ActionItem192: filtering html input user from validation info

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1679 3f533792-8f58-4932-b0fe-aaf55b0a4547

ActionItem192: filtering html input user from validation info
git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1679 3f533792-8f58-4932-b0fe-aaf55b0a4547
JoenioCosta
1 parent 6d246d56
Showing 2 changed files with 28 additions and 1 deletions Show diff stats
app/controllers/my_profile/enterprise_validation_controller.rb
test/functional/enterprise_validation_test.rb
@@ -60,4 +60,15 @@ class EnterpriseValidationController &lt; MyProfileController
     end
   end
  
+  private
+
+  require 'erb'
+  include ERB::Util
+  def sanitize
+    if params[:info]
+      params[:info][:validation_methodology] = html_escape(params[:info][:validation_methodology]) if params[:info][:validation_methodology]
+      params[:info][:restrictions] = html_escape(params[:info][:restrictions]) if params[:info][:restrictions]
+    end
+  end
+
 end
@@ -104,7 +104,7 @@ class EnterpriseValidationControllerTest &lt; Test::Unit::TestCase
   should 'save an alteration of the validation info' do
     info = ValidationInfo.new(:validation_methodology => 'none')
     @org.expects(:validation_info).returns(info)
-    post :edit_validation_info, :profile => 'myorg', :validation_info => {:validatin_methodology => 'new methodaology'}
+    post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
  
     assert_response :redirect
     assert_redirected_to :action => 'index'
@@ -120,4 +120,20 @@ class EnterpriseValidationControllerTest &lt; Test::Unit::TestCase
     assert_equal info, assigns(:info)
   end
  
+  should 'filter html from methodology of the validation info' do
+    info = ValidationInfo.new(:validation_methodology => 'none')
+    @org.expects(:validation_info).returns(info)
+    post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new <b>methodology</b>'}
+
+    assert_not_equal assigns(:info).validation_methodology, 'new <b>methodology</b>'
+  end
+
+  should 'filter html from restriction of the validation info' do
+    info = ValidationInfo.new(:validation_methodology => 'none')
+    @org.expects(:validation_info).returns(info)
+    post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new <b>methodology</b>'}
+
+    assert_not_equal assigns(:info).restrictions, 'new <b>methodology</b>'
+  end
+
 end
...	...	@@ -60,4 +60,15 @@ class EnterpriseValidationController < MyProfileController
60	60	end
61	61	end
62	62
	63	+ private
	64	+
	65	+ require 'erb'
	66	+ include ERB::Util
	67	+ def sanitize
	68	+ if params[:info]
	69	+ params[:info][:validation_methodology] = html_escape(params[:info][:validation_methodology]) if params[:info][:validation_methodology]
	70	+ params[:info][:restrictions] = html_escape(params[:info][:restrictions]) if params[:info][:restrictions]
	71	+ end
	72	+ end
	73	+
63	74	end
...	...
...	...	@@ -104,7 +104,7 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
104	104	should 'save an alteration of the validation info' do
105	105	info = ValidationInfo.new(:validation_methodology => 'none')
106	106	@org.expects(:validation_info).returns(info)
107		- post :edit_validation_info, :profile => 'myorg', :validation_info => {:validatin_methodology => 'new methodaology'}
	107	+ post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new methodology'}
108	108
109	109	assert_response :redirect
110	110	assert_redirected_to :action => 'index'
...	...	@@ -120,4 +120,20 @@ class EnterpriseValidationControllerTest < Test::Unit::TestCase
120	120	assert_equal info, assigns(:info)
121	121	end
122	122
	123	+ should 'filter html from methodology of the validation info' do
	124	+ info = ValidationInfo.new(:validation_methodology => 'none')
	125	+ @org.expects(:validation_info).returns(info)
	126	+ post :edit_validation_info, :profile => 'myorg', :info => {:validation_methodology => 'new <b>methodology</b>'}
	127	+
	128	+ assert_not_equal assigns(:info).validation_methodology, 'new <b>methodology</b>'
	129	+ end
	130	+
	131	+ should 'filter html from restriction of the validation info' do
	132	+ info = ValidationInfo.new(:validation_methodology => 'none')
	133	+ @org.expects(:validation_info).returns(info)
	134	+ post :edit_validation_info, :profile => 'myorg', :info => {:restrictions => 'new <b>methodology</b>'}
	135	+
	136	+ assert_not_equal assigns(:info).restrictions, 'new <b>methodology</b>'
	137	+ end
	138	+
123	139	end
...	...