noosfero | Always sanitize HTML in header and footer

Antonio Terceiro gitlab at gitlab.com
Wed Jan 28 16:47:49 BRST 2015


Antonio Terceiro pushed to refs/heads/master at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>

Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/7441ba6c92304870c6110814fd588718d6e7bde3">7441ba6c</a> by Antonio Terceiro
Always sanitize HTML in header and footer

- - - - -


Changes:

=====================================
app/models/profile.rb
=====================================
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -392,7 +392,7 @@ class Profile < ActiveRecord::Base
   end
 
   xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
-  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+  xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
 
   include WhiteListFilter
   filter_iframes :custom_header, :custom_footer
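Review bot: Dropping `:on => 'validation'` on the `custom_footer`/`custom_header` line only changes when future writes are sanitized; rows already stored through a path that skipped validation keep whatever raw HTML they hold and will still be rendered. A one-off re-save of existing profiles (or a migration that runs the same white-list filter over stored `custom_header`/`custom_footer`) is needed for the fix to cover current data. The sibling `xss_terminate` on the preceding context line still has `:on => 'validation'` for `name`, `nickname`, `address`, `contact_phone` and `description`, so the same validation-bypass that motivated this commit presumably still applies to those fields; a comment such as `# sanitized on save, not validation, so update_attribute-style writes cannot bypass it` on the changed line would record why the two declarations differ. The surrounding class continues outside this hunk.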

=====================================
test/unit/profile_test.rb
=====================================
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -840,6 +840,14 @@ class ProfileTest < ActiveSupport::TestCase
     assert_equal 'environment footer', profile.custom_footer
   end
 
+  should 'sanitize custom header and footer' do
+    p = fast_create(Profile)
+    script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>'
+    p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+    assert_no_tag_in_string p.custom_header, tag: 'script'
+    assert_no_tag_in_string p.custom_footer, tag: 'script'
+  end
+
   should 'store theme' do
     p = build(Profile, :theme => 'my-shiny-theme')
     assert_equal 'my-shiny-theme', p.theme
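Review bot: The new test only proves that a literal `<script>` element is stripped, which a white-list sanitizer will almost always do; the vectors that typically survive such filters are attribute- and URL-based. Adding a second payload exercised through the same call, e.g. `<img src=x onerror="alert(1)">` and `<a href="javascript:alert(1)">x</a>`, and asserting the result contains neither `onerror` nor `javascript:` would give the test real coverage of the `white_list` path. `update_header_and_footer` is defined outside this hunk, so whether it skips validation (the case this commit targets) cannot be confirmed here.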
@@ -1555,8 +1563,6 @@ class ProfileTest < ActiveSupport::TestCase
     profile.address = "<h1><</h2< Malformed >> html >< tag"
     profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
     profile.description = "<h1<a> Malformed >> html ></a>< tag"
-    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
-    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
     profile.valid?
 
     assert_no_match /[<>]/, profile.name
@@ -1568,6 +1574,16 @@ class ProfileTest < ActiveSupport::TestCase
     assert_no_match /[<>]/, profile.custom_footer
   end
 
+  should 'escape malformed html tags in header and footer' do
+    profile = fast_create(Profile)
+    profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+    profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+    profile.save
+
+    assert_no_match /[<>]/, profile.custom_header
+    assert_no_match /[<>]/, profile.custom_footer
+  end
+
   should 'not sanitize html comments' do
     profile = Profile.new
     profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>'
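Review bot: The context line `assert_no_match /[<>]/, profile.custom_footer` (and presumably the matching `custom_header` assertion just above it, outside this view) still sits in the earlier test even though the previous hunk removed the assignments to those attributes, so it now passes trivially against a nil value; those stale assertions should be deleted along with the assignments, otherwise the test misleadingly suggests the validation-time path sanitizes these fields. In the new test, `profile.save` discards the return value; `assert profile.save` would distinguish "save failed, callback never ran" from "callback ran but did not escape".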
