consul/nairobi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sanitize label texts automatically

Browse Source 
This way we can remove all those `html_safe` calls and we avoid
potential XSS attacks in label texts.
This commit is contained in:
Javi Martín
2019-10-05 16:42:43 +02:00
parent 2586229e38
commit 75a28fafcb
9 changed files with 27 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app/views/budgets/investments/_form.html.erb
View File

@@ -93,7 +93,8 @@
title: t("form.accept_terms_title"), title: t("form.accept_terms_title"),
label: t("form.accept_terms", label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"), policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank")).html_safe %> conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
) %>
</div> </div>
<% end %> <% end %>

2
app/views/debates/_form.html.erb
View File

@@ -39,7 +39,7 @@
label: t("form.accept_terms", label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"), policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank") conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
).html_safe %> ) %>
<% end %> <% end %>
</div> </div>

2
app/views/legislation/proposals/_form.html.erb
View File

@@ -65,7 +65,7 @@
label: t("form.accept_terms", label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"), policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank") conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
).html_safe %> ) %>
<% end %> <% end %>
</div> </div>

2
app/views/organizations/registrations/new.html.erb
View File

@@ -34,7 +34,7 @@
"/conditions", "/conditions",
title: t("shared.target_blank"), title: t("shared.target_blank"),
target: "_blank") target: "_blank")
).html_safe %> ) %>
<div class="small-12 medium-6 small-centered"> <div class="small-12 medium-6 small-centered">
<%= f.submit t("devise_views.organizations.registrations.new.submit"), class: "button expanded" %> <%= f.submit t("devise_views.organizations.registrations.new.submit"), class: "button expanded" %>

2
app/views/proposals/_form.html.erb
View File

@@ -100,7 +100,7 @@
label: t("form.accept_terms", label: t("form.accept_terms",
policy: link_to(t("form.policy"), "/privacy", target: "blank"), policy: link_to(t("form.policy"), "/privacy", target: "blank"),
conditions: link_to(t("form.conditions"), "/conditions", target: "blank") conditions: link_to(t("form.conditions"), "/conditions", target: "blank")
).html_safe %> ) %>
<% end %> <% end %>
</div> </div>

2
app/views/users/registrations/new.html.erb
View File

@@ -42,7 +42,7 @@
terms: link_to(t("devise_views.users.registrations.new.terms_link"), "/conditions", terms: link_to(t("devise_views.users.registrations.new.terms_link"), "/conditions",
title: t("shared.target_blank"), title: t("shared.target_blank"),
target: "_blank") target: "_blank")
).html_safe %> ) %>
<div class="small-12 medium-6 small-centered"> <div class="small-12 medium-6 small-centered">
<%= f.submit t("devise_views.users.registrations.new.submit"), class: "button expanded" %> <%= f.submit t("devise_views.users.registrations.new.submit"), class: "button expanded" %>

2
app/views/verification/residence/new.html.erb
View File

@@ -80,7 +80,7 @@
terms_url: link_to(t("verification.residence.new.terms"), "/census_terms", terms_url: link_to(t("verification.residence.new.terms"), "/census_terms",
title: t("shared.target_blank"), title: t("shared.target_blank"),
target: "_blank") target: "_blank")
).html_safe %> ) %>
</div> </div>
<div class="small-12 medium-3 clear"> <div class="small-12 medium-3 clear">

10
lib/consul_form_builder.rb
View File

@@ -1,4 +1,6 @@
class ConsulFormBuilder < FoundationRailsHelper::FormBuilder class ConsulFormBuilder < FoundationRailsHelper::FormBuilder
include ActionView::Helpers::SanitizeHelper
def enum_select(attribute, options = {}, html_options = {}) def enum_select(attribute, options = {}, html_options = {})
choices = object.class.send(attribute.to_s.pluralize).keys.map do |name| choices = object.class.send(attribute.to_s.pluralize).keys.map do |name|
[object.class.human_attribute_name("#{attribute}.#{name}"), name] [object.class.human_attribute_name("#{attribute}.#{name}"), name]
@@ -35,6 +37,14 @@ class ConsulFormBuilder < FoundationRailsHelper::FormBuilder
private private
def custom_label(attribute, text, options)
if text == false
super
else
super(attribute, sanitize(label_text(object, attribute, text)), options)
end
end
def label_with_hint(attribute, options) def label_with_hint(attribute, options)
custom_label(attribute, options[:label], options[:label_options]) + custom_label(attribute, options[:label], options[:label_options]) +
help_text(attribute, options) help_text(attribute, options)

9
spec/features/xss_spec.rb
View File

@@ -31,6 +31,15 @@ describe "Cross-Site Scripting protection", :js do
expect(page.text).not_to be_empty expect(page.text).not_to be_empty
end end
scenario "accept terms label" do
I18nContent.create(key: "form.accept_terms", value: attack_code)
login_as(create(:user))
visit new_debate_path
expect(page.text).not_to be_empty
end
scenario "proposal actions in dashboard" do scenario "proposal actions in dashboard" do
proposal = create(:proposal) proposal = create(:proposal)