From 2ffbae890e30dd4d4fe24c91998abb95d6d81819 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Wed, 2 Oct 2019 18:18:26 +0200
Subject: [PATCH] Sanitize valuation explanations

If we don't sanitize them, valuators might attempt Cross-Site Scripting attacks.
---
 app/helpers/valuation_helper.rb |  2 +-
 spec/features/xss_spec.rb       | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/helpers/valuation_helper.rb b/app/helpers/valuation_helper.rb
index 8767ebb96..39018b61e 100644
--- a/app/helpers/valuation_helper.rb
+++ b/app/helpers/valuation_helper.rb
@@ -14,7 +14,7 @@ module ValuationHelper
   end
   def explanation_field(field)
-    simple_format_no_tags_no_sanitize(safe_html_with_links(field.html_safe)) if field.present?
+    simple_format_no_tags_no_sanitize(text_with_links(field)) if field.present?
   end
 end
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
index 6a61acd55..7f3d81ab1 100644
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -50,4 +50,14 @@ describe "Cross-Site Scripting protection", :js do
     expect(page.text).not_to be_empty
   end
+
+  scenario "valuation explanations" do
+    investment = create(:budget_investment, price_explanation: attack_code)
+    valuator = create(:valuator, investments: [investment])
+
+    login_as(valuator.user)
+    visit valuation_budget_budget_investment_path(investment.budget, investment)
+
+    expect(page.text).not_to be_empty
+  end
 end
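Review bot: The new line in `explanation_field` makes the escaping of valuator-supplied `field` an unstated invariant of `text_with_links`, because `simple_format_no_tags_no_sanitize` by its name does no sanitizing of its own and neither helper's body is visible in this hunk. A comment above the call would keep a later edit from reintroducing `html_safe` at this site, e.g. `# field is valuator-supplied: text_with_links must escape it, the formatter below does not sanitize`. If `safe_html_with_links` is still called elsewhere with `html_safe` input, those callers presumably deserve the same review. The enclosing module `ValuationHelper` starts before the hunk.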
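Review bot: The added scenario's only assertion, `expect(page.text).not_to be_empty`, shows that `attack_code` in `price_explanation` did not blank the page, but it does not show that the payload was rendered as escaped text rather than, say, stripped. If `attack_code` is a plain string literal, an assertion that its text appears on the page, such as `expect(page).to have_content(attack_code)` (adjusted to whatever `attack_code` holds), would pin the escaping behaviour the helper change is meant to guarantee. Only `price_explanation` is exercised; presumably the other explanation attributes go through the same `explanation_field` helper, which the scenario name could state or a second field could cover. The enclosing `describe` block starts before the hunk.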