Merge pull request #91 from AyuntamientoMadrid/debates_description_html
debates description html
@@ -35,6 +35,10 @@ class Debate < ActiveRecord::Base
|
||||
editable? && author == user
|
||||
end
|
||||
|
||||
def description
|
||||
super.try :html_safe
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
def sanitize_description
|
||||
|
||||
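Review bot: `super.try :html_safe` in the new `description` getter marks whatever is stored in the column as safe for every caller, and the only thing that makes that true is the `sanitize_description` callback below it (its body is outside the hunk); any write path that skips validations — `update_column`, `update_attribute`, seeds, rows created before the sanitizer existed — is then rendered unescaped by the two view hunks, which at the same time drop the render-time `sanitize(...)` call. A model getter is the wrong place for that promise: keeping the column a plain string and sanitizing at the output edge (`<%= sanitize debate.description %>` in both views), or exposing a separate `description_html` method, leaves escaping on by default. If the getter stays, the invariant it relies on should be stated beside it, e.g. `# Only safe because sanitize_description runs before validation; never write this column with validations skipped.`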
@@ -10,7 +10,7 @@
|
||||
<p class="debate-info">
|
||||
<i class="icon-chat-bubble-two"></i> <%= pluralize(debate.comment_threads.count, t("debates.debate.comment"), t("debates.debate.comments")) %>
|
||||
</p>
|
||||
<p><%= sanitize(truncate(debate.description, length: 200).html_safe) %></p>
|
||||
<%= debate.description %>
|
||||
<%= render "shared/tags", debate: debate %>
|
||||
</div>
|
||||
</div>
|
||||
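Review bot: The new `<%= debate.description %>` line drops both `truncate(..., length: 200)` and the surrounding `<p>` from the line it replaces, so this list partial now prints every debate's full description, a behaviour change the commit title does not mention. Applying `truncate` to an html_safe string would cut through tags, so if the 200-character excerpt is still wanted it should be taken from the text form before marking it safe, e.g. `<p><%= sanitize(truncate(strip_tags(debate.description), length: 200)) %></p>`.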
@@ -36,4 +36,4 @@
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@@ -7,7 +7,7 @@
|
||||
<span class="author"><%= @debate.author.name %></span><span class="bullet"> • </span> <%= l @debate.created_at.to_date %> <span class="bullet"> • </span><i class="icon-chat-bubble-two"></i> <%= pluralize(@debate.comment_threads.count, t("debates.show.comment"), t("debates.show.comments")) %>
|
||||
</div>
|
||||
<h1><%= @debate.title %></h1>
|
||||
<p><%= @debate.description %></p>
|
||||
<%= @debate.description %>
|
||||
<p><%= render 'shared/tags', debate: @debate %></p>
|
||||
</div>
|
||||
<div id="votes" class="small-12 medium-3 column votes">
|
||||
@@ -33,4 +33,4 @@
|
||||
<%= link_to t("debates.show.edit_debate_link"), edit_debate_path(@debate), :class => 'button radius right' %>
|
||||
<% end %>
|
||||
</div>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
@@ -54,21 +54,22 @@ feature 'Debates' do
|
||||
expect(page).to have_content I18n.l(Date.today)
|
||||
end
|
||||
|
||||
scenario 'JS injection is sanitized' do
|
||||
scenario 'JS injection is prevented but safe html is respected' do
|
||||
author = create(:user)
|
||||
login_as(author)
|
||||
|
||||
visit new_debate_path
|
||||
fill_in 'debate_title', with: 'A test'
|
||||
fill_in 'debate_description', with: 'This is <script>alert("an attack");</script>'
|
||||
fill_in 'debate_description', with: '<p>This is <script>alert("an attack");</script></p>'
|
||||
check 'debate_terms_of_service'
|
||||
|
||||
click_button 'Create Debate'
|
||||
|
||||
expect(page).to have_content 'Debate was successfully created.'
|
||||
expect(page).to have_content 'A test'
|
||||
expect(page).to have_content 'This is alert("an attack");'
|
||||
expect(page.html).to include '<p>This is alert("an attack");</p>'
|
||||
expect(page.html).to_not include '<script>alert("an attack");</script>'
|
||||
expect(page.html).to_not include '<p>This is'
|
||||
end
|
||||
|
||||
scenario 'tagging using dangerous strings' do
|
||||
|
||||
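Review bot: The renamed scenario exercises only a `<script>` element, so a regression in the sanitizer's attribute or URL-scheme whitelist would still pass it; a second `fill_in` using an allowed tag that carries an event-handler attribute, with an assertion that the attribute is absent from `page.html`, would cover that class too. The expectation `expect(page.html).to_not include '<p>This is'` cannot hold together with `expect(page.html).to include '<p>This is alert("an attack");</p>'` three lines above it, so one of them is presumably the removed side; the page layout does not show which, and the spec as merged should be read to confirm only the latter survives.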
@@ -20,15 +20,22 @@ describe Debate do
|
||||
expect(@debate).to_not be_valid
|
||||
end
|
||||
|
||||
it "should not be valid without a description" do
|
||||
@debate.description = nil
|
||||
expect(@debate).to_not be_valid
|
||||
end
|
||||
describe "#description" do
|
||||
it "should be mandatory" do
|
||||
@debate.description = nil
|
||||
expect(@debate).to_not be_valid
|
||||
end
|
||||
|
||||
it "should sanitize the description" do
|
||||
@debate.description = "<script>alert('danger');</script>"
|
||||
@debate.valid?
|
||||
expect(@debate.description).to eq("alert('danger');")
|
||||
it "should be sanitized" do
|
||||
@debate.description = "<script>alert('danger');</script>"
|
||||
@debate.valid?
|
||||
expect(@debate.description).to eq("alert('danger');")
|
||||
end
|
||||
|
||||
it "should be html_safe" do
|
||||
@debate.description = "<script>alert('danger');</script>"
|
||||
expect(@debate.description).to be_html_safe
|
||||
end
|
||||
end
|
||||
|
||||
it "should sanitize the tag list" do
|
||||
|
||||
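Review bot: The new `should be html_safe` example assigns a raw `<script>` string and asserts `html_safe` without calling `@debate.valid?`, so it pins the fact that the getter vouches for content the sanitizer has not yet touched — the very behaviour that makes the model-level `html_safe` risky. Calling `@debate.valid?` before the expectation, as the neighbouring `should be sanitized` example does, would make the spec document that the guarantee only holds once `sanitize_description` has run; an example asserting that a value written with validations skipped is not marked safe would fail against the current getter, which is the point worth surfacing.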