Sanitize valuation explanations

If we don't sanitize them, valuators might attempt Cross-Site Scripting attacks.
2019-10-02 18:18:26 +02:00
parent 8b73cfc019
commit 2ffbae890e
2 changed files with 11 additions and 1 deletions
--- a/app/helpers/valuation_helper.rb
+++ b/app/helpers/valuation_helper.rb
@@ -14,7 +14,7 @@ module ValuationHelper
  end

  def explanation_field(field)
-    simple_format_no_tags_no_sanitize(safe_html_with_links(field.html_safe)) if field.present?
+    simple_format_no_tags_no_sanitize(text_with_links(field)) if field.present?
  end

 end
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -50,4 +50,14 @@ describe "Cross-Site Scripting protection", :js do

    expect(page.text).not_to be_empty
  end
+
+  scenario "valuation explanations" do
+    investment = create(:budget_investment, price_explanation: attack_code)
+    valuator = create(:valuator, investments: [investment])
+
+    login_as(valuator.user)
+    visit valuation_budget_budget_investment_path(investment.budget, investment)
+
+    expect(page.text).not_to be_empty
+  end
 end