Commit fa7cddb0f79d4bb6d7750ed6fd41bb63446a6012

Authored by Victor Costa
1 parent 23b9a863

Sanitize HTML in folder name

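--- a/app/models/folder.rb
+++ b/app/models/folder.rb
@@ -12,7 +12,7 @@ class Folder < Article
 
 acts_as_having_settings :field => :setting
 
-xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation'
+xss_terminate :only => [ :name, :body ], :with => 'white_list', :on => 'validation'
 
 include WhiteListFilter
 filter_iframes :body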
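Review bot: The new `xss_terminate` line applies the same white-list filter to `name` as to `body`, but a folder name is plain text, so the white-list (which by design keeps some tags and attributes) is a looser filter than the field needs; a variant that strips all markup from `name` would be a better fit, if the plugin in this tree offers one. The filter also only runs `:on => 'validation'`, so any write path that skips validations would presumably store the raw name; this is worth a comment on the line, e.g. `# name is sanitized only when validations run; output must still be escaped in views`. The enclosing class `Folder` starts and ends outside the hunk.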
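--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -100,6 +100,14 @@ class FolderTest < ActiveSupport::TestCase
 assert_includes folder.images(true), community.articles.find_by_name('rails.png')
 end
 
+should 'not let pass javascript in the name' do
+folder = Folder.new
+folder.name = "<script> alert(Xss!); </script>"
+folder.valid?
+
+assert_no_match /(<script>)/, folder.name
+end
+
 should 'not let pass javascript in the body' do
 folder = Folder.new
 folder.body = "<script> alert(Xss!); </script>"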
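Review bot: The new test only asserts that the literal `<script>` tag is gone from `folder.name`, which pins the weakest possible property of the filter; a positive assertion on the sanitized value would catch regressions where the filter strips too much or too little, e.g. `assert_equal ' alert(Xss!); ', folder.name` if that is what the white-list filter produces for this input (worth confirming by running it once). As a point of style, `assert_no_match /(<script>)/, folder.name` passes a regex literal as an unparenthesized first argument, which Ruby warns about as ambiguous; `assert_no_match(/<script>/, folder.name)` reads the same and avoids the warning. The same shape is repeated in the existing body test just below, which the hunk cuts off.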