Download as
Browse Code »

Commit 6d246d56d8d3c9f1669a9e97cdd81e59c625ec4d

Authored by JoenioCosta
1 parent 85fd17e1
Exists in master and in 28 other branches 1.2+SPB2, 2_split_by_role, add_fields_in_api, api_fixies, api_pagination, api_private_token, api_tasks, article_hit_count, blog_page_bug, checkbox_to_user_can_edit_page, communities_ratings, communities_ratings_moderation, community_ratings_rebase, fix_cloned_article_parent, fix_gallery_image_url, fix_javascript_categories, fix_optional_fields, fix_suggest_article, fix_user_email_validation, highlight_block_fix, notification_plugin, notification_plugin_rebase, script_to_update, split_by_role, stable, temp_ratings, tests, tests_fixies

ActionItem192: filtering html input user from products 

git-svn-id: https://svn.colivre.coop.br/svn/noosfero/trunk@1678 3f533792-8f58-4932-b0fe-aaf55b0a4547
Showing 2 changed files with 23 additions and 0 deletions   Show diff stats
app/controllers/my_profile/manage_products_controller.rb
  Diff comments   View file @6d246d5
@@ -56,5 +56,16 @@ class ManageProductsController < ApplicationController @@ -56,5 +56,16 @@ class ManageProductsController < ApplicationController
56 @categories = @current_category.children 56 @categories = @current_category.children
57 render :partial => 'subcategories' 57 render :partial => 'subcategories'
58 end 58 end
  59 +
  60 + private
  61 +
  62 + require 'erb'
  63 + include ERB::Util
  64 + def sanitize
  65 + if params[:product]
  66 + params[:product][:name] = html_escape(params[:product][:name]) if params[:product][:name]
  67 + params[:product][:description] = html_escape(params[:product][:description]) if params[:product][:description]
  68 + end
  69 + end
59 70
60 end 71 end
test/functional/manage_products_controller_test.rb
  Diff comments   View file @6d246d5
@@ -169,4 +169,16 @@ class ManageProductsControllerTest < Test::Unit::TestCase @@ -169,4 +169,16 @@ class ManageProductsControllerTest < Test::Unit::TestCase
169 assert_tag :tag => 'input', :attributes => { :type => 'file', :name => 'product[image_builder][uploaded_data]' } 169 assert_tag :tag => 'input', :attributes => { :type => 'file', :name => 'product[image_builder][uploaded_data]' }
170 end 170 end
171 171
  172 + should 'filter html from name of product' do
  173 + category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
  174 + post 'new', :profile => @enterprise.identifier, :product => { :name => "<b id='html_name'>name bold</b>", :product_category_id => category.id }
  175 + assert_not_equal assigns(:product).name, "<b id='html_name'>name bold</b>"
  176 + end
  177 +
  178 + should 'filter html from description of product' do
  179 + category = ProductCategory.create!(:name => 'Category 1', :environment => Environment.default)
  180 + post 'new', :profile => @enterprise.identifier, :product => { :name => 'name', :description => "<b id='html_descr'>descr bold</b>", :product_category_id => category.id }
  181 + assert_not_equal assigns(:product).description, "<b id='html_descr'>descr bold</b>"
  182 + end
  183 +
172 end 184 end