diff --git a/app/models/community.rb b/app/models/community.rb
index 600baf1..6928f8a 100644
--- a/app/models/community.rb
+++ b/app/models/community.rb
@@ -3,7 +3,7 @@ class Community < Organization
settings_items :description
- xss_terminate :only => [ :description ]
+ xss_terminate :only => [ :name, :address, :contact_phone, :description ]
def name=(value)
super(value)
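Review bot: The new `xss_terminate` call on L8 takes the plugin's default hook, which (per the patched plugin) is `before_save`, whereas `CreateEnterprise` sanitizes the same kind of fields with `:on => 'validation'`. If a failed validation re-renders the unsaved community's `name`/`address`/`contact_phone` back into the form without escaping, the raw submitted markup is echoed once before sanitization ever runs — I cannot see the views from here, so treat this as something to confirm. For parity with `CreateEnterprise` I would write `xss_terminate :only => [ :name, :address, :contact_phone, :description ], :on => 'validation'`. The `name=` override that follows is cut off by the hunk.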
diff --git a/app/models/create_enterprise.rb b/app/models/create_enterprise.rb
index 1865ffe..3d606dc 100644
--- a/app/models/create_enterprise.rb
+++ b/app/models/create_enterprise.rb
@@ -40,7 +40,7 @@ class CreateEnterprise < Task
# check for explanation when rejecting
validates_presence_of :reject_explanation, :if => (lambda { |record| record.status == Task::Status::CANCELLED } )
- xss_terminate :only => [ :acronym, :address, :contact_person, :contact_phone, :economic_activity, :foundation_year, :legal_form, :management_information, :name ], :on => 'validation'
+ xss_terminate :only => [ :acronym, :address, :contact_person, :contact_phone, :economic_activity, :legal_form, :management_information, :name ], :on => 'validation'
def validate
if self.region && self.target
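Review bot: `:foundation_year` is dropped from the sanitized list on L19 (and its functional test is deleted later in this commit) without anything in the hunk guaranteeing the field can no longer carry markup. If the intent is that it is now numeric, that should be enforced next to the other validations, e.g. `validates_numericality_of :foundation_year, :only_integer => true, :allow_nil => true`, otherwise a string submitted as a foundation year is stored unfiltered; if the column is still a string, the field should stay in the `:only` list. The same removal is made in `OrganizationInfo`, which is where the value is persisted, so the validation belongs there too. The `validate` method that starts at L20 continues outside the hunk.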
diff --git a/app/models/organization_info.rb b/app/models/organization_info.rb
index 2d67225..c44750f 100644
--- a/app/models/organization_info.rb
+++ b/app/models/organization_info.rb
@@ -5,9 +5,7 @@ class OrganizationInfo < ActiveRecord::Base
validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |info| ! info.contact_email.nil? })
- xss_terminate :only => [ :acronym, :contact_person, :contact_email, :foundation_year, :legal_form, :economic_activity, :management_information ]
-
- #xss_terminate :only => [ :acronym, :contact_person, :contact_phone, :economic_activity, :foundation_year, :legal_form, :management_information, :address, :name ]
+ xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ]
def summary
# FIXME diplays too few fields
diff --git a/app/models/text_article.rb b/app/models/text_article.rb
index 7cbdd88..0c7305c 100644
--- a/app/models/text_article.rb
+++ b/app/models/text_article.rb
@@ -1,4 +1,6 @@
# a base class for all text article types.
class TextArticle < Article
+ xss_terminate :only => [ :name, :abstract, :body ]
+
end
diff --git a/app/models/tiny_mce_article.rb b/app/models/tiny_mce_article.rb
index 792bfc1..355b28d 100644
--- a/app/models/tiny_mce_article.rb
+++ b/app/models/tiny_mce_article.rb
@@ -7,4 +7,8 @@ class TinyMceArticle < TextArticle
def self.description
_('Not accessible for visually impaired users.')
end
+
+ xss_terminate :except => [ :abstract, :body ]
+ xss_terminate :only => [ :abstract, :body ], :with => 'white_list'
+
end
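Review bot: `xss_terminate :except => [ :abstract, :body ]` on L53 sanitizes nothing with the plugin as patched in this commit: the new `sanitize_columns` derives the field list solely from `:only`, and an `:except`-only declaration leaves that list empty, so a `TinyMceArticle` name is stored unfiltered. The added functional test does not catch this because it posts a plain `"test"` name. Name the field explicitly instead: `xss_terminate :only => [ :name ]`. Note also that this call writes the same `xss_terminate_full_options` key that the parent `TextArticle` declaration uses, so it replaces the parent's `[ :name, :abstract, :body ]` configuration for this subclass — intended here, but worth a one-line comment such as `# overrides TextArticle: only the name gets the full sanitizer, abstract/body go through the white list below`.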
diff --git a/test/functional/admin_controller_test.rb b/test/functional/admin_controller_test.rb
index 08cf8be..a3c4c73 100644
--- a/test/functional/admin_controller_test.rb
+++ b/test/functional/admin_controller_test.rb
@@ -11,16 +11,9 @@ class AdminControllerTest < Test::Unit::TestCase
@response = ActionController::TestResponse.new
end
- def test_local_files_reference
- assert_local_files_reference
- end
-
- def test_valid_xhtml
- assert_valid_xhtml
- end
-
# Replace this with your real tests.
def test_truth
assert true
end
+
end
diff --git a/test/functional/catalog_controller_test.rb b/test/functional/catalog_controller_test.rb
index 82a04b8..71a6b78 100644
--- a/test/functional/catalog_controller_test.rb
+++ b/test/functional/catalog_controller_test.rb
@@ -12,7 +12,8 @@ class CatalogControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ user = create_user('user_test').person
+ assert_local_files_reference :get, :index, :profile => user.identifier
end
def test_valid_xhtml
diff --git a/test/functional/cms_controller_test.rb b/test/functional/cms_controller_test.rb
index 56163a5..8f11b7a 100644
--- a/test/functional/cms_controller_test.rb
+++ b/test/functional/cms_controller_test.rb
@@ -20,7 +20,7 @@ class CmsControllerTest < Test::Unit::TestCase
attr_reader :profile
def test_local_files_reference
- assert_local_files_reference
+ assert_local_files_reference :get, :index, :profile => profile.identifier
end
def test_valid_xhtml
@@ -267,5 +267,40 @@ class CmsControllerTest < Test::Unit::TestCase
assert_not_includes saved.categories, c2
assert_includes saved.categories, c3
end
+
+ should 'filter html from textile article name' do
+ post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'a test article', :body => 'the text of the article ...' }
+ assert_sanitized assigns(:article).name
+ end
+
+ should 'filter html from textile article abstract' do
+ post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'article', :abstract => 'abstract', :body => 'the text of the article ...' }
+ assert_sanitized assigns(:article).abstract
+ end
+
+ should 'filter html from textile article body' do
+ post :new, :type => 'TextileArticle', :profile => profile.identifier, :article => { :name => 'article', :abstract => 'abstract', :body => 'the text of the article ...' }
+ assert_sanitized assigns(:article).body
+ end
+
+ should 'filter html with white_list from tiny mce article name' do
+ post :new, :type => 'TinyMceArticle', :profile => profile.identifier, :article => { :name => "test", :body => 'the text of the article ...' }
+ assert_equal "test", assigns(:article).name
+ end
+
+ should 'filter html with white_list from tiny mce article abstract' do
+ post :new, :type => 'TinyMceArticle', :profile => profile.identifier, :article => { :name => 'article', :abstract => " article", :body => 'the text of the article ...' }
+ assert_equal " article", assigns(:article).abstract
+ end
+
+ should 'filter html with white_list from tiny mce article body' do
+ post :new, :type => 'TinyMceArticle', :profile => profile.identifier, :article => { :name => 'article', :abstract => 'abstract', :body => "the of article ..." }
+ assert_equal "the of article ...", assigns(:article).body
+ end
+
+ should 'not filter html tags permitted from tiny mce article body' do
+ post :new, :type => 'TinyMceArticle', :profile => profile.identifier, :article => { :name => 'article', :abstract => 'abstract', :body => "the of article ..." }
+ assert_equal "the of article ...", assigns(:article).body
+ end
end
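Review bot: None of the six new tests (L106-L139) submits any markup — `"a test article"`, `"test"`, `" article"`, `"the of article ..."` — so `assert_sanitized` and `assert_equal` pass whether or not the sanitizer runs, and the last two tests are byte-identical. Give each a payload that the sanitizer must change: for the Textile cases something like `:name => '<script>alert(1)</script>a test article'` followed by `assert_no_match /<script/, assigns(:article).name`, and for the TinyMce body `:body => '<b>bold</b><script>alert(1)</script>'` with `assert_match /<b>bold<\/b>/, assigns(:article).body` plus `assert_no_match /<script/, assigns(:article).body`. I have used match/no-match rather than exact strings because the white-list sanitizer's handling of disallowed content (drop vs. escape) is not visible from this diff.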
diff --git a/test/functional/consumed_products_controller_test.rb b/test/functional/consumed_products_controller_test.rb
index 92f8d5a..2007eff 100644
--- a/test/functional/consumed_products_controller_test.rb
+++ b/test/functional/consumed_products_controller_test.rb
@@ -18,7 +18,7 @@ class ConsumedProductsControllerTest < Test::Unit::TestCase
attr_reader :profile
def test_local_files_reference
- assert_local_files_reference
+ assert_local_files_reference :get, :index, :profile => profile.identifier
end
def test_valid_xhtml
diff --git a/test/functional/content_viewer_controller_test.rb b/test/functional/content_viewer_controller_test.rb
index 99288fc..ef0cf47 100644
--- a/test/functional/content_viewer_controller_test.rb
+++ b/test/functional/content_viewer_controller_test.rb
@@ -18,7 +18,9 @@ class ContentViewerControllerTest < Test::Unit::TestCase
attr_reader :profile
def test_local_files_reference
- assert_local_files_reference
+ page = profile.articles.build(:name => 'test')
+ page.save!
+ assert_local_files_reference :get, :view_page, :profile => profile.identifier, :page => [ 'test' ]
end
def test_valid_xhtml
diff --git a/test/functional/enterprise_editor_controller_test.rb b/test/functional/enterprise_editor_controller_test.rb
index 690d1f1..d2c30b6 100644
--- a/test/functional/enterprise_editor_controller_test.rb
+++ b/test/functional/enterprise_editor_controller_test.rb
@@ -12,7 +12,8 @@ class EnterpriseEditorControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ user = create_user('test_user').person
+ assert_local_files_reference :get, :index, :profile => user.identifier
end
def test_valid_xhtml
diff --git a/test/functional/enterprise_registration_controller_test.rb b/test/functional/enterprise_registration_controller_test.rb
index 0f02482..7db8a30 100644
--- a/test/functional/enterprise_registration_controller_test.rb
+++ b/test/functional/enterprise_registration_controller_test.rb
@@ -119,11 +119,6 @@ all_fixtures
assert_sanitized assigns(:create_enterprise).acronym
end
- should 'filter html from foundation_year' do
- post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :foundation_year => 'foundation_year' }
- assert_sanitized assigns(:create_enterprise).foundation_year
- end
-
should 'filter html from legal_form' do
post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :legal_form => 'legal_form' }
assert_sanitized assigns(:create_enterprise).legal_form
diff --git a/test/functional/enterprise_validation_test.rb b/test/functional/enterprise_validation_test.rb
index c9db894..93cebb4 100644
--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -20,7 +20,7 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ assert_local_files_reference :get, :index, :profile => 'ze'
end
def test_valid_xhtml
diff --git a/test/functional/manage_products_controller_test.rb b/test/functional/manage_products_controller_test.rb
index b138769..b6214e2 100644
--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
@@ -16,7 +16,7 @@ class ManageProductsControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ assert_local_files_reference :get, :index, :profile => 'test_user'
end
def test_valid_xhtml
diff --git a/test/functional/memberships_controller_test.rb b/test/functional/memberships_controller_test.rb
index 2167aeb..9de0c8a 100644
--- a/test/functional/memberships_controller_test.rb
+++ b/test/functional/memberships_controller_test.rb
@@ -17,7 +17,7 @@ class MembershipsControllerTest < Test::Unit::TestCase
attr_reader :profile
def test_local_files_reference
- assert_local_files_reference
+ assert_local_files_reference :get, :index, :profile => profile.identifier
end
def test_valid_xhtml
diff --git a/test/functional/my_profile_controller_test.rb b/test/functional/my_profile_controller_test.rb
index b0b9289..bebaf4a 100644
--- a/test/functional/my_profile_controller_test.rb
+++ b/test/functional/my_profile_controller_test.rb
@@ -21,7 +21,10 @@ class MyProfileControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ @controller = OnlyForPersonTestController.new
+ user = create_user('test_user').person
+ assert_local_files_reference :get, :index, :profile => user.identifier
+ #get :index, :profile => user.identifier
end
def test_valid_xhtml
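Review bot: Line L236 leaves a commented-out `#get :index, :profile => user.identifier` behind in `test_local_files_reference`; it is dead code that the assertion on L235 already performs. Delete the line rather than keeping it as a reminder.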
diff --git a/test/functional/profile_design_controller_test.rb b/test/functional/profile_design_controller_test.rb
index 001635f..308726a 100644
--- a/test/functional/profile_design_controller_test.rb
+++ b/test/functional/profile_design_controller_test.rb
@@ -63,7 +63,7 @@ class ProfileDesignControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ assert_local_files_reference :get, :index, :profile => 'ze'
end
def test_valid_xhtml
diff --git a/test/functional/profile_editor_controller_test.rb b/test/functional/profile_editor_controller_test.rb
index fe9c0a0..87337ca 100644
--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
@@ -15,7 +15,7 @@ class ProfileEditorControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ assert_local_files_reference :get, :index, :profile => 'ze'
end
def test_valid_xhtml
diff --git a/test/functional/profile_members_controller_test.rb b/test/functional/profile_members_controller_test.rb
index f001ac9..b3b8ac9 100644
--- a/test/functional/profile_members_controller_test.rb
+++ b/test/functional/profile_members_controller_test.rb
@@ -12,7 +12,8 @@ class ProfileMembersControllerTest < Test::Unit::TestCase
end
def test_local_files_reference
- assert_local_files_reference
+ user = create_user('test_user').person
+ assert_local_files_reference :get, :index, :profile => user.identifier
end
def test_valid_xhtml
diff --git a/test/functional/public_controller_test.rb b/test/functional/public_controller_test.rb
index acffc24..5256c86 100644
--- a/test/functional/public_controller_test.rb
+++ b/test/functional/public_controller_test.rb
@@ -12,14 +12,6 @@ class PublicControllerTest < Test::Unit::TestCase
@response = ActionController::TestResponse.new
end
- def test_local_files_reference
- assert_local_files_reference
- end
-
- def test_valid_xhtml
- assert_valid_xhtml
- end
-
# Replace this with your real tests.
def test_truth
assert true
diff --git a/test/functional/system_controller_test.rb b/test/functional/system_controller_test.rb
index cc739f3..d70d96a 100644
--- a/test/functional/system_controller_test.rb
+++ b/test/functional/system_controller_test.rb
@@ -11,14 +11,6 @@ class SystemControllerTest < Test::Unit::TestCase
@response = ActionController::TestResponse.new
end
- def test_local_files_reference
- assert_local_files_reference
- end
-
- def test_valid_xhtml
- assert_valid_xhtml
- end
-
# Replace this with your real tests.
def test_truth
assert true
diff --git a/vendor/plugins/xss_terminate/lib/xss_terminate.rb b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
index cde9408..cd8b572 100644
--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -15,65 +15,78 @@ module XssTerminate
module ClassMethods
def xss_terminate(options = {})
+ options[:with] ||= 'full'
+ filter_with = 'sanitize_fields_with_' + options[:with]
# :on is util when before_filter dont work for model
case options[:on]
when 'create'
- before_create :sanitize_fields
+ before_create filter_with
when 'validation'
- before_validation :sanitize_fields
+ before_validation filter_with
else
- before_save :sanitize_fields
+ before_save filter_with
end
-
- sanitizer = case options[:with]
- when 'html5lib'
- HTML5libSanitize.new
- when 'white_list'
- RailsSanitize.white_list_sanitizer
- else
- RailsSanitize.full_sanitizer
- end
-
- write_inheritable_attribute(:xss_terminate_options, {
+ write_inheritable_attribute("xss_terminate_#{options[:with]}_options".to_sym, {
:except => (options[:except] || []),
- :only => (options[:only] || options[:sanitize] || []),
- :sanitizer => sanitizer,
-
- :html5lib_sanitize => (options[:html5lib_sanitize] || [])
+ :only => (options[:only] || options[:sanitize] || [])
})
-
- class_inheritable_reader :xss_terminate_options
-
+ class_inheritable_reader "xss_terminate_#{options[:with]}_options".to_sym
include XssTerminate::InstanceMethods
end
+
end
module InstanceMethods
- def sanitize_fields
+ def sanitize_field(sanitizer, field, serialized = false)
+ field = field.to_sym
+ if serialized
+ puts field
+ self[field].each_key { |key|
+ key = key.to_sym
+ self[field][key] = sanitizer.sanitize(self[field][key])
+ }
+ else
+ if self[field]
+ self[field] = sanitizer.sanitize(self[field])
+ else
+ self.send("#{field}=", sanitizer.sanitize(self.send("#{field}")))
+ end
+ end
+ end
- columns = self.class.columns.select{ |i| i.type == :string || i.type == :text }.map{ |i| i.name }
+ def sanitize_columns(with = :full)
columns_serialized = self.class.serialized_attributes.keys
+ only = eval "xss_terminate_#{with}_options[:only]"
+ except = eval "xss_terminate_#{with}_options[:except]"
+ unless except.empty?
+ only.delete_if{ |i| except.include?( i.to_sym ) }
+ end
+ return only, columns_serialized
+ end
- if !xss_terminate_options[:only].empty?
- columns = columns.select{ |i| xss_terminate_options[:only].include?( i.to_sym ) }
- elsif !xss_terminate_options[:except].empty?
- columns.delete_if{ |i| xss_terminate_options[:except].include?( i.to_sym ) }
+ def sanitize_fields_with_full
+ sanitizer = RailsSanitize.full_sanitizer
+ columns, columns_serialized = sanitize_columns(:full)
+ columns.each do |column|
+ sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
end
+ end
+ def sanitize_fields_with_white_list
+ sanitizer = RailsSanitize.white_list_sanitizer
+ columns, columns_serialized = sanitize_columns(:white_list)
columns.each do |column|
- field = column.to_sym
- if columns_serialized.include?(column)
- next unless self[field]
- self[field].each_key { |key|
- key = key.to_sym
- self[field][key] = xss_terminate_options[:sanitizer].sanitize(self[field][key])
- }
- else
- self[field] = xss_terminate_options[:sanitizer].sanitize(self[field])
- end
+ sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
end
+ end
+ def sanitize_fields_with_html5lib
+ sanitizer = HTML5libSanitize.new
+ columns = sanitize_columns(:html5lib)
+ columns.each do |column|
+ sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
+ end
end
end
--
libgit2 0.21.2