noosfero | 2 new commits pushed to repository

Victor Costa gitlab at gitlab.com
Thu Jan 29 12:14:45 BRST 2015


Victor Costa pushed to refs/heads/master at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>

Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/23b9a86393b7806070dc36c45d2fe79b96b26eaa">23b9a863</a> by Victor Costa
Sanitize HTML in event name

- - - - -
<a href="https://gitlab.com/noosfero/noosfero/commit/fa7cddb0f79d4bb6d7750ed6fd41bb63446a6012">fa7cddb0</a> by Victor Costa
Sanitize HTML in folder name

- - - - -


Changes:

=====================================
app/models/event.rb
=====================================
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -19,7 +19,7 @@ class Event < Article
     maybe_add_http(self.setting[:link])
   end
 
-  xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
+  xss_terminate :only => [ :name, :body, :link, :address ], :with => 'white_list', :on => 'validation'
 
   def initialize(*args)
     super(*args)
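Review bot: With `:on => 'validation'`, the new `:name` entry on the `xss_terminate` line is applied only when the record is validated, so a write path that skips validations (for example `save(:validate => false)` or `update_column`) would presumably leave the raw name in place — worth confirming against the xss_terminate implementation, and the same question applies to the folder.rb hunk. The `white_list` filter keeps permitted tags rather than stripping all markup, so `name` can legitimately contain HTML after this change; since names are usually rendered in headings, links and page titles, the views that print `name` need to agree on whether it is escaped text or trusted markup. A one-line comment above the macro would make that contract explicit, e.g. `# name may hold white-listed HTML after validation; views rendering it as raw markup rely on this filter`. The class body continues outside this hunk.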

=====================================
app/models/folder.rb
=====================================
--- a/app/models/folder.rb
+++ b/app/models/folder.rb
@@ -12,7 +12,7 @@ class Folder < Article
 
   acts_as_having_settings :field => :setting
 
-  xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation'
+  xss_terminate :only => [ :name, :body ], :with => 'white_list', :on => 'validation'
 
   include WhiteListFilter
   filter_iframes :body

=====================================
test/unit/event_test.rb
=====================================
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -155,6 +155,14 @@ class EventTest < ActiveSupport::TestCase
     assert_no_tag_in_string e.body, :tag => 'script'
   end
 
+  should 'filter HTML in name' do
+    profile = create_user('testuser').person
+    e = create(Event, :profile => profile, :name => '<p>a paragraph (valid)</p><script type="text/javascript">/* this is invalid */</script>"', :link => 'www.colivre.coop.br', :start_date => Date.today)
+
+    assert_tag_in_string e.name, :tag => 'p', :content => 'a paragraph (valid)'
+    assert_no_tag_in_string e.name, :tag => 'script'
+  end
+
   should 'nil to link' do
     e = Event.new
     assert_nothing_raised TypeError do
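Review bot: The `:name` fixture in the new test ends with a stray `"` after `</script>` (the string is `'...</script>"'`), which looks like a typo and slightly muddies what the assertion is checking; dropping it gives `:name => '<p>a paragraph (valid)</p><script type="text/javascript">/* this is invalid */</script>'`. Note also that `assert_tag_in_string e.name, :tag => 'p'` pins the decision that white-listed tags survive in an event name — if that is deliberate, a short comment in the test saying so would stop a future reader from "fixing" it, e.g. `# white_list keeps harmless tags in the name; only active content must be removed`. The test exercises only the `create` path, which matches the `:on => 'validation'` configuration in event.rb. EventTest continues outside this hunk.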

=====================================
test/unit/folder_test.rb
=====================================
--- a/test/unit/folder_test.rb
+++ b/test/unit/folder_test.rb
@@ -100,6 +100,14 @@ class FolderTest < ActiveSupport::TestCase
     assert_includes folder.images(true), community.articles.find_by_name('rails.png')
   end
 
+  should 'not let pass javascript in the name' do
+    folder = Folder.new
+    folder.name = "<script> alert(Xss!); </script>"
+    folder.valid?
+
+    assert_no_match /(<script>)/, folder.name
+  end
+
   should 'not let pass javascript in the body' do
     folder = Folder.new
     folder.body = "<script> alert(Xss!); </script>"
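Review bot: `assert_no_match /(<script>)/, folder.name` checks only for that exact literal, so it would still pass if the filter left a differently spelled or attribute-bearing script tag behind, and it differs from the helper the event test in this same push uses; `assert_no_tag_in_string folder.name, :tag => 'script'` is both stricter and consistent with that test. The parentheses in the regex are a needless capture group, so if the regex is kept it should at least be `/<script>/`. The test relies on `folder.valid?` to trigger the filter, which matches the `:on => 'validation'` setting in folder.rb. FolderTest continues outside this hunk.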
