html({:icon => nil, :name => 'test', :address => 'test.com'})
   end
 
+  should 'not add link to javascript' do
+    l = LinkListBlock.new(:links => [{:name => 'link', :address => "javascript:alert('Message test')"}])
+    assert_no_match /javascript/, l.link_html(l.links.first)
+  end
+
+  should 'not add link to onclick' do
+    l = LinkListBlock.new(:links => [{:name => 'link', :address => "#\" onclick=\"alert(123456)"}])
+    assert_no_match /onclick/, l.link_html(l.links.first)
+  end
+
 end
-- 
libgit2 0.21.2
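Review bot: The sanitizer in `link_html` is applied only at render time, so a `javascript:` or attribute-injecting address is still accepted and persisted with the block and merely dropped on output; a model-level validation of each link's address (reject anything whose scheme is not in a short allow list such as http/https/mailto, or a relative path) would fail at save time and make the sanitizer a second layer rather than the only one. The wrapped call also deserves a why-comment, because the test in the same commit shows that `link_to` in this Rails line interpolates the address into `href` without escaping: `# link_to emits the address verbatim into href; sanitize the rendered tag so javascript: URLs and injected on* attributes are stripped`. `expand_address` starts in this hunk but its body is outside it, so I cannot tell whether it already normalises the scheme before the sanitizer sees it.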
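Review bot: `sanitize_link` constructs a fresh `HTML::WhiteListSanitizer` on every call and carries no comment on what it is defending against. Hoist the instance to a class-level constant, `SANITIZER = HTML::WhiteListSanitizer.new`, reduce the method to `SANITIZER.sanitize(text)`, and document the intent with `# Drops href values whose protocol is not allow-listed (javascript:, data:, ...) and any on* event attributes from the rendered link`. As I read the white-list sanitizer it also removes every tag outside its allow list, so any wrapper markup added to `link_html` later would be silently stripped — worth a sentence in that comment so the next maintainer is not surprised.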
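Review bot: Both new tests assert only that a substring is absent, so they would equally pass if `link_html` returned an empty string or dropped the anchor entirely; pair each `assert_no_match` with a positive check such as `assert_match /<a [^>]*>link<\/a>/, l.link_html(l.links.first)`. The `javascript:` case is covered only in lower case; a mixed-case (`JaVaScRiPt:alert(1)`) and a leading-whitespace variant would pin that the protocol check is case- and whitespace-insensitive rather than a literal match. The `:name` path is not exercised at all, and `link_to` here appears to insert the name unescaped, so a test with `:name => '<script>alert(1)</script>'` asserting no `<script` in the output would confirm the sanitizer covers that side too.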