Merge pull request #12542 from anansilva/12448-sanitise-html-custom-tab

Sanitize HTML in custom tab content [read only]
2026-01-24 20:36:49 +00:00 · 2024-06-21 08:35:26 +10:00
parent 1d55c05900 d2c6db0d04
commit 0dd7f264b9
2 changed files with 22 additions and 0 deletions
--- a/app/models/custom_tab.rb
+++ b/app/models/custom_tab.rb
@@ -4,4 +4,14 @@ class CustomTab < ApplicationRecord
  belongs_to :enterprise

  validates :title, presence: true, length: { maximum: 20 }
+
+  # Remove any unsupported HTML.
+  def content
+    HtmlSanitizer.sanitize(super)
+  end
+
+  # Remove any unsupported HTML.
+  def content=(html)
+    super(HtmlSanitizer.sanitize(html))
+  end
 end
--- a/spec/models/custom_tab_spec.rb
+++ b/spec/models/custom_tab_spec.rb
@@ -12,4 +12,16 @@ RSpec.describe CustomTab do

    it { is_expected.to validate_length_of(:title).is_at_most(20) }
  end
+
+  describe "serialisation" do
+    it "sanitises HTML in content" do
+      subject.content = "Hello <script>alert</script> dearest <b>monster</b>."
+      expect(subject.content).to eq "Hello alert dearest <b>monster</b>."
+    end
+
+    it "sanitises existing HTML in content" do
+      subject[:content] = "Hello <script>alert</script> dearest <b>monster</b>."
+      expect(subject.content).to eq "Hello alert dearest <b>monster</b>."
+    end
+  end
 end