From d505cda949bb73dca925533cfa4487d980fa3428 Mon Sep 17 00:00:00 2001 From: Bertocq Date: Mon, 15 Jan 2018 20:37:39 +0100 Subject: [PATCH] Add description sanitization to Budget::Phase with model specs --- app/models/budget/phase.rb | 7 +++++++ spec/models/budget/phase_spec.rb | 8 ++++++++ 2 files changed, 15 insertions(+) diff --git a/app/models/budget/phase.rb b/app/models/budget/phase.rb index a51d82076..7e59ff6ac 100644 --- a/app/models/budget/phase.rb +++ b/app/models/budget/phase.rb @@ -14,6 +14,9 @@ class Budget validates :description, length: { maximum: DESCRIPTION_MAX_LENGTH } validate :dates_range_valid? + before_validation :sanitize_description + + scope :enabled, -> { where(enabled: true) } scope :drafting, -> { find_by_kind('drafting') } scope :accepting, -> { find_by_kind('accepting')} @@ -39,5 +42,9 @@ class Budget end end + + def sanitize_description + self.description = WYSIWYGSanitizer.new.sanitize(description) + end end end diff --git a/spec/models/budget/phase_spec.rb b/spec/models/budget/phase_spec.rb index 90d1a01b6..d904dc8c7 100644 --- a/spec/models/budget/phase_spec.rb +++ b/spec/models/budget/phase_spec.rb @@ -77,4 +77,12 @@ describe Budget::Phase do end end end + + describe "#sanitize_description" do + it "removes html entities from the description" do + expect{ + first_phase.update_attributes(description: "a
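Review bot: The `before_validation :sanitize_description` callback only runs on code paths that validate, so `update_attribute`, `update_column`/`update_columns` and `save(validate: false)` will still persist an unsanitized description; the callback is best treated as input normalization, with escaping or sanitization at render time remaining the actual XSS control. A short comment above the callback would make that boundary explicit: `# Normalizes description on validated saves only; views must still sanitize/escape on output`. Separately, the hunk adds two blank lines after the callback where one would do (RuboCop Layout/EmptyLines). The enclosing class definition opens outside the hunk.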
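Review bot: `sanitize_description` passes `description` straight to `WYSIWYGSanitizer.new.sanitize`, and the hunk gives no evidence that the sanitizer tolerates nil; if it does not, any phase saved without a description would now raise during validation. Unless that is already confirmed, guard the call: `self.description = WYSIWYGSanitizer.new.sanitize(description) if description`. Whether the method sits under a `private` marker is not visible here (that section, if any, begins outside the hunk); `before_validation` can invoke private methods, so there is no reason for it to be public. Because the callback precedes `validates :description, length:`, the length limit is checked against the sanitized output, which is the desirable order.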

javascript") + }.to change{ first_phase.description }.to('a javascript') + end + end end