Commit 2cbbe257bf5dbe4541aa2712e38cbc7e194aec7c
1 parent
90f3cf82
Exists in
master
and in
28 other branches
ActionItem192: filtering html input user from profile editor
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1675 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing
2 changed files
with
17 additions
and
1 deletions
Show diff stats
app/controllers/my_profile/profile_editor_controller.rb
| ... | ... | @@ -41,5 +41,15 @@ class ProfileEditorController < MyProfileController |
| 41 | 41 | end |
| 42 | 42 | end |
| 43 | 43 | |
| 44 | + private | |
| 45 | + | |
| 46 | + require 'erb' | |
| 47 | + include ERB::Util | |
| 48 | + def sanitize | |
| 49 | + if params[:info] | |
| 50 | + params[:info][:name] = html_escape(params[:info][:name]) if params[:info][:name] | |
| 51 | + end | |
| 52 | + end | |
| 53 | + | |
| 44 | 54 | end |
| 45 | 55 | ... | ... |
test/functional/profile_editor_controller_test.rb
| ... | ... | @@ -52,7 +52,6 @@ class ProfileEditorControllerTest < Test::Unit::TestCase |
| 52 | 52 | assert_template 'person_info' |
| 53 | 53 | assert_response :success |
| 54 | 54 | assert_template 'person_info' |
| 55 | - | |
| 56 | 55 | end |
| 57 | 56 | |
| 58 | 57 | def test_saving_profile_info |
| ... | ... | @@ -93,4 +92,11 @@ class ProfileEditorControllerTest < Test::Unit::TestCase |
| 93 | 92 | assert_includes person.categories, cat2 |
| 94 | 93 | end |
| 95 | 94 | |
| 95 | + should 'filter html from name when edit person_info' do | |
| 96 | + person = create_user('test_profile').person | |
| 97 | + name = "name <strong id='name_html_test'>with</strong> html" | |
| 98 | + post :edit, :profile => person.identifier, :info => { :name => name } | |
| 99 | + assert_not_equal name, assigns(:profile).info.name | |
| 100 | + end | |
| 101 | + | |
| 96 | 102 | end | ... | ... |