ActionItem192: filtering html input user from profile editor

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1675 3f533792-8f58-4932-b0fe-aaf55b0a4547

ActionItem192: filtering html input user from profile editor
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1675 3f533792-8f58-4932-b0fe-aaf55b0a4547
JoenioCosta
1 parent 90f3cf82
Showing 2 changed files with 17 additions and 1 deletions Show diff stats
app/controllers/my_profile/profile_editor_controller.rb
test/functional/profile_editor_controller_test.rb
@@ -41,5 +41,15 @@ class ProfileEditorController &lt; MyProfileController
     end
   end
+  private
+
+  require 'erb'
+  include ERB::Util
+  def sanitize
+    if params[:info]
+      params[:info][:name] = html_escape(params[:info][:name]) if params[:info][:name]
+    end
+  end
+
 end
@@ -52,7 +52,6 @@ class ProfileEditorControllerTest &lt; Test::Unit::TestCase
     assert_template 'person_info'
     assert_response :success
     assert_template 'person_info'
-
   end
   def test_saving_profile_info 
@@ -93,4 +92,11 @@ class ProfileEditorControllerTest &lt; Test::Unit::TestCase
     assert_includes person.categories, cat2
   end
+  should 'filter html from name when edit person_info' do
+    person = create_user('test_profile').person
+    name = "name <strong id='name_html_test'>with</strong> html"
+    post :edit, :profile => person.identifier, :info => { :name => name }
+    assert_not_equal name, assigns(:profile).info.name
+  end
+
 end
	@@ -41,5 +41,15 @@ class ProfileEditorController < MyProfileController		@@ -41,5 +41,15 @@ class ProfileEditorController < MyProfileController
41	end	41	end
42	end	42	end
43		43
		44	+ private
		45	+
		46	+ require 'erb'
		47	+ include ERB::Util
		48	+ def sanitize
		49	+ if params[:info]
		50	+ params[:info][:name] = html_escape(params[:info][:name]) if params[:info][:name]
		51	+ end
		52	+ end
		53	+
44	end	54	end
45		55