From a7dc243db9871cc9791fea40b8f85e492fe585df Mon Sep 17 00:00:00 2001
From: Ana Nunes da Silva
Date: Fri, 24 May 2024 12:50:57 +0100
Subject: [PATCH] Sanitize product description using rails default sanitizer

---
 app/models/spree/product.rb       | 10 ++++++++++
 spec/models/spree/product_spec.rb | 12 ++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/app/models/spree/product.rb b/app/models/spree/product.rb
index d760c329ec..e51f23ac7c 100755
--- a/app/models/spree/product.rb
+++ b/app/models/spree/product.rb
@@ -304,6 +304,16 @@ module Spree
       )
     end
 
+    # Remove any unsupported HTML.
+    def description
+      Rails::HTML::SafeListSanitizer.new.sanitize(super)
+    end
+
+    # # Remove any unsupported HTML.
+    def description=(html)
+      super(Rails::HTML::SafeListSanitizer.new.sanitize(html))
+    end
+
     private
 
     def update_units
diff --git a/spec/models/spree/product_spec.rb b/spec/models/spree/product_spec.rb
index 15667125c3..993b1cb833 100644
--- a/spec/models/spree/product_spec.rb
+++ b/spec/models/spree/product_spec.rb
@@ -748,6 +748,18 @@ module Spree
         expect(e.variants.reload).to be_empty
       end
     end
+
+    describe "serialisation" do
+      it "sanitises HTML in description" do
+        subject.description = "Hello dearest monster."
+        expect(subject.description).to eq "Hello alert dearest monster."
+      end
+
+      it "sanitises existing HTML in description" do
+        subject[:description] = "Hello dearest monster."
+        expect(subject.description).to eq "Hello alert dearest monster."
+      end
+    end
   end
 
   RSpec.describe "product import" do
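Review bot: The new `description` reader only sanitises that one accessor, so any path that reads the raw column — `self[:description]`, `read_attribute`, the `attributes`/`as_json` hashes and any serializer built on them — still returns the unsanitised value that existing rows hold, and the `description=` writer is likewise bypassed by `update_column(s)` and `self[:description] =` (the second spec in this commit depends on exactly that bypass). That limit belongs in the comment rather than the vague `# Remove any unsupported HTML.` (repeated above `description=` with a doubled `# #`), e.g. `# Strip tags and attributes outside the Rails safe list (script, inline event handlers, javascript: URLs). Only this accessor is covered; raw column reads and update_column bypass it.`. If the installed rails-html-sanitizer exposes `Rails::HTML5::SafeListSanitizer`, prefer it so the markup is parsed the way browsers parse it; in recent gem versions the `Rails::HTML::SafeListSanitizer` constant maps to the HTML4 parser — confirm against the version in the lockfile. The enclosing `Spree::Product` class begins and ends outside the hunk.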
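Review bot: The two examples pin a single payload in `subject.description = "Hello … dearest monster."` (the tag text appears stripped in the rendered copy of this patch; presumably a `<script>` element, given the expected `alert` text that survives), so nothing asserts that the safe list keeps the formatting the description is meant to carry or that attribute-based vectors are dropped. Add one example that a formatting tag survives, e.g. `subject.description = "<p>Hello <b>dearest</b> monster.</p>"` expecting the same string back, one for an attribute payload such as `"<a href=\"javascript:alert(1)\">x</a>"` expecting the `href` to be dropped, and a `nil` round-trip so the reader is shown not to raise on an empty description. The `describe "serialisation"` label also misnames what is exercised; `describe "description sanitisation"` reads closer to the examples. The enclosing `RSpec.describe` block closes inside the hunk but opens outside it.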