noosfero | 2 new commits pushed to repository
Victor Costa
gitlab at gitlab.com
Thu Jan 29 12:14:45 BRST 2015
Victor Costa pushed to refs/heads/master at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>
Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/23b9a86393b7806070dc36c45d2fe79b96b26eaa">23b9a863</a> by Victor Costa
Sanitize HTML in event name
- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/fa7cddb0f79d4bb6d7750ed6fd41bb63446a6012">fa7cddb0</a> by Victor Costa
Sanitize HTML in folder name
- - - - -
Changes:
=====================================
app/models/event.rb
=====================================
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -19,7 +19,7 @@ class Event < Article
maybe_add_http(self.setting[:link])
end
- xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
+ xss_terminate :only => [ :name, :body, :link, :address ], :with => 'white_list', :on => 'validation'
def initialize(*args)
super(*args)
=====================================
app/models/folder.rb
=====================================
--- a/app/models/folder.rb
+++ b/app/models/folder.rb
@@ -12,7 +12,7 @@ class Folder < Article
acts_as_having_settings :field => :setting
- xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation'
+ xss_terminate :only => [ :name, :body ], :with => 'white_list', :on => 'validation'
include WhiteListFilter
filter_iframes :body
=====================================
test/unit/event_test.rb
=====================================
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -155,6 +155,14 @@ class EventTest < ActiveSupport::TestCase
assert_no_tag_in_string e.body, :tag => 'script'
end
+ should 'filter HTML in name' do
+ profile = create_user('testuser').person
+ e = create(Event, :profile => profile, :name => '<p>a paragraph (valid)</p><script type="text/javascript">/* this is invalid */</script>"', :link => 'www.colivre.coop.br', :start_date => Date.today)
+
+ assert_tag_in_string e.name, :tag => 'p', :content => 'a paragraph (valid)'
+ assert_no_tag_in_string e.name, :tag => 'script'
+ end
+
should 'nil to link' do
e = Event.new
assert_nothing_raised TypeError do
=====================================
test/unit/folder_test.rb
=====================================
--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -100,6 +100,14 @@ class FolderTest < ActiveSupport::TestCase
assert_includes folder.images(true), community.articles.find_by_name('rails.png')
end
+ should 'not let pass javascript in the name' do
+ folder = Folder.new
+ folder.name = "<script> alert(Xss!); </script>"
+ folder.valid?
+
+ assert_no_match /(<script>)/, folder.name
+ end
+
should 'not let pass javascript in the body' do
folder = Folder.new
folder.body = "<script> alert(Xss!); </script>"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listas.softwarelivre.org/pipermail/noosfero-dev/attachments/20150129/9c419c97/attachment.html>
More information about the Noosfero-dev
mailing list