Sanitize CKEditor content before displaying it

It's possible to create a newsletter or a proposed action with
<script> tags by filling in the body using a textarea instead of a
CKEditor. While we trust our administrators not to do so, it's better to
completely eliminate that possibility.

app/helpers/proposals_dashboard_helper.rb

@@ -97,7 +97,7 @@ module ProposalsDashboardHelper
   end
 
   def proposed_action_description(proposed_action)
-    raw proposed_action.description.truncate(200)
+    sanitize proposed_action.description.truncate(200)
   end
 
   def proposed_action_long_description?(proposed_action)

app/views/budgets/_phases.html.erb

@@ -7,7 +7,7 @@
         -
         <%= l(phase.ends_at.to_date - 1.day, format: :long) if phase.ends_at.present? %>
       </span>
-      <p><%= safe_html_with_links(phase.summary) %></p>
+      <p><%= safe_html_with_links(WYSIWYGSanitizer.new.sanitize(phase.summary)) %></p>
     </li>
   <% end %>
 </ul>

app/views/dashboard/_proposed_action.html.erb

@@ -38,10 +38,10 @@
             <small><%= t("dashboard.recommended_actions.show_description") %></small>
           </a>
           <div id="proposed_action_description_<%= dom_id(proposed_action) %>" class="hide" data-toggler=".hide">
-            <%= proposed_action.description.html_safe %>
+            <%= WYSIWYGSanitizer.new.sanitize(proposed_action.description) %>
           </div>
         <% else %>
-          <%= proposed_action.description.html_safe %>
+          <%= WYSIWYGSanitizer.new.sanitize(proposed_action.description) %>
         <% end %>
       <% end %>
 

app/views/dashboard/mailer/new_actions_notification_rake_created.html.erb

@@ -35,7 +35,7 @@
     <ul>
       <li><%= first_proposed_action.title %></li>
       <% if first_proposed_action.description.present? %>
-        <p><%= first_proposed_action.description.html_safe %></p>
+        <p><%= WYSIWYGSanitizer.new.sanitize(first_proposed_action.description) %></p>
       <% end %>
     </ul>
     <br>

app/views/dashboard/mailer/new_actions_notification_rake_published.html.erb

@@ -36,7 +36,7 @@
     <ul>
       <li><%= first_proposed_action.title %></li>
       <% if first_proposed_action.description.present? %>
-        <p><%= first_proposed_action.description.html_safe %></p>
+        <p><%= WYSIWYGSanitizer.new.sanitize(first_proposed_action.description) %></p>
       <% end %>
     </ul>
     <br>

app/views/mailer/newsletter.html.erb

@@ -1,5 +1,5 @@
 <td style="padding-bottom: 20px; padding-left: 10px;">
   <p style="font-family: 'Open Sans','Helvetica Neue',arial,sans-serif;font-size: 14px;line-height: 24px;">
-    <%= safe_html_with_links @newsletter.body.html_safe %>
+    <%= safe_html_with_links WYSIWYGSanitizer.new.sanitize(@newsletter.body) %>
   </p>
 </td>

spec/features/xss_spec.rb

@@ -30,4 +30,15 @@ describe "Cross-Site Scripting protection", :js do
 
     expect(page.text).not_to be_empty
   end
+
+  scenario "proposal actions in dashboard" do
+    proposal = create(:proposal)
+
+    create(:dashboard_action, description: attack_code)
+
+    login_as(proposal.author)
+    visit recommended_actions_proposal_dashboard_path(proposal)
+
+    expect(page.text).not_to be_empty
+  end
 end