From d1df64e44cb6548b5c7d1896dbd037fb1718e7d5 Mon Sep 17 00:00:00 2001
From: f
Date: Thu, 2 Jul 2020 11:26:00 -0300
Subject: [PATCH] no permitir html en las strings

---
 Gemfile | 1 +
 Gemfile.lock | 2 ++
 app/models/metadata_belongs_to.rb | 6 +++++-
 app/models/metadata_markdown_content.rb | 4 ++--
 app/models/metadata_string.rb | 12 ++++++++++++
 app/models/metadata_template.rb | 2 +-
 6 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/Gemfile b/Gemfile
index 8b6a215c..d1334627 100644
--- a/Gemfile
+++ b/Gemfile
@@ -46,6 +46,7 @@ gem 'devise-i18n'
 gem 'devise_invitable'
 gem 'email_address'
 gem 'exception_notification'
+gem 'fast_blank'
 gem 'friendly_id'
 gem 'hamlit-rails'
 gem 'hiredis'
diff --git a/Gemfile.lock b/Gemfile.lock
index 2ce54845..536c439e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -170,6 +170,7 @@ GEM
 factory_bot_rails (5.2.0)
 factory_bot (~> 5.2.0)
 railties (>= 4.2.0)
+ fast_blank (1.0.0)
 ffi (1.13.1)
 flamegraph (0.9.5)
 forwardable-extended (2.6.0)
@@ -525,6 +526,7 @@ DEPENDENCIES
 email_address
 exception_notification
 factory_bot_rails
+ fast_blank
 flamegraph
 friendly_id
 haml-lint
diff --git a/app/models/metadata_belongs_to.rb b/app/models/metadata_belongs_to.rb
index 89b4676f..941273a7 100644
--- a/app/models/metadata_belongs_to.rb
+++ b/app/models/metadata_belongs_to.rb
@@ -20,7 +20,7 @@ class MetadataBelongsTo < MetadataRelatedPosts
 def validate
 super
 
- errors << I18n.t('metadata.belongs_to.missing_post') unless !value.blank? && posts.find(sanitize(value), uuid: true)
+ errors << I18n.t('metadata.belongs_to.missing_post') unless post_exists?
 
 errors.empty?
 end
@@ -30,4 +30,8 @@ class MetadataBelongsTo < MetadataRelatedPosts
 def sanitize(uuid)
 uuid.gsub(/[^a-f0-9\-]/, '')
 end
+
+ def post_exists?
+ !value.blank? && posts.find(sanitize(value), uuid: true)
+ end
 end
diff --git a/app/models/metadata_markdown_content.rb b/app/models/metadata_markdown_content.rb
index 890ffff5..509088db 100644
--- a/app/models/metadata_markdown_content.rb
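Review bot: `post_exists?` in the second hunk is a `?` method that returns whatever `posts.find(sanitize(value), uuid: true)` returns rather than a boolean, so `validate` now branches on a post object; `value.present? && posts.find(sanitize(value), uuid: true).present?` keeps the predicate contract and also replaces the `!value.blank?` double negative. Whether the new method ends up in the class's private section depends on a `private` marker outside the hunk that I cannot see; if `validate` is its only caller it should be private. The `sanitize` it routes through, unchanged here, keeps only lowercase hex and dashes, so an uppercase UUID is silently mangled before the lookup rather than rejected, which deserves a comment on `sanitize` if that is intended.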
+++ b/app/models/metadata_markdown_content.rb
@@ -9,8 +9,8 @@ class MetadataMarkdownContent < MetadataContent
 end
 
 # XXX: No sanitizamos acá porque se escapan varios símbolos de
- # markdown y se eliminan autolinks. Mejor es habilitar la generación
- # SAFE de CommonMark en la configuración del sitio.
+ # markdown y se eliminan autolinks. Mejor es deshabilitar la
+ # generación SAFE de CommonMark en la configuración del sitio.
 def sanitize(string)
 string
 end
diff --git a/app/models/metadata_string.rb b/app/models/metadata_string.rb
index 4cc2ff1f..d1008748 100644
--- a/app/models/metadata_string.rb
+++ b/app/models/metadata_string.rb
@@ -6,4 +6,16 @@ class MetadataString < MetadataTemplate
 def default_value
 ''
 end
+
+ private
+
+ # No se permite HTML en las strings
+ def sanitize(string)
+ return '' if string.blank?
+
+ sanitizer.sanitize(string.strip,
+ tags: [],
+ attributes: [],
+ scrubber: scrubber).strip.html_safe
+ end
 end
diff --git a/app/models/metadata_template.rb b/app/models/metadata_template.rb
index fcca637f..6d490b5f 100644
--- a/app/models/metadata_template.rb
+++ b/app/models/metadata_template.rb
@@ -39,7 +39,7 @@ MetadataTemplate = Struct.new(:site, :document, :name, :label, :type,
 def validate
 self.errors = []
 
- errors << I18n.t("metadata.cant_be_empty") unless can_be_empty?
+ errors << I18n.t('metadata.cant_be_empty') unless can_be_empty?
 
 errors.empty?
 end
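Review bot: The rewritten comment now recommends disabling CommonMark's SAFE generation in the site configuration while the `sanitize` directly below it still returns `string` untouched, so with both in place raw HTML in markdown content reaches the renderer with no filtering at this layer. If the flip from "habilitar" to "deshabilitar" is intentional because filtering happens elsewhere, the comment should name that layer, e.g. `# XXX: raw HTML is not filtered here; <layer> is responsible for it`; if it was a slip, the earlier wording (enable SAFE mode) was the safer advice. The enclosing class continues outside the hunk, so I cannot see whether another override handles this.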
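Review bot: In the new `sanitize`, `tags: []` and `attributes: []` are dead options whenever `scrubber` returns a non-nil scrubber: rails-html-sanitizer's `SafeListSanitizer#sanitize` scrubs with a supplied `scrubber:` in place of its permit scrubber and ignores `tags:`/`attributes:` in that case (they only apply when `scrubber` is nil), so the "no HTML" guarantee rests entirely on what `scrubber`, defined outside the hunk, removes, and `.html_safe` then marks that output as trusted for the views. If the intent is to strip every element, `sanitizer.sanitize(string.strip, tags: [], attributes: []).strip.html_safe` states it without that dependency; if the project's scrubber is required, drop the ignored options and say in the comment what the scrubber leaves in. Declaring the override under `private` also narrows it relative to whatever visibility the base class gives `sanitize`; the sibling overrides in metadata_belongs_to.rb and metadata_markdown_content.rb show no `private` marker in their hunks, so a caller outside the object would raise NoMethodError for this subclass only — worth confirming against the base class.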