consul/grecia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prevent Cross-site scripting

Browse Source
This commit is contained in:
taitus
2021-01-19 13:43:27 +01:00
parent d56396acb7
commit 5d2474466d
2 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/assets/javascripts/sdg/related_list_selector.js
View File

@@ -12,7 +12,7 @@
amsify_suggestags.getTag = function(value) { amsify_suggestags.getTag = function(value) {
if (this.getItem(value) !== undefined) { if (this.getItem(value) !== undefined) {
return this.getItem(value).display_text; return $("<div>" + this.getItem(value).display_text + "</div>").text();
} else { } else {
return value; return value;
} }

10
spec/system/xss_spec.rb
View File

@@ -76,6 +76,16 @@ describe "Cross-Site Scripting protection", :js do
expect(page.text).not_to be_empty expect(page.text).not_to be_empty
end end
scenario "SDG identifier", :admin do
Setting["feature.sdg"] = true
Setting["sdg.process.proposals"] = true
I18nContent.create!(key: "sdg.related_list_selector.goal_identifier", value: attack_code)
visit sdg_management_edit_proposal_path(create(:proposal, sdg_goals: [SDG::Goal[1]]))
expect(page.text).not_to be_empty
end
scenario "proposal actions in dashboard" do scenario "proposal actions in dashboard" do
proposal = create(:proposal) proposal = create(:proposal)