diff --git a/app/views/legislation/annotations/index.html.erb b/app/views/legislation/annotations/index.html.erb
index 83f0e9d07..ac439a823 100644
--- a/app/views/legislation/annotations/index.html.erb
+++ b/app/views/legislation/annotations/index.html.erb
@@ -22,7 +22,7 @@ <% end %>
- <%= annotation.context.try(:html_safe).presence || annotation.quote %>
+ <%= sanitize(annotation.context).presence || annotation.quote %>
<%= link_to legislation_process_draft_version_annotation_path(@process, @draft_version, annotation) do %>
 <%= t(".comments_count", count: annotation.comments_count) %>
diff --git a/app/views/legislation/annotations/show.html.erb b/app/views/legislation/annotations/show.html.erb
index 63af27f72..f8aeeb655 100644
--- a/app/views/legislation/annotations/show.html.erb
+++ b/app/views/legislation/annotations/show.html.erb
@@ -19,7 +19,7 @@
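Review bot: The same `sanitize(annotation.context).presence || annotation.quote` expression is now duplicated in this hunk and in the show.html.erb hunk below, so the output-encoding policy for annotation context lives in two views and can drift the next time either one is edited; consider a single view helper, e.g. `def annotation_context(annotation)` returning `sanitize(annotation.context).presence || annotation.quote`, and calling `<%= annotation_context(annotation) %>` from both templates. `sanitize` keeps Rails' default allow-list of tags and attributes, so if `context` is only ever expected to hold a plain-text excerpt (the field name suggests this, but nothing in the hunk shows it), `strip_tags` or plain `<%= annotation.context %>` escaping would be the stricter choice and worth a comment explaining which was chosen. The `annotation.quote` fallback is auto-escaped by `<%= %>`, which is the right behaviour. The enclosing ERB block starts and ends outside the hunk.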
- <%= @annotation.context.try(:html_safe).presence || @annotation.quote %>
+ <%= sanitize(@annotation.context).presence || @annotation.quote %>
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
index d7b46b8d0..6a61acd55 100644
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -41,4 +41,13 @@ describe "Cross-Site Scripting protection", :js do
 expect(page.text).not_to be_empty
 end
+
+ scenario "annotation context" do
+ annotation = create(:legislation_annotation)
+ annotation.update_column(:context, attack_code)
+
+ visit polymorphic_hierarchy_path(annotation)
+
+ expect(page.text).not_to be_empty
+ end
 end
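Review bot: The new scenario only visits the annotation's show page via `polymorphic_hierarchy_path(annotation)`, so the matching change to index.html.erb in this same commit has no coverage; add a second `visit` of the draft version's annotations index (the route that renders index.html.erb) followed by the same assertion, or a sibling scenario for it. `expect(page.text).not_to be_empty` follows the file's existing pattern and proves the payload did not wipe the page, but it does not show that the context was rendered through `sanitize` rather than merely failing to execute; if `attack_code` (defined outside the hunk) is a script tag, a stronger check would assert that its sanitized remainder appears on the page as text, which I can only suggest in outline since the payload's shape is not visible here. Writing the payload with `update_column` deliberately bypasses model validations, which is the right choice when the view's own output encoding is what is under test. The describe block starts outside the hunk.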