From cc94a76567589fe8f97239aa430295bc3ea79da2 Mon Sep 17 00:00:00 2001
From: f <f@sutty.nl>
Date: Thu, 1 Aug 2019 20:13:38 -0300
Subject: [PATCH] no permitir html en description ni title

---
 app/lib/core_extensions/string/strip_tags.rb | 12 ++++++++++++
 app/models/site.rb                           |  9 +++++++++
 config/initializers/core_extensions.rb       |  3 +++
 doc/crear_sitios.md                          |  6 +++---
 test/models/site_test.rb                     |  9 +++++++++
 5 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 app/lib/core_extensions/string/strip_tags.rb
 create mode 100644 config/initializers/core_extensions.rb

diff --git a/app/lib/core_extensions/string/strip_tags.rb b/app/lib/core_extensions/string/strip_tags.rb
new file mode 100644
index 00000000..76e35f8b
--- /dev/null
+++ b/app/lib/core_extensions/string/strip_tags.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module CoreExtensions
+  module String
+    # Elimina el HTML
+    module StripTags
+      def strip_tags
+        ActionController::Base.helpers.strip_tags(self)
+      end
+    end
+  end
+end
diff --git a/app/models/site.rb b/app/models/site.rb
index 6c537e0b..354e376a 100644
--- a/app/models/site.rb
+++ b/app/models/site.rb
@@ -41,6 +41,15 @@ class Site < ApplicationRecord
 
   accepts_nested_attributes_for :deploys, allow_destroy: true
 
+  # No permitir HTML en estos atributos
+  def title=(title)
+    super(title.strip_tags)
+  end
+
+  def description=(description)
+    super(description.strip_tags)
+  end
+
   # El repositorio git para este sitio
   def repository
     @repository ||= Site::Repository.new path
diff --git a/config/initializers/core_extensions.rb b/config/initializers/core_extensions.rb
new file mode 100644
index 00000000..2207fe85
--- /dev/null
+++ b/config/initializers/core_extensions.rb
@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+String.include CoreExtensions::String::StripTags
diff --git a/doc/crear_sitios.md b/doc/crear_sitios.md
index a70173c4..7f6bd8af 100644
--- a/doc/crear_sitios.md
+++ b/doc/crear_sitios.md
@@ -218,7 +218,7 @@ tengamos tiempo de hacerlo realmente.
 
 * ver las estadisticas de compilación en lugar del log (el log también)
 * comitear en git los articulos (igual no es de esta rama...)
-* sanitizar titulo y descripcion, tambien escapar
-* al crear el sitio incorporar politica de privacidad y codigo de
-  convivencia
 * link a visitar sitio
+* editor de opciones
+* forkear gemas
+* que les usuaries elijan su propio idioma
diff --git a/test/models/site_test.rb b/test/models/site_test.rb
index b74daaf2..438ef820 100644
--- a/test/models/site_test.rb
+++ b/test/models/site_test.rb
@@ -76,4 +76,13 @@ class SiteTest < ActiveSupport::TestCase
     assert File.directory?(@site.path)
     assert_not File.directory?(path)
   end
+
+  test 'no se puede guardar html en title y description' do
+    site = build :site
+    site.description = "<a href='hola'>hola</a><script>alert('pwned')</script>"
+    site.title = "<a href='hola'>hola</a><script>alert('pwned')</script>"
+
+    assert_equal 'hola', site.description
+    assert_equal 'hola', site.title
+  end
 end