Sanitize CustomTab#content

This commit is contained in:
Ana Nunes da Silva
2024-06-03 12:10:38 +01:00
committed by Sigmund Petersen
parent 25d375bf8e
commit d2c6db0d04
2 changed files with 22 additions and 0 deletions


@@ -4,4 +4,14 @@ class CustomTab < ApplicationRecord
belongs_to :enterprise
validates :title, presence: true, length: { maximum: 20 }
# Remove any unsupported HTML.
def content
HtmlSanitizer.sanitize(super)
end
# Remove any unsupported HTML.
def content=(html)
super(HtmlSanitizer.sanitize(html))
end
end
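Review bot: The reader-side sanitisation in `content` only protects callers that go through the accessor; `self[:content]`, `read_attribute(:content)`, `attributes` and `as_json` still return the stored value, so rows written before this commit keep their unsanitised HTML on those paths until they are re-saved through the new setter. A one-off re-save of existing rows (or a note in the model stating that only the accessor is sanitised) would close that gap. The nil case is also not visible here: if `HtmlSanitizer.sanitize(nil)` does not pass nil through, `content = nil` will now store an empty string rather than NULL, which is worth confirming. The two identical `# Remove any unsupported HTML.` comments could be merged into one comment above both methods, e.g. `# Strip unsupported HTML on both read (legacy rows) and write.`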


@@ -12,4 +12,16 @@ RSpec.describe CustomTab do
it { is_expected.to validate_length_of(:title).is_at_most(20) }
end
describe "serialisation" do
it "sanitises HTML in content" do
subject.content = "Hello <script>alert</script> dearest <b>monster</b>."
expect(subject.content).to eq "Hello alert dearest <b>monster</b>."
end
it "sanitises existing HTML in content" do
subject[:content] = "Hello <script>alert</script> dearest <b>monster</b>."
expect(subject.content).to eq "Hello alert dearest <b>monster</b>."
end
end
end
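Review bot: The two examples cover only a `<script>` tag round-tripped through `content`; nothing asserts what happens when the column is nil or blank, which is the case most likely to regress if the sanitiser does not accept nil, e.g. `it "passes nil through" do subject.content = nil; expect(subject.content).to be_nil end` (expected value to be confirmed against HtmlSanitizer). The second example also reads back through the sanitising getter, so it does not show whether the raw stored value was left untouched; an `expect(subject[:content]).to include "<script>"` assertion would make the read-side-only behaviour explicit. The `describe "serialisation"` label is a misnomer for these examples; `describe "sanitisation"` matches what they test.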