From 23a27c65beeda35d938c4be9ade01bb1a25f694e Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Tue, 14 May 2024 12:25:58 +1000
Subject: [PATCH] Sanitise existing HTML in Enterprise#long_description

We will add a migration to sanitise all existing descriptions but before we do that destructive action, it's good to test this in a read-only fashion first.
---
 app/models/enterprise.rb | 5 +++++
 spec/models/enterprise_spec.rb | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/app/models/enterprise.rb b/app/models/enterprise.rb
index fdad5f4814..4af0fa374e 100644
--- a/app/models/enterprise.rb
+++ b/app/models/enterprise.rb
@@ -247,6 +247,11 @@ class Enterprise < ApplicationRecord
     count(distinct: true)
   end
 
+  # Remove any unsupported HTML.
+  def long_description
+    HtmlSanitizer.sanitize(super)
+  end
+
   # Remove any unsupported HTML.
   def long_description=(html)
     super(HtmlSanitizer.sanitize(html))
diff --git a/spec/models/enterprise_spec.rb b/spec/models/enterprise_spec.rb
index b853031c23..6b1fd9059c 100644
--- a/spec/models/enterprise_spec.rb
+++ b/spec/models/enterprise_spec.rb
@@ -403,6 +403,11 @@ RSpec.describe Enterprise do
       subject.long_description = "Hello dearest monster."
       expect(subject.long_description).to eq "Hello alert dearest monster."
     end
+
+    it "sanitises existing HTML in long_description" do
+      subject[:long_description] = "Hello dearest monster."
+      expect(subject.long_description).to eq "Hello alert dearest monster."
+    end
   end
 
   describe "callbacks" do
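Review bot: The new `long_description` reader only covers reads that go through the accessor; `read_attribute`, `self[:long_description]`, `attributes`, `as_json`/`to_json` and any serializer or SQL-level export that touches the column directly still return the stored, unsanitised HTML until the migration mentioned in the description runs, so this should not be relied on as an output-escaping boundary on its own. `super` will be nil for records with no description, and whether `HtmlSanitizer.sanitize(nil)` returns nil or raises is not visible here; if it is not nil-safe, guard it: `value = super` / `value && HtmlSanitizer.sanitize(value)`. The copied comment says what the setter's already says; make it say why the reader exists too: `# Sanitise on read as well: rows written before the setter sanitised may still hold unsupported HTML (to be cleaned up by a migration).` The enclosing `Enterprise` class starts and ends outside this hunk.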
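Review bot: The new example asserts only the sanitised read and does not pin the read-only property the commit description promises, namely that the stored value is left untouched; adding `expect(subject[:long_description]).not_to eq subject.long_description` after the existing expectation would catch a future change that starts writing back on read. As rendered, the input literal shows no markup and differs from the expected output only by `alert`, so the tags were presumably lost in rendering; if the spec file really has none, the example would not exercise the sanitiser at all. A nil case is also missing — `subject[:long_description] = nil` followed by `expect(subject.long_description).to be_nil` — assuming the sanitiser is nil-safe, which this diff does not show. The enclosing `describe` block starts outside this hunk.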