From 1821a739dbe153faf74cc802ba17b8f8f067cd5c Mon Sep 17 00:00:00 2001
From: JoenioCosta
Date: Thu, 24 Apr 2008 21:43:06 +0000
Subject: [PATCH] ActionItem192: filtering html from enterprise registration fields and add assert_sanitized to test_helper
---
 app/controllers/my_profile/memberships_controller.rb | 11 +++++++++++
 app/controllers/public/enterprise_registration_controller.rb | 12 ++++++++++++
 test/functional/consumed_products_controller_test.rb | 2 +-
 test/functional/enterprise_registration_controller_test.rb | 45 +++++++++++++++++++++++++++++++++++++++++++++
 test/functional/enterprise_validation_test.rb | 6 ++----
 test/functional/manage_products_controller_test.rb | 4 ++--
 test/functional/memberships_controller_test.rb | 13 +++++++++++++
 test/functional/profile_editor_controller_test.rb | 12 ++++++------
 test/test_helper.rb | 5 +++++
 9 files changed, 97 insertions(+), 13 deletions(-)
diff --git a/app/controllers/my_profile/memberships_controller.rb b/app/controllers/my_profile/memberships_controller.rb
index 47589e5..4a7bee1 100644
--- a/app/controllers/my_profile/memberships_controller.rb
+++ b/app/controllers/my_profile/memberships_controller.rb
@@ -24,4 +24,15 @@ class MembershipsController < MyProfileController
 end
 end
+ private
+
+ require 'erb'
+ include ERB::Util
+ def sanitize
+ if params[:community]
+ params[:community][:name] = html_escape(params[:community][:name]) if params[:community][:name]
+ params[:community][:description] = html_escape(params[:community][:description]) if params[:community][:description]
+ end
+ end
+
 end
diff --git a/app/controllers/public/enterprise_registration_controller.rb b/app/controllers/public/enterprise_registration_controller.rb
index 7977982..b3a071b 100644
--- a/app/controllers/public/enterprise_registration_controller.rb
+++ b/app/controllers/public/enterprise_registration_controller.rb
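Review bot: `sanitize` persists the escaped form of the value — `html_escape` on the two `params[:community]` lines rewrites the input before it reaches the model — so the stored name and description contain entities, and when the form is re-rendered after a failed save and resubmitted the same filter would escape them again (`&lt;` becoming `&amp;lt;`), as would any view that escapes on output with `h()`. The usual boundary is to store the raw value and escape at render time; if input-time escaping is deliberate, say so above the method with `# Escapes HTML entities at input time: views must render these attributes without escaping them again.` The `require 'erb'` line belongs at the top of the file rather than under `private` in the class body, and `private` has no effect on the `include ERB::Util` that follows it. Nothing in this hunk registers the method as a filter; if a `before_filter :sanitize` is not declared above line 24 (outside the hunk) it is never called. The same points apply to the `sanitize` added to enterprise_registration_controller.rb in the next hunk.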
@@ -51,4 +51,16 @@ class EnterpriseRegistrationController < ApplicationController
 @create_enterprise.save!
 end
+ private
+
+ require 'erb'
+ include ERB::Util
+ def sanitize
+ if params[:create_enterprise]
+ %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].each{ |i|
+ params[:create_enterprise][i] = html_escape(params[:create_enterprise][i]) if params[:create_enterprise][i]
+ }
+ end
+ end
+
 end
diff --git a/test/functional/consumed_products_controller_test.rb b/test/functional/consumed_products_controller_test.rb
index 6afed4c..e131b8f 100644
--- a/test/functional/consumed_products_controller_test.rb
+++ b/test/functional/consumed_products_controller_test.rb
@@ -44,7 +44,7 @@ class ConsumedProductsControllerTest < Test::Unit::TestCase
 product_category = ProductCategory.create!(:name => 'Food', :environment => Environment.default)
 post :new, :profile => profile.identifier, :consumption => { :product_category_id => product_category.id, :aditional_specifications => 'extra info' }
- assert_not_equal assigns(:consumption).aditional_specifications, 'extra info'
+ assert_sanitized assigns(:consumption).aditional_specifications
 end
 should 'destroy product' do
diff --git a/test/functional/enterprise_registration_controller_test.rb b/test/functional/enterprise_registration_controller_test.rb
index dcb6a8d..1e1173e 100644
--- a/test/functional/enterprise_registration_controller_test.rb
+++ b/test/functional/enterprise_registration_controller_test.rb
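Review bot: The `%w[...]...each{ |i|` block spans three lines and its single-letter parameter hides what is iterated; a `do ... end` block over a named, frozen constant reads better and moves the list of escaped fields to where the next maintainer will look for it. Fields absent from that list — `identifier`, which the registration test posts, is one — reach the model untouched, which is fine only if the model validates them itself; this hunk cannot show that. `foundation_year` is escaped as a string here; if the attribute is numeric the call is harmless but does nothing. A possible rewrite of the method:
```ruby
  # Attributes of the registration form that are HTML-escaped before reaching the model.
  SANITIZED_FIELDS = %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].freeze

  def sanitize
    return unless params[:create_enterprise]

    SANITIZED_FIELDS.each do |field|
      value = params[:create_enterprise][field]
      params[:create_enterprise][field] = html_escape(value) if value
    end
  end
```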
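Review bot: The value posted on the `post :new` line, `'extra info'`, contains no markup, so the new `assert_sanitized` passes whether or not the filter runs, whereas the replaced `assert_not_equal` at least failed when the value came back unchanged. If the tags were stripped when this page was rendered, disregard; otherwise post a value that contains a tag, for example `:aditional_specifications => '<b>extra</b> info'`, and pin the expected escaped result with `assert_equal` in addition to `assert_sanitized`. The `should` block opens above this hunk. The same observation applies to the payloads in the enterprise_registration_controller_test, enterprise_validation_test, manage_products_controller_test, memberships_controller_test and profile_editor_controller_test hunks below.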
@@ -86,4 +86,49 @@ all_fixtures
 assert_template 'confirmation'
 end
+ should 'filter html from name' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew' }
+ assert_sanitized assigns(:create_enterprise).name
+ end
+
+ should 'filter html from address' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :address => 'address' }
+ assert_sanitized assigns(:create_enterprise).address
+ end
+
+ should 'filter html from contact_phone' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_phone => 'contact_phone' }
+ assert_sanitized assigns(:create_enterprise).contact_phone
+ end
+
+ should 'filter html from contact_person' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :contact_person => 'contact_person' }
+ assert_sanitized assigns(:create_enterprise).contact_person
+ end
+
+ should 'filter html from acronym' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :acronym => 'acronym' }
+ assert_sanitized assigns(:create_enterprise).acronym
+ end
+
+ should 'filter html from foundation_year' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :foundation_year => 'foundation_year' }
+ assert_sanitized assigns(:create_enterprise).foundation_year
+ end
+
+ should 'filter html from legal_form' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :legal_form => 'legal_form' }
+ assert_sanitized assigns(:create_enterprise).legal_form
+ end
+
+ should 'filter html from economic_activity' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :economic_activity => 'economic_activity' }
+ assert_sanitized assigns(:create_enterprise).economic_activity
+ end
+
+ should 'filter html from management_information' do
+ post :index, :create_enterprise => { 'name' => 'name', 'identifier' => 'mynew', :management_information
=> 'management_information' }
+ assert_sanitized assigns(:create_enterprise).management_information
+ end
+
 end
diff --git a/test/functional/enterprise_validation_test.rb b/test/functional/enterprise_validation_test.rb
index f00f7db..55eed40 100644
--- a/test/functional/enterprise_validation_test.rb
+++ b/test/functional/enterprise_validation_test.rb
@@ -124,16 +124,14 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
 info = ValidationInfo.new(:validation_methodology => 'none')
 @org.expects(:validation_info).returns(info)
 post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
-
- assert_not_equal assigns(:info).validation_methodology, 'new methodology'
+ assert_sanitized assigns(:info).validation_methodology
 end
 should 'filter html from restriction of the validation info' do
 info = ValidationInfo.new(:validation_methodology => 'none')
 @org.expects(:validation_info).returns(info)
 post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new methodology'}
-
- assert_not_equal assigns(:info).restrictions, 'new methodology'
+ assert_sanitized assigns(:info).restrictions
 end
 end
diff --git a/test/functional/manage_products_controller_test.rb b/test/functional/manage_products_controller_test.rb
index f82181c..4381608 100644
--- a/test/functional/manage_products_controller_test.rb
+++ b/test/functional/manage_products_controller_test.rb
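Review bot: The nine `should 'filter html from …'` blocks differ only in the field name and the posted key, so they are better generated from the field list, which also guarantees that a field added to the controller's list gets a test. Each payload here is plain text (`:address => 'address'` and so on); unless the tags were lost in rendering, these assertions cannot fail, so the generated test should post a tagged value. `foundation_year` is posted as the string `'foundation_year'`; if the model casts it to an integer, `assigns(:create_enterprise).foundation_year` is not a String and the regex assertion says little about the filter, so that field deserves a dedicated test. A generated form:
```ruby
  %w[name address contact_phone contact_person acronym foundation_year legal_form economic_activity management_information].each do |field|
    should "filter html from #{field}" do
      payload = { 'name' => 'name', 'identifier' => 'mynew' }.merge(field => "<b>#{field}</b>")
      post :index, :create_enterprise => payload
      assert_sanitized assigns(:create_enterprise).send(field)
    end
  end
```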
@@ -172,13 +172,13 @@ class ManageProductsControllerTest < Test::Unit::TestCase
 should 'filter html from name of product' do
 category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
 post 'new', :profile => @enterprise.identifier, :product => { :name => "name bold", :product_category_id => category.id }
- assert_not_equal assigns(:product).name, "name bold"
+ assert_sanitized assigns(:product).name
 end
 should 'filter html from description of product' do
 category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
 post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "descr bold", :product_category_id => category.id }
- assert_not_equal assigns(:product).description, "descr bold"
+ assert_sanitized assigns(:product).description
 end
 end
diff --git a/test/functional/memberships_controller_test.rb b/test/functional/memberships_controller_test.rb
index 40f39e3..f80314c 100644
--- a/test/functional/memberships_controller_test.rb
+++ b/test/functional/memberships_controller_test.rb
@@ -5,6 +5,7 @@ require 'memberships_controller'
 class MembershipsController; def rescue_action(e) raise e end; end
 class MembershipsControllerTest < Test::Unit::TestCase
+
 def setup
 @controller = MembershipsController.new
 @request = ActionController::TestRequest.new
@@ -61,4 +62,16 @@ class MembershipsControllerTest < Test::Unit::TestCase
 assert_tag :tag => 'a', :attributes => { :href => "/myprofile/#{profile.identifier}/memberships/new_community" }
 end
+ should 'filter html from name' do
+ login_as(profile.identifier)
+ post :new_community, :profile => profile.identifier, :community => { :name => 'new community' }
+ assert_sanitized assigns(:community).name
+ end
+
+ should 'filter html from description' do
+ login_as(profile.identifier)
+ post :new_community, :profile => profile.identifier, :community => { :name => 'new community', :description => 'new community' }
+ assert_sanitized assigns(:community).description
+ end
+
 end
diff --git a/test/functional/profile_editor_controller_test.rb b/test/functional/profile_editor_controller_test.rb
index ed5398c..f537475 100644
--- a/test/functional/profile_editor_controller_test.rb
+++ b/test/functional/profile_editor_controller_test.rb
@@ -96,42 +96,42 @@ class ProfileEditorControllerTest < Test::Unit::TestCase
 person = create_user('test_profile').person
 name = "name with html"
 post :edit, :profile => person.identifier, :info => { :name => name }
- assert_not_equal name, assigns(:profile).info.name
+ assert_sanitized assigns(:profile).info.name
 end
 should 'filter html from contact_person to organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 contact = "name with html"
 post :edit, :profile => org.identifier, :info => { :contact_person => contact }
- assert_not_equal contact, assigns(:profile).info.contact_person
+ assert_sanitized assigns(:profile).info.contact_person
 end
 should 'filter html from acronym organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name with html"
 post :edit, :profile => org.identifier, :info => { :acronym => value }
- assert_not_equal value, assigns(:profile).info.acronym
+ assert_sanitized assigns(:profile).info.acronym
 end
 should 'filter html from legal_form organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name with html"
 post :edit, :profile => org.identifier, :info => { :legal_form => value }
- assert_not_equal value, assigns(:profile).info.legal_form
+ assert_sanitized assigns(:profile).info.legal_form
 end
 should 'filter html from economic_activity organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name with html"
 post :edit, :profile => org.identifier, :info => { :economic_activity => value }
- assert_not_equal value, assigns(:profile).info.economic_activity
+ assert_sanitized assigns(:profile).info.economic_activity
 end
 should 'filter html from management_information organization' do
 org = Organization.create!(:name => 'test org', :identifier => 'testorg')
 value = "name with html"
 post :edit, :profile => org.identifier, :info => { :management_information => value }
- 
assert_not_equal value, assigns(:profile).info.management_information
+ assert_sanitized assigns(:profile).info.management_information
 end
 end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index a3ae91f..acb906c 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -135,6 +135,11 @@ class Test::Unit::TestCase
 assert_equal parent, child.superclass, "Class #{child} expected to be a subclass of #{parent}"
 end
+ # this check only if string has html tag
+ def assert_sanitized(string)
+ assert_no_match /<[^>]+\/?>/, string, "String #{string} expected to be sanitized"
+ end
+
 private
 def uses_host(name)
-- 
libgit2 0.21.2
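Review bot: `assert_no_match /<[^>]+\/?>/, string, ...` passes a bare regexp literal as the first argument after a space, which Ruby reports as an ambiguous first argument under `-w`; wrapping the arguments, `assert_no_match(/<[^>]+>/, string, "String #{string} expected to be sanitized")`, removes the warning, and the `\/?` is redundant because `[^>]+` already consumes a slash. The helper proves only that no tag-like text survives, not that the value was escaped or preserved, so it says nothing about a payload that never contained markup. The comment above the method is hard to parse; suggested replacement: `# Asserts that +string+ contains no HTML tag-like sequence. Callers must post input that actually contains markup, otherwise the assertion is vacuous.`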