Merge branch 'stable'

Antonio Terceiro
2 parents c54209cc 22fe3dfc
Showing 31 changed files with 316 additions and 35 deletions Show diff stats
app/helpers/folder_helper.rb
app/models/article.rb
app/models/comment.rb
app/models/community.rb
app/models/consumption.rb
app/models/environment.rb
app/models/event.rb
app/models/folder.rb
app/models/organization.rb
app/models/product.rb
app/models/profile.rb
app/models/text_article.rb
app/models/tiny_mce_article.rb
app/models/validation_info.rb
app/views/cms/view.rhtml
features/short_filename.feature
test/fixtures/files/AGENDA_CULTURA_-_FESTA_DE_VAQUEIROS_PONTO_DE_SERRA_PRETA_BAIXA.txt
test/unit/application_helper_test.rb
test/unit/article_test.rb
test/unit/comment_test.rb
@@ -19,7 +19,7 @@ module FolderHelper
   def display_article_in_listing(article, recursive = false, level = 0)
     result = content_tag(
       'tr',
-      content_tag('td', link_to(('&nbsp;' * (level * 4) ) + image_tag(icon_for_article(article)) + article.name, article.url.merge(:view => true)))+
+      content_tag('td', link_to(('&nbsp;' * (level * 4) ) + image_tag(icon_for_article(article)) + short_filename(article.name), article.url.merge(:view => true)))+
       content_tag('td', show_date(article.updated_at), :class => 'last-update'),
       :class => 'sitemap-item'
     )
@@ -69,4 +69,11 @@ module FolderHelper
     _('Edit folder')
   end
  
+  def short_filename(filename, limit_chars = 43)
+    return filename if filename.size <= limit_chars
+    extname = File.extname(filename)
+    basename = File.basename(filename,extname)
+    str_complement = '(...)'
+    return basename[0..(limit_chars - extname.size - str_complement.size - 1)] + str_complement + extname
+  end
 end
@@ -26,7 +26,7 @@ class Article &lt; ActiveRecord::Base
     article.published_at = article.created_at if article.published_at.nil?
   end
  
-  xss_terminate :only => [ :name ]
+  xss_terminate :only => [ :name ], :on => 'validation'
  
   named_scope :in_category, lambda { |category|
     {:include => 'categories', :conditions => { 'categories.id' => category.id }}
@@ -17,7 +17,7 @@ class Comment &lt; ActiveRecord::Base
     end
   end
  
-  xss_terminate :only => [ :body, :title, :name ]
+  xss_terminate :only => [ :body, :title, :name ], :on => 'validation'
  
   def author_name
     if author
@@ -5,8 +5,6 @@ class Community &lt; Organization
   settings_items :language
   settings_items :zip_code, :city, :state, :country
  
-  xss_terminate :only => [ :name, :address, :contact_phone, :description ]
-
   before_create do |community|
     community.moderated_articles = true if community.environment.enabled?('organizations_are_moderated_by_default')
   end
@@ -22,6 +20,8 @@ class Community &lt; Organization
     community
   end
  
+  xss_terminate :only => [ :name, :address, :contact_phone, :description ], :on => 'validation'
+
   FIELDS = %w[
     city
     state
@@ -4,6 +4,6 @@ class Consumption &lt; ActiveRecord::Base
  
   validates_uniqueness_of :product_category_id, :scope => :profile_id
  
-  xss_terminate :only => [ :aditional_specifications ]
+  xss_terminate :only => [ :aditional_specifications ], :on => 'validation'
  
 end
@@ -471,7 +471,7 @@ class Environment &lt; ActiveRecord::Base
  
   validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |record| ! record.contact_email.blank? })
  
-  xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list'
+  xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list', :on => 'validation'
  
  
   # #################################################
@@ -6,7 +6,8 @@ class Event &lt; Article
   settings_items :link, :type => :string
   settings_items :address, :type => :string
  
-  xss_terminate :only => [ :description, :link, :address ], :with => 'white_list'
+  xss_terminate :only => [ :link ], :on => 'validation'
+  xss_terminate :only => [ :description, :link, :address ], :with => 'white_list', :on => 'validation'
  
   validates_presence_of :title, :start_date
  
@@ -4,7 +4,7 @@ class Folder &lt; Article
  
   settings_items :view_as, :type => :string, :default => 'folder'
  
-  xss_terminate :only => [ :body ], :with => 'white_list'
+  xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation'
  
   def self.select_views
     [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
@@ -77,7 +77,7 @@ class Organization &lt; Profile
  
   validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |org| !org.contact_email.blank? })
  
-  xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ]
+  xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ], :on => 'validation'
  
   # Yes, organizations have members.
   #
@@ -31,7 +31,7 @@ class Product &lt; ActiveRecord::Base
  
   acts_as_searchable :fields => [ :name, :description, :category_full_name ]
  
-  xss_terminate :only => [ :name, :description ]
+  xss_terminate :only => [ :name, :description ], :on => 'validation'
  
   acts_as_mappable
  
@@ -294,8 +294,8 @@ class Profile &lt; ActiveRecord::Base
     self.save_without_validation!
   end
  
-  xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ]
-  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
+  xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
+  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
  
   # returns the contact email for this profile.
   #
 # a base class for all text article types.  
 class TextArticle < Article
  
-  xss_terminate :only => [ :name, :abstract, :body ]
+  xss_terminate :only => [ :name, :abstract, :body ], :on => 'validation'
 end
@@ -9,6 +9,6 @@ class TinyMceArticle &lt; TextArticle
   end
  
   xss_terminate :except => [ :abstract, :body ]
-  xss_terminate :only => [ :abstract, :body ], :with => 'white_list'
+  xss_terminate :only => [ :abstract, :body ], :with => 'white_list', :on => 'validation'
  
 end
@@ -3,5 +3,5 @@ class ValidationInfo &lt; ActiveRecord::Base
  
   belongs_to :organization
  
-  xss_terminate :only => [ :validation_methodology, :restrictions ]
+  xss_terminate :only => [ :validation_methodology, :restrictions ], :on => 'validation'
 end
@@ -72,7 +72,7 @@
     <tr>
       <td>
         <%= image_tag(icon_for_article(item)) %>
-        <%= link_to item.name, :action => 'edit', :id => item.id %>
+        <%= link_to short_filename(item.name,30), :action => 'edit', :id => item.id %>
       </td>
       <td>
         <%= item.class.short_description %>
@@ -0,0 +1,21 @@
+Feature: sitemap
+  As a noosfero user
+  I want to list articles
+
+  Background:
+    Given I am on the homepage
+    And the following users
+      | login | name |
+      | joaosilva | Joao Silva |
+    And the following files
+      | owner   | file      | mime      |
+      | joaosilva | AGENDA_CULTURA_-_FESTA_DE_VAQUEIROS_PONTO_DE_SERRA_PRETA_BAIXA.txt | text/plain |
+
+  Scenario: view a folder page
+    When I am on /profile/joaosilva/sitemap
+    Then I should see "AGENDA_CULTURA_-_FESTA_DE_VAQUEIRO(...).txt"
+
+  Scenario: view the CMS
+    Given I am logged in as "joaosilva"
+    When I am on /myprofile/joaosilva/cms
+    Then I should see "AGENDA_CULTURA_-_FEST(...).txt"
@@ -0,0 +1 @@
+test
@@ -558,6 +558,18 @@ class ApplicationHelperTest &lt; Test::Unit::TestCase
     assert_equal environment.theme, current_theme
   end
  
+  should 'trunc to 15 chars the big filename' do
+    assert_equal 'AGENDA(...).mp3', short_filename('AGENDA_CULTURA_-_FESTA_DE_VAQUEIROS_PONTO_DE_SERRA_PRETA_BAIXA.mp3',15)
+  end
+
+  should 'trunc to default limit the big filename' do
+    assert_equal 'AGENDA_CULTURA_-_FESTA_DE_VAQUEIRO(...).mp3', short_filename('AGENDA_CULTURA_-_FESTA_DE_VAQUEIROS_PONTO_DE_SERRA_PRETA_BAIXA.mp3')
+  end
+
+  should 'does not trunc short filename' do
+    assert_equal 'filename.mp3', short_filename('filename.mp3')
+  end
+
   protected
  
   def url_for(args = {})
@@ -859,4 +859,20 @@ class ArticleTest &lt; Test::Unit::TestCase
     assert_no_match /</, article.tags.last.name
   end
  
+  should 'sanitize name before validation' do
+    article = Article.new
+    article.name = "<h1 Bla </h1>"
+    article.valid?
+
+    assert article.errors.invalid?(:name)
+  end
+
+  should 'escape malformed html tags' do
+    article = Article.new
+    article.name = "<h1 Malformed >> html >< tag"
+    article.valid?
+
+    assert_no_match /[<>]/, article.name
+  end
+
 end
@@ -187,4 +187,26 @@ class CommentTest &lt; Test::Unit::TestCase
     assert_no_match(/<script>/, comment.name)
   end
  
+  should 'sanitize required fields before validation' do
+    owner = create_user('testuser').person
+    article = owner.articles.create(:name => 'test', :body => '...')
+    comment = article.comments.new(:title => '<h1 title </h1>', :body => '<h1 body </h1>', :name => '<h1 name </h1>', :email => 'cracker@test.org')
+    comment.valid?
+
+    assert comment.errors.invalid?(:name)
+    assert comment.errors.invalid?(:title)
+    assert comment.errors.invalid?(:body)
+  end
+
+  should 'escape malformed html tags' do
+    owner = create_user('testuser').person
+    article = owner.articles.create(:name => 'test', :body => '...')
+    comment = article.comments.new(:title => '<h1 title </h1>>> sd f <<', :body => '<h1>> sdf><asd>< body </h1>', :name => '<h1 name </h1>>><<dfsf<sd', :email => 'cracker@test.org')
+    comment.valid?
+
+    assert_no_match /[<>]/, comment.title
+    assert_no_match /[<>]/, comment.body
+    assert_no_match /[<>]/, comment.name
+  end
+
 end
@@ -114,7 +114,7 @@ class CommunityTest &lt; Test::Unit::TestCase
   should 'require fields if community needs' do
     e = Environment.default
     e.expects(:required_community_fields).returns(['contact_phone']).at_least_once
-    community = Community.new(:environment => e)
+    community = Community.new(:name => 'My community', :environment => e)
     assert ! community.valid?
     assert community.errors.invalid?(:contact_phone)
  
@@ -200,4 +200,19 @@ class CommunityTest &lt; Test::Unit::TestCase
       community.add_member(person)
     end
   end
+
+  should 'escape malformed html tags' do
+    community = Community.new
+    community.name = "<h1 Malformed >> html >< tag"
+    community.address = "<h1 Malformed >,<<<asfdf> html >< tag"
+    community.contact_phone = "<h1 Malformed<<> >> html >><>< tag"
+    community.description = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    community.valid?
+
+    assert_no_match /[<>]/, community.name
+    assert_no_match /[<>]/, community.address
+    assert_no_match /[<>]/, community.contact_phone
+    assert_no_match /[<>]/, community.description
+  end
+
 end
@@ -3,8 +3,12 @@ require File.dirname(__FILE__) + &#39;/../test_helper&#39;
 class ConsumptionTest < Test::Unit::TestCase
   fixtures :consumptions
  
-  # Replace this with your real tests.
-  def test_truth
-    assert true
+  should 'escape malformed html tags' do
+    consumption = Consumption.new
+    consumption.aditional_specifications = "<h1 Malformed >> html >< tag"
+    consumption.valid?
+
+    assert_no_match /[<>]/, consumption.aditional_specifications
   end
+
 end
@@ -878,4 +878,20 @@ class EnvironmentTest &lt; Test::Unit::TestCase
     assert_equal env.message_for_member_invitation, env.invitation_mail_template(community)
   end
  
+  should 'filter fields with white_list filter' do
+    environment = Environment.new
+    environment.message_for_disabled_enterprise = "<h1> Disabled Enterprise </h1>"
+    environment.valid?
+
+    assert_equal "<h1> Disabled Enterprise </h1>", environment.message_for_disabled_enterprise
+  end
+
+  should 'escape malformed html tags' do
+    environment = Environment.new
+    environment.message_for_disabled_enterprise = "<h1> Disabled Enterprise /h1>"
+    environment.valid?
+
+    assert_no_match /[<>]/, environment.message_for_disabled_enterprise
+  end
+
 end
@@ -222,4 +222,32 @@ class EventTest &lt; ActiveSupport::TestCase
     assert_not_includes profile.events.by_day(today), event_out_of_range
   end
  
+  should 'filter fields with full filter' do
+    event = Event.new
+    event.link = "<h1 Malformed >> html >< tag"
+    event.valid?
+
+    assert_no_match /[<>]/, event.link
+  end
+
+  should 'filter fields with white_list filter' do
+    event = Event.new
+    event.description = "<h1> Description </h1>"
+    event.address = "<strong> Address <strong>"
+    event.valid?
+
+    assert_equal "<h1> Description </h1>", event.description
+    assert_equal "<strong> Address <strong>", event.address
+  end
+
+  should 'escape malformed html tags' do
+    event = Event.new
+    event.description = "<h1<< Description >>/h1>"
+    event.address = "<strong>><< Address <strong>"
+    event.valid?
+
+    assert_no_match /[<>]/, event.description
+    assert_no_match /[<>]/, event.address
+  end
+
 end
@@ -125,17 +125,27 @@ class FolderTest &lt; ActiveSupport::TestCase
   end
  
   should 'not let pass javascript in the body' do
-    owner = create_user('testuser').person
-    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<script>alert("Xss Attack!")</script>'})
-    folder.save!
-    assert_no_match(/<script>/, folder.body)
+    folder = Folder.new
+    folder.body = "<script> alert(Xss!); </script>"
+    folder.valid?
+
+    assert_no_match /(<script>)/, folder.body
   end
  
-  should 'let pass html in the body' do
-    owner = create_user('testuser').person
-    folder = fast_create(Folder, {:profile_id => owner.id, :body => '<strong>I am not a Xss Attack!")</strong>'})
-    folder.save!
-    assert_match(/<strong>/, folder.body)
+  should 'filter fields with white_list filter' do
+    folder = Folder.new
+    folder.body = "<h1> Body </h1>"
+    folder.valid?
+
+    assert_equal "<h1> Body </h1>", folder.body
+  end
+
+  should 'escape malformed html tags' do
+    folder = Folder.new
+    folder.body = "<h1<< Description >>/h1>"
+    folder.valid?
+
+    assert_no_match /[<>]/, folder.body
   end
  
 end
@@ -248,4 +248,24 @@ class OrganizationTest &lt; Test::Unit::TestCase
  
     assert organization.closed
   end
+
+  should 'escape malformed html tags' do
+    organization = Organization.new
+    organization.acronym = "<h1 Malformed >> html >< tag"
+    organization.contact_person = "<h1 Malformed >,<<<asfdf> html >< tag"
+    organization.contact_email = "<h1<malformed@html.com>>"
+    organization.description = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.legal_form = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.economic_activity = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.management_information = "<h1 Malformed /h1>>><<> html ><>h1< tag"
+    organization.valid?
+
+    assert_no_match /[<>]/, organization.acronym
+    assert_no_match /[<>]/, organization.contact_person
+    assert_no_match /[<>]/, organization.contact_email
+    assert_no_match /[<>]/, organization.legal_form
+    assert_no_match /[<>]/, organization.economic_activity
+    assert_no_match /[<>]/, organization.management_information
+  end
+
 end
@@ -193,4 +193,22 @@ class ProductTest &lt; Test::Unit::TestCase
     end
   end
  
+  should 'sanitize name before validation' do
+    product = Product.new
+    product.name = "<h1 Bla </h1>"
+    product.valid?
+
+    assert product.errors.invalid?(:name)
+  end
+
+  should 'escape malformed html tags' do
+    product = Product.new
+    product.name = "<h1 Malformed >> html >< tag"
+    product.description = "<h1 Malformed</h1>><<<a>> >> html >< tag"
+    product.valid?
+
+    assert_no_match /[<>]/, product.name
+    assert_no_match /[<>]/, product.description
+  end
+
 end
@@ -1515,6 +1515,44 @@ class ProfileTest &lt; Test::Unit::TestCase
     assert profile.errors.invalid?(:description)
   end
  
+  should 'sanitize name before validation' do
+    profile = Profile.new
+    profile.name = "<h1 Bla </h1>"
+    profile.valid?
+
+    assert profile.errors.invalid?(:name)
+  end
+
+  should 'filter fields with white_list filter' do
+    profile = Profile.new
+    profile.custom_header = "<h1> Custom Header </h1>"
+    profile.custom_footer = "<strong> Custom Footer <strong>"
+    profile.valid?
+
+    assert_equal "<h1> Custom Header </h1>", profile.custom_header
+    assert_equal "<strong> Custom Footer <strong>", profile.custom_footer
+  end
+
+  should 'escape malformed html tags' do
+    profile = Profile.new
+    profile.name = "<h1 Malformed >> html >>></a>< tag"
+    profile.nickname = "<h1 Malformed <<h1>>< html >< tag"
+    profile.address = "<h1><</h2< Malformed >> html >< tag"
+    profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
+    profile.description = "<h1<a> Malformed >> html ></a>< tag"
+    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+    profile.valid?
+
+    assert_no_match /[<>]/, profile.name
+    assert_no_match /[<>]/, profile.nickname
+    assert_no_match /[<>]/, profile.address
+    assert_no_match /[<>]/, profile.contact_phone
+    assert_no_match /[<>]/, profile.description
+    assert_no_match /[<>]/, profile.custom_header
+    assert_no_match /[<>]/, profile.custom_footer
+  end
+
   private
  
   def assert_invalid_identifier(id)
@@ -26,4 +26,17 @@ class TextArticleTest &lt; Test::Unit::TestCase
     assert_equal "the  article ...", article.body
   end
  
+  should 'escape malformed html tags' do
+    person = create_user('testuser').person
+    article = TextArticle.new(:profile => person)
+    article.name = "<h1 Malformed >> html >>></a>< tag"
+    article.abstract = "<h1 Malformed <<h1>>< html >< tag"
+    article.body = "<h1><</h2< Malformed >> html >< tag"
+    article.valid?
+
+    assert_no_match /[<>]/, article.name
+    assert_no_match /[<>]/, article.abstract
+    assert_no_match /[<>]/, article.body
+  end
+
 end
@@ -21,4 +21,14 @@ class ValidationInfoTest &lt; Test::Unit::TestCase
     end
   end
  
+  should 'escape malformed html tags' do
+    info = ValidationInfo.new
+    info.validation_methodology = "<h1 Malformed >> html >< tag"
+    info.restrictions = "<h1 Malformed >> html >< tag"
+    info.valid?
+
+    assert_no_match /[<>]/, info.validation_methodology
+    assert_no_match /[<>]/, info.restrictions
+  end
+
 end
@@ -38,7 +38,7 @@ module XssTerminate
  
   module InstanceMethods
  
-    def sanitize_field(sanitizer, field, serialized = false)
+    def sanitize_field(sanitizer, field, serialized = false, with= :full)
       field = field.to_sym
       if serialized
         puts field
@@ -49,8 +49,22 @@ module XssTerminate
       else
         if self[field]
           self[field] = sanitizer.sanitize(self[field])
+
+          if with == :full
+            self[field] = CGI.escapeHTML(self[field])
+          elsif with == :white_list
+            self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_tag?(self[field])
+          end
+
         else
           self.send("#{field}=", sanitizer.sanitize(self.send("#{field}")))
+
+          if with == :full
+            self.send("#{field}=", CGI.escapeHTML(self.send("#{field}")))
+          elsif with == :white_list
+            self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) if !wellformed_html_tag?(self.send("#{field}"))
+          end
+
         end
       end
     end
@@ -69,7 +83,7 @@ module XssTerminate
       sanitizer = RailsSanitize.full_sanitizer
       columns, columns_serialized = sanitize_columns(:full)
       columns.each do |column|
-        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
+        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :full)
       end
     end
  
@@ -77,18 +91,33 @@ module XssTerminate
       sanitizer = RailsSanitize.white_list_sanitizer
       columns, columns_serialized = sanitize_columns(:white_list)
       columns.each do |column|
-        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
+        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :white_list)
       end
-    end
+   end
  
     def sanitize_fields_with_html5lib
       sanitizer = HTML5libSanitize.new
       columns = sanitize_columns(:html5lib)
       columns.each do |column|
-        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
+        sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :html5lib)
       end
     end
  
+    def wellformed_html_tag?(field)
+      return true if !field
+
+      counter = 0
+      field.split(//).each do |letter|
+        counter += 1 if letter == '<'
+        counter -= 1 if letter == '>'
+        if counter < 0 ||  1 < counter
+          return false
+        end
+      end
+
+      return counter == 0
+    end
+
   end
  
 end
...	...	@@ -19,7 +19,7 @@ module FolderHelper
19	19	def display_article_in_listing(article, recursive = false, level = 0)
20	20	result = content_tag(
21	21	'tr',
22		- content_tag('td', link_to((' ' * (level * 4) ) + image_tag(icon_for_article(article)) + article.name, article.url.merge(:view => true)))+
	22	+ content_tag('td', link_to((' ' * (level * 4) ) + image_tag(icon_for_article(article)) + short_filename(article.name), article.url.merge(:view => true)))+
23	23	content_tag('td', show_date(article.updated_at), :class => 'last-update'),
24	24	:class => 'sitemap-item'
25	25	)
...	...	@@ -69,4 +69,11 @@ module FolderHelper
69	69	_('Edit folder')
70	70	end
71	71
	72	+ def short_filename(filename, limit_chars = 43)
	73	+ return filename if filename.size <= limit_chars
	74	+ extname = File.extname(filename)
	75	+ basename = File.basename(filename,extname)
	76	+ str_complement = '(...)'
	77	+ return basename[0..(limit_chars - extname.size - str_complement.size - 1)] + str_complement + extname
	78	+ end
72	79	end
...	...
...	...	@@ -26,7 +26,7 @@ class Article < ActiveRecord::Base
26	26	article.published_at = article.created_at if article.published_at.nil?
27	27	end
28	28
29		- xss_terminate :only => [ :name ]
	29	+ xss_terminate :only => [ :name ], :on => 'validation'
30	30
31	31	named_scope :in_category, lambda { \|category\|
32	32	{:include => 'categories', :conditions => { 'categories.id' => category.id }}
...	...
...	...	@@ -17,7 +17,7 @@ class Comment < ActiveRecord::Base
17	17	end
18	18	end
19	19
20		- xss_terminate :only => [ :body, :title, :name ]
	20	+ xss_terminate :only => [ :body, :title, :name ], :on => 'validation'
21	21
22	22	def author_name
23	23	if author
...	...
...	...	@@ -5,8 +5,6 @@ class Community < Organization
5	5	settings_items :language
6	6	settings_items :zip_code, :city, :state, :country
7	7
8		- xss_terminate :only => [ :name, :address, :contact_phone, :description ]
9		-
10	8	before_create do \|community\|
11	9	community.moderated_articles = true if community.environment.enabled?('organizations_are_moderated_by_default')
12	10	end
...	...	@@ -22,6 +20,8 @@ class Community < Organization
22	20	community
23	21	end
24	22
	23	+ xss_terminate :only => [ :name, :address, :contact_phone, :description ], :on => 'validation'
	24	+
25	25	FIELDS = %w[
26	26	city
27	27	state
...	...
...	...	@@ -4,6 +4,6 @@ class Consumption < ActiveRecord::Base
4	4
5	5	validates_uniqueness_of :product_category_id, :scope => :profile_id
6	6
7		- xss_terminate :only => [ :aditional_specifications ]
	7	+ xss_terminate :only => [ :aditional_specifications ], :on => 'validation'
8	8
9	9	end
...	...
...	...	@@ -471,7 +471,7 @@ class Environment < ActiveRecord::Base
471	471
472	472	validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { \|record\| ! record.contact_email.blank? })
473	473
474		- xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list'
	474	+ xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list', :on => 'validation'
475	475
476	476
477	477	# #################################################
...	...
...	...	@@ -6,7 +6,8 @@ class Event < Article
6	6	settings_items :link, :type => :string
7	7	settings_items :address, :type => :string
8	8
9		- xss_terminate :only => [ :description, :link, :address ], :with => 'white_list'
	9	+ xss_terminate :only => [ :link ], :on => 'validation'
	10	+ xss_terminate :only => [ :description, :link, :address ], :with => 'white_list', :on => 'validation'
10	11
11	12	validates_presence_of :title, :start_date
12	13
...	...
...	...	@@ -4,7 +4,7 @@ class Folder < Article
4	4
5	5	settings_items :view_as, :type => :string, :default => 'folder'
6	6
7		- xss_terminate :only => [ :body ], :with => 'white_list'
	7	+ xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation'
8	8
9	9	def self.select_views
10	10	[[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']]
...	...
...	...	@@ -77,7 +77,7 @@ class Organization < Profile
77	77
78	78	validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { \|org\| !org.contact_email.blank? })
79	79
80		- xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ]
	80	+ xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ], :on => 'validation'
81	81
82	82	# Yes, organizations have members.
83	83	#
...	...
...	...	@@ -31,7 +31,7 @@ class Product < ActiveRecord::Base
31	31
32	32	acts_as_searchable :fields => [ :name, :description, :category_full_name ]
33	33
34		- xss_terminate :only => [ :name, :description ]
	34	+ xss_terminate :only => [ :name, :description ], :on => 'validation'
35	35
36	36	acts_as_mappable
37	37
...	...