From 391f58eb90deb56953228b0907e5a55771bcb76c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Sun, 6 Oct 2019 04:23:11 +0200
Subject: [PATCH] Sanitize dashboard action before displaying it

We were using `<%==`, which is the same as using `raw`. Note ERB Lint doesn't warn us of this usage. Brakeman does warn us, though.
---
app/views/dashboard/actions/new_request.html.erb | 2 +-
spec/features/xss_spec.rb | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/views/dashboard/actions/new_request.html.erb b/app/views/dashboard/actions/new_request.html.erb
index 1b6fd3710..ba6486ce5 100644
--- a/app/views/dashboard/actions/new_request.html.erb
+++ b/app/views/dashboard/actions/new_request.html.erb
@@ -2,7 +2,7 @@
- <%== dashboard_action.description %>
+ <%= WYSIWYGSanitizer.new.sanitize(dashboard_action.description) %>
 <%= render "dashboard/form" %>
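Review bot: The new `<%= WYSIWYGSanitizer.new.sanitize(dashboard_action.description) %>` line only renders correctly if the sanitizer returns an `html_safe` string; if it returns a plain `String`, `<%=` will escape the sanitized markup and the description will display as literal tags, which is the opposite failure from the one this commit fixes. The sanitizer is not visible in this patch, so treat that as a point to confirm before merging. Sanitizing at output time is the right layer for stored rich-text HTML, but any other view that renders `dashboard_action.description` through `<%==` or `raw` needs the same change, and Brakeman only reports the templates it can resolve, so a grep for both spellings is worth doing. The surrounding markup of this hunk was lost in extraction, so the context lines cannot be checked here.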
diff --git a/spec/features/xss_spec.rb b/spec/features/xss_spec.rb
index 136f0e36a..71447c976 100644
--- a/spec/features/xss_spec.rb
+++ b/spec/features/xss_spec.rb
@@ -60,6 +60,16 @@ describe "Cross-Site Scripting protection", :js do
 expect(page.text).not_to be_empty
 end
+ scenario "new request for proposal action in dashboard" do
+ proposal = create(:proposal)
+ action = create(:dashboard_action, description: attack_code)
+
+ login_as(proposal.author)
+ visit new_request_proposal_dashboard_action_path(proposal, action)
+
+ expect(page.text).not_to be_empty
+ end
+
 scenario "poll description setting in dashboard"
 Setting["proposals.poll_description"] = attack_code
 proposal = create(:proposal)
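Review bot: The new scenario's only assertion, `expect(page.text).not_to be_empty`, passes whether or not the description was sanitized; it follows the file's existing scenarios and presumably relies on the `:js` driver failing the test if `attack_code` executes, but it does not demonstrate that the fix works. Seed the description with safe markup alongside the payload, `action = create(:dashboard_action, description: "<p>Safe text</p>#{attack_code}")`, and add `expect(page).to have_content "Safe text"` so the test also catches a sanitizer whose result is not `html_safe` and gets double-escaped by `<%=`. `attack_code` and the mechanism that detects a successful injection are defined outside this hunk, so the exact payload cannot be confirmed from here.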