prevents body comments to accept html a tags, sanitize them out instead as well

This commit is contained in:
David Gil
2015-09-10 19:05:34 +02:00
parent 31cf51f07a
commit 5ecbe01d47
2 changed files with 4 additions and 3 deletions


@@ -2,7 +2,7 @@ module TextWithLinksHelper
def text_with_links(text) def text_with_links(text)
return unless text return unless text
sanitized = sanitize text, tags: %w(a), attributes: %w(href) sanitized = sanitize text
Rinku.auto_link(sanitized, :all, 'target="_blank" rel="nofollow"').html_safe Rinku.auto_link(sanitized, :all, 'target="_blank" rel="nofollow"').html_safe
end end
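Review bot: Dropping the `tags:`/`attributes:` arguments from the `sanitize` call (the changed line in the middle of the hunk) does not by itself guarantee that anchor tags are removed, which is what the commit title says the change is for; with no explicit allowlist the helper falls back to the sanitizer's default tag list, and whether `a` and `href` are on that default list depends on the sanitizer configuration, which is not visible here. The only coverage added in this commit is an anchor with a `javascript:` href, which a sanitizer may reject on protocol grounds alone, so a plain `<a href="http://...">` could still pass through as a link. If the intent is that comment bodies carry no markup at all and Rinku alone produces the links, say so explicitly, e.g. `sanitized = strip_tags(text)` (or `sanitize text, tags: []`), and add a one-line comment such as `# strip all markup; Rinku re-links bare URLs below` so the next reader does not reintroduce an allowlist. The enclosing `module TextWithLinksHelper` starts and ends outside the hunk.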


@@ -34,13 +34,14 @@ feature 'Comments' do
end end
scenario 'Sanitizes comment body for security' do scenario 'Sanitizes comment body for security' do
create :comment, commentable: debate, body: "<script>alert('hola')</script> http://madrid.es" create :comment, commentable: debate, body: "<script>alert('hola')</script> <a href=\"javascript:alert('sorpresa!')\">click me<a/> http://madrid.es"
visit debate_path(debate) visit debate_path(debate)
within first('.comment') do within first('.comment') do
expect(page).to have_content "alert('hola') http://madrid.es" expect(page).to have_content "click me http://madrid.es"
expect(page).to have_link('http://madrid.es', href: 'http://madrid.es') expect(page).to have_link('http://madrid.es', href: 'http://madrid.es')
expect(page).not_to have_link('click me')
end end
end end
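Review bot: The new fixture body on the `create :comment` line closes the anchor with `<a/>` rather than `</a>`, so the HTML parser sees an unclosed anchor followed by a second, empty self-closing one; the assertions still pass, but the scenario does not exercise a well-formed `<a>` element, which is the case the commit is about. I would fix the literal to `<a href=\"javascript:alert('sorpresa!')\">click me</a>` and, since a `javascript:` href may be dropped for protocol reasons alone, add a second anchor with an ordinary `http:` href (constructed sample: `<a href=\"http://example.com\">other</a>`) plus `expect(page).not_to have_link('other')` so the spec actually pins that anchor tags are removed regardless of protocol. The scenario is fully within the hunk, but the enclosing `feature 'Comments'` block starts and ends outside it.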