Download as
Browse Code »

Commit b59e47352e878ff0455cfe5bf4e1fcb40bcc165f

Authored by Joenio Costa
Committed by Antonio Terceiro
1 parent 3133d012
Exists in master and in 28 other branches 1.2+SPB2, 2_split_by_role, add_fields_in_api, api_fixies, api_pagination, api_private_token, api_tasks, article_hit_count, blog_page_bug, checkbox_to_user_can_edit_page, communities_ratings, communities_ratings_moderation, community_ratings_rebase, fix_cloned_article_parent, fix_gallery_image_url, fix_javascript_categories, fix_optional_fields, fix_suggest_article, fix_user_email_validation, highlight_block_fix, notification_plugin, notification_plugin_rebase, script_to_update, split_by_role, stable, temp_ratings, tests, tests_fixies

Stripping HTML tags from article's tag names 

(ActionItem1476)
Showing 4 changed files with 35 additions and 2 deletions   Show diff stats
app/models/article.rb
  Diff comments   View file @b59e473
@@ -348,7 +348,11 @@ class Article < ActiveRecord::Base @@ -348,7 +348,11 @@ class Article < ActiveRecord::Base
348 348
349 def sanitize_tag_list 349 def sanitize_tag_list
350 sanitizer = HTML::FullSanitizer.new 350 sanitizer = HTML::FullSanitizer.new
351 - self.tag_list.names.map!{|i| sanitizer.sanitize(i) } 351 + self.tag_list.names.map!{|i| strip_tag_name sanitizer.sanitize(i) }
  352 + end
  353 +
  354 + def strip_tag_name(tag_name)
  355 + tag_name.gsub(/[<>]/, '')
352 end 356 end
353 357
354 end 358 end
db/migrate/20100413231206_strip_html_from_tag_names.rb 0 → 100644
  Diff comments   View file @b59e473
@@ -0,0 +1,12 @@ @@ -0,0 +1,12 @@
  1 +class StripHtmlFromTagNames < ActiveRecord::Migration
  2 + def self.up
  3 + Tag.all(:conditions => "name LIKE '%<%' OR name LIKE '%>%'").each do |tag|
  4 + tag.name = tag.name.gsub(/[<>]/, '')
  5 + tag.save
  6 + end
  7 + end
  8 +
  9 + def self.down
  10 + say "WARNING: cannot undo this migration"
  11 + end
  12 +end
@@ -9,7 +9,7 @@ @@ -9,7 +9,7 @@
9 # 9 #
10 # It's strongly recommended to check this file into your version control system. 10 # It's strongly recommended to check this file into your version control system.
11 11
12 -ActiveRecord::Schema.define(:version => 20100326171758) do 12 +ActiveRecord::Schema.define(:version => 20100413231206) do
13 13
14 create_table "article_versions", :force => true do |t| 14 create_table "article_versions", :force => true do |t|
15 t.integer "article_id" 15 t.integer "article_id"
test/unit/article_test.rb
  Diff comments   View file @b59e473
@@ -842,4 +842,21 @@ class ArticleTest &lt; Test::Unit::TestCase @@ -842,4 +842,21 @@ class ArticleTest &lt; Test::Unit::TestCase
842 842
843 assert_equal [ published ], profile.articles.published 843 assert_equal [ published ], profile.articles.published
844 end 844 end
  845 +
  846 + should 'sanitize tags after save article' do
  847 + article = fast_create(Article, :slug => 'article-with-tags', :profile_id => profile.id)
  848 + article.tags << Tag.new(:name => "TV Web w<script type='javascript'></script>")
  849 + assert_match /[<>]/, article.tags.last.name
  850 + article.save!
  851 + assert_no_match /[<>]/, article.tags.last.name
  852 + end
  853 +
  854 + should 'strip HTML from tag names after save article' do
  855 + article = fast_create(Article, :slug => 'article-with-tags', :profile_id => profile.id)
  856 + article.tags << Tag.new(:name => "TV Web w<script type=...")
  857 + assert_match /</, article.tags.last.name
  858 + article.save!
  859 + assert_no_match /</, article.tags.last.name
  860 + end
  861 +
845 end 862 end