From 9ab8910329d52abef65d58a21cc53f2cb1bc60ab Mon Sep 17 00:00:00 2001
From: kikito
Date: Fri, 31 Jul 2015 15:40:32 +0200
Subject: [PATCH] Add WYSIWYGSanitizer
---
 app/services/wysiwyg_sanitizer.rb | 10 ++++++++++
 spec/services/wysiwyg_sanitizer_spec.rb | 24 ++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 app/services/wysiwyg_sanitizer.rb
 create mode 100644 spec/services/wysiwyg_sanitizer_spec.rb
diff --git a/app/services/wysiwyg_sanitizer.rb b/app/services/wysiwyg_sanitizer.rb
new file mode 100644
index 000000000..e45c7448f
--- /dev/null
+++ b/app/services/wysiwyg_sanitizer.rb
@@ -0,0 +1,10 @@
+class WYSIWYGSanitizer
+
+  ALLOWED_TAGS = %w(p ul ol li strong em u s)
+  ALLOWED_ATTRIBUTES = []
+
+  def sanitize(html)
+    ActionController::Base.helpers.sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
+  end
+
+end
diff --git a/spec/services/wysiwyg_sanitizer_spec.rb b/spec/services/wysiwyg_sanitizer_spec.rb
new file mode 100644
index 000000000..17236aa03
--- /dev/null
+++ b/spec/services/wysiwyg_sanitizer_spec.rb
@@ -0,0 +1,24 @@
+require 'rails_helper'
+
+describe WYSIWYGSanitizer do
+
+  subject { described_class.new }
+
+  describe '#sanitize' do
+
+    it 'returns an html_safe string' do
+      expect(subject.sanitize('hello')).to be_html_safe
+    end
+
+    it 'allows basic html formatting' do
+      html = '
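Review bot: `ALLOWED_TAGS` and `ALLOWED_ATTRIBUTES` in the new `WYSIWYGSanitizer` are plain mutable arrays, so any code (or a spec) that does `WYSIWYGSanitizer::ALLOWED_TAGS << 'a'` silently widens the sanitization policy for the whole process; freeze them with `ALLOWED_TAGS = %w(p ul ol li strong em u s).freeze` and `ALLOWED_ATTRIBUTES = [].freeze`. The strength of this class also depends on which Rails sanitizer backs `ActionController::Base.helpers.sanitize`: with `tags:`/`attributes:` given, Rails 4.2+ runs the Loofah-based rails-html-sanitizer allowlist scrubber, whereas the older html-scanner implementation has had bypasses, and the patch does not show which version the app is on, so confirm. Passing an empty `attributes:` list means every attribute, including `href`, `style` and `on*` handlers, is dropped even on allowed tags, which is the right default for this tag set; a one-line doc comment on `sanitize` stating that contract and that the return value is an html_safe string would help callers, e.g. `# Strips everything except a small formatting allowlist; all attributes are removed. Returns an html_safe String.`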

This is a paragraph

' + expect(subject.sanitize(html)).to eq(html) + end + + it 'filters out dangerous tags' do + html = '

This is

' + expect(subject.sanitize(html)).to eq('

This is alert("dangerous");

') + end + end + +end
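Review bot: The spec never asserts that attributes are removed, which is the property `ALLOWED_ATTRIBUTES = []` exists to guarantee; the only negative case is a single disallowed tag. Add a case for an allowed tag carrying an event handler, `expect(subject.sanitize('<p onmouseover="alert(1)">hi</p>')).to eq('<p>hi</p>')`, and one for a disallowed tag whose payload lives in an attribute, such as `<img src=x onerror=alert(1)>`, which with an allowlist scrubber should come back as an empty string. The example strings in this hunk appear to have lost their tags in this rendering, so the exact expected values above are inferred from the test names rather than read from the lines. Note that the 'filters out dangerous tags' expectation also pins the behaviour that a stripped element's text content survives (`alert("dangerous");` stays), which is how the permit scrubber behaves; if the intent is to drop script bodies entirely, that needs a custom scrubber rather than a change to the allowlist.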