diff --git a/app/models/debate.rb b/app/models/debate.rb
index d82cfb8ac..836e3bf34 100644
--- a/app/models/debate.rb
+++ b/app/models/debate.rb
@@ -35,6 +35,10 @@ class Debate < ActiveRecord::Base
 editable? && author == user
 end
 
+ def description
+ super.try :html_safe
+ end
+
 protected
 
 def sanitize_description
diff --git a/app/views/debates/_debate.html.erb b/app/views/debates/_debate.html.erb
index 93d4ad209..f37f1c5bc 100644
--- a/app/views/debates/_debate.html.erb
+++ b/app/views/debates/_debate.html.erb
@@ -10,7 +10,7 @@
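Review bot: The new `Debate#description` reader marks whatever is stored as html_safe, so the model becomes the single line of defence once the views stop wrapping the value in `sanitize` (the same change in app/views/debates/_debate.html.erb and show.html.erb). As far as this diff shows, sanitization only happens in `sanitize_description`, which the model spec exercises by calling `@debate.valid?` first, so it appears to run on validation; any row persisted without validations (`update_column`, imports, records that predate the sanitizer) would then be rendered unescaped. I would either apply the sanitizer in the reader as well, or at least state the invariant next to the method: `# Stored descriptions are trusted here; they are only cleaned by sanitize_description, which runs on validation.` The class header and the body of `sanitize_description` are outside this hunk.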

 <%= pluralize(debate.comment_threads.count, t("debates.debate.comment"), t("debates.debate.comments")) %>

-

<%= sanitize(truncate(debate.description, length: 200).html_safe) %>

+ <%= debate.description %> <%= render "shared/tags", debate: debate %> @@ -36,4 +36,4 @@ - \ No newline at end of file + diff --git a/app/views/debates/show.html.erb b/app/views/debates/show.html.erb index 76c76e71c..765ede640 100644 --- a/app/views/debates/show.html.erb +++ b/app/views/debates/show.html.erb @@ -7,7 +7,7 @@ <%= @debate.author.name %> •  <%= l @debate.created_at.to_date %>  •  <%= pluralize(@debate.comment_threads.count, t("debates.show.comment"), t("debates.show.comments")) %>
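Review bot: The index partial (app/views/debates/_debate.html.erb, hunk at line 10) appears to drop the `truncate(..., length: 200)` together with the `sanitize` call, so the listing now renders each description in full; the commit message does not say whether that is intended. If the length limit is still wanted, `<%= sanitize(truncate(debate.description, length: 200)) %>` keeps it while letting `sanitize` repair any tag the character-based cut opens, which is what made the old form safe. If full descriptions are intended, a one-line ERB comment in the partial saying so would keep the next reader from re-adding the limit.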

<%= @debate.title %>

-

<%= @debate.description %>

+ <%= @debate.description %>

<%= render 'shared/tags', debate: @debate %>

@@ -33,4 +33,4 @@ <%= link_to t("debates.show.edit_debate_link"), edit_debate_path(@debate), :class => 'button radius right' %> <% end %>
- \ No newline at end of file + diff --git a/spec/features/debates_spec.rb b/spec/features/debates_spec.rb index cebbda781..ebf8bc10e 100644 --- a/spec/features/debates_spec.rb +++ b/spec/features/debates_spec.rb @@ -54,21 +54,22 @@ feature 'Debates' do expect(page).to have_content I18n.l(Date.today) end - scenario 'JS injection is sanitized' do + scenario 'JS injection is prevented but safe html is respected' do author = create(:user) login_as(author) visit new_debate_path fill_in 'debate_title', with: 'A test' - fill_in 'debate_description', with: 'This is ' + fill_in 'debate_description', with: '

This is

' check 'debate_terms_of_service' click_button 'Create Debate' expect(page).to have_content 'Debate was successfully created.' expect(page).to have_content 'A test' - expect(page).to have_content 'This is alert("an attack");' + expect(page.html).to include '

This is alert("an attack");

' expect(page.html).to_not include '' + expect(page.html).to_not include '<p>This is' end scenario 'tagging using dangerous strings' do diff --git a/spec/models/debate_spec.rb b/spec/models/debate_spec.rb index f2af2cf0a..00f6217bd 100644 --- a/spec/models/debate_spec.rb +++ b/spec/models/debate_spec.rb @@ -20,15 +20,22 @@ describe Debate do expect(@debate).to_not be_valid end - it "should not be valid without a description" do - @debate.description = nil - expect(@debate).to_not be_valid - end + describe "#description" do + it "should be mandatory" do + @debate.description = nil + expect(@debate).to_not be_valid + end - it "should sanitize the description" do - @debate.description = "" - @debate.valid? - expect(@debate.description).to eq("alert('danger');") + it "should be sanitized" do + @debate.description = "" + @debate.valid? + expect(@debate.description).to eq("alert('danger');") + end + + it "should be html_safe" do + @debate.description = "" + expect(@debate.description).to be_html_safe + end end it "should sanitize the tag list" do
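Review bot: The new `should be html_safe` example in spec/models/debate_spec.rb asserts `be_html_safe` on a description that is assigned but never validated, so it passes precisely because the reader trusts unsanitized input, and it would keep passing if `sanitize_description` were removed. If the contract being pinned is "sanitized descriptions are html_safe", call `@debate.valid?` before the expectation, as the sibling `should be sanitized` example does, and keep the equality check on the sanitized string alongside it.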