From d2c6db0d0420beb56443de61dddf5170cb5d4517 Mon Sep 17 00:00:00 2001
From: Ana Nunes da Silva
Date: Mon, 3 Jun 2024 12:10:38 +0100
Subject: [PATCH] Sanitize CustomTab#content
---
 app/models/custom_tab.rb | 10 ++++++++++
 spec/models/custom_tab_spec.rb | 12 ++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/app/models/custom_tab.rb b/app/models/custom_tab.rb
index fca7ffa4ac..d679f254d7 100644
--- a/app/models/custom_tab.rb
+++ b/app/models/custom_tab.rb
@@ -4,4 +4,14 @@ class CustomTab < ApplicationRecord
   belongs_to :enterprise
   validates :title, presence: true, length: { maximum: 20 }
+
+  # Remove any unsupported HTML.
+  def content
+    HtmlSanitizer.sanitize(super)
+  end
+
+  # Remove any unsupported HTML.
+  def content=(html)
+    super(HtmlSanitizer.sanitize(html))
+  end
 end
diff --git a/spec/models/custom_tab_spec.rb b/spec/models/custom_tab_spec.rb
index b35af1c71c..52fa70c38a 100644
--- a/spec/models/custom_tab_spec.rb
+++ b/spec/models/custom_tab_spec.rb
@@ -12,4 +12,16 @@ RSpec.describe CustomTab do
   it { is_expected.to validate_length_of(:title).is_at_most(20) }
   end
+
+  describe "serialisation" do
+    it "sanitises HTML in content" do
+      subject.content = "Hello dearest monster."
+      expect(subject.content).to eq "Hello alert dearest monster."
+    end
+
+    it "sanitises existing HTML in content" do
+      subject[:content] = "Hello dearest monster."
+      expect(subject.content).to eq "Hello alert dearest monster."
+    end
+  end
 end
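Review bot: Sanitising in the `content` reader masks legacy unsanitised rows rather than fixing them, and any path that reads the attribute without going through the Ruby accessor — `self[:content]`, `read_attribute(:content)`, the `attributes` hash, or a query that selects the column directly — still returns the stored markup. If the intent is to cope with data written before this change (which the second spec example suggests), a one-off backfill that re-saves each record through `content=`, or a `before_save` that normalises the attribute, would make the stored value safe as well and let the reader override eventually be dropped. That intent deserves a comment on the reader, e.g. `# Reader is overridden too so content stored before sanitisation was introduced is cleaned on read.`, in place of the duplicated "Remove any unsupported HTML." line. It is also worth confirming that `HtmlSanitizer.sanitize` tolerates `nil`, since a new record with no content reaches both overrides with `nil`; sanitisation here is defence in depth, and the view that renders `content` remains the place where escaping must not be bypassed. The `class CustomTab` header itself lies above the hunk.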
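Review bot: Both examples assert an exact output of `HtmlSanitizer.sanitize`, so the spec pins that helper's rules as much as the model's behaviour; as rendered here the fixture strings carry no markup at all (`"Hello dearest monster."` becoming `"Hello alert dearest monster."`), which suggests tag characters were lost in this view, so the assertions cannot be checked from the page. Neither example covers `content` being `nil`, the state of every new record before content is assigned; an example such as `it "leaves nil content untouched" do expect(subject.content).to be_nil end` would pin that, assuming the sanitiser passes `nil` through. The `describe "serialisation"` label also names a different concern from what the examples exercise; `describe "content sanitisation"` would match them. The enclosing `RSpec.describe CustomTab do` block opens above the hunk.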