Sanitize dashboard action before displaying it

We were using `<%==`, which is the same as using `raw`.

Note that ERB Lint doesn't warn us about this usage; Brakeman does warn us,
though.
This commit is contained in:
Javi Martín
2019-10-06 04:23:11 +02:00
parent a20c0f078d
commit 391f58eb90
2 changed files with 11 additions and 1 deletions


@@ -2,7 +2,7 @@
<div class="row expanded"> <div class="row expanded">
<div class="small-12 medium-8 column"> <div class="small-12 medium-8 column">
<%== dashboard_action.description %> <%= WYSIWYGSanitizer.new.sanitize(dashboard_action.description) %>
<%= render "dashboard/form" %> <%= render "dashboard/form" %>
</div> </div>
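Review bot: The replacement on the `<%==` line makes the template depend on `WYSIWYGSanitizer#sanitize` returning an html_safe buffer; if it ever returns a plain String, `<%=` will escape the sanitized markup and the description will render as literal tags, so that contract is worth pinning in the sanitizer's docs or a view spec. A short comment on the line would also keep the next maintainer from "simplifying" it back, e.g. `<%# description is user-supplied HTML: always sanitize, never <%== or raw %>`. The commit only fixes this one rendering site; other templates that output `dashboard_action.description` (if any exist) would need the same change, and a grep for `<%==` across the views would confirm Brakeman's finding is fully closed. The enclosing template continues outside the hunk.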


@@ -60,6 +60,16 @@ describe "Cross-Site Scripting protection", :js do
expect(page.text).not_to be_empty expect(page.text).not_to be_empty
end end
scenario "new request for proposal action in dashboard" do
proposal = create(:proposal)
action = create(:dashboard_action, description: attack_code)
login_as(proposal.author)
visit new_request_proposal_dashboard_action_path(proposal, action)
expect(page.text).not_to be_empty
end
scenario "poll description setting in dashboard" do scenario "poll description setting in dashboard" do
Setting["proposals.poll_description"] = attack_code Setting["proposals.poll_description"] = attack_code
proposal = create(:proposal) proposal = create(:proposal)
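Review bot: The new scenario's only assertion, `expect(page.text).not_to be_empty`, mirrors the surrounding scenarios and presumably relies on `attack_code` (defined outside the hunk) blanking the page when the payload executes, so a reader cannot tell from the scenario itself what "not empty" proves. A one-line comment inside the scenario, e.g. `# attack_code wipes the page body when it runs; non-empty text means it was neutralized`, would make the intent of the assertion explicit, and the same note applies to the existing scenarios that share this pattern. If the sanitizer keeps the safe text of the description, asserting that text with `have_content` would additionally confirm the content is rendered rather than dropped.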