no permitir html en las strings

This commit is contained in:
f 2020-07-02 11:26:00 -03:00
parent 036387dbe0
commit d1df64e44c
6 changed files with 23 additions and 4 deletions

View file

@ -46,6 +46,7 @@ gem 'devise-i18n'
gem 'devise_invitable' gem 'devise_invitable'
gem 'email_address' gem 'email_address'
gem 'exception_notification' gem 'exception_notification'
gem 'fast_blank'
gem 'friendly_id' gem 'friendly_id'
gem 'hamlit-rails' gem 'hamlit-rails'
gem 'hiredis' gem 'hiredis'

View file

@ -170,6 +170,7 @@ GEM
factory_bot_rails (5.2.0) factory_bot_rails (5.2.0)
factory_bot (~> 5.2.0) factory_bot (~> 5.2.0)
railties (>= 4.2.0) railties (>= 4.2.0)
fast_blank (1.0.0)
ffi (1.13.1) ffi (1.13.1)
flamegraph (0.9.5) flamegraph (0.9.5)
forwardable-extended (2.6.0) forwardable-extended (2.6.0)
@ -525,6 +526,7 @@ DEPENDENCIES
email_address email_address
exception_notification exception_notification
factory_bot_rails factory_bot_rails
fast_blank
flamegraph flamegraph
friendly_id friendly_id
haml-lint haml-lint

View file

@ -20,7 +20,7 @@ class MetadataBelongsTo < MetadataRelatedPosts
def validate def validate
super super
errors << I18n.t('metadata.belongs_to.missing_post') unless !value.blank? && posts.find(sanitize(value), uuid: true) errors << I18n.t('metadata.belongs_to.missing_post') unless post_exists?
errors.empty? errors.empty?
end end
@ -30,4 +30,8 @@ class MetadataBelongsTo < MetadataRelatedPosts
def sanitize(uuid) def sanitize(uuid)
uuid.gsub(/[^a-f0-9\-]/, '') uuid.gsub(/[^a-f0-9\-]/, '')
end end
def post_exists?
!value.blank? && posts.find(sanitize(value), uuid: true)
end
end end

View file

@ -9,8 +9,8 @@ class MetadataMarkdownContent < MetadataContent
end end
# XXX: No sanitizamos acá porque se escapan varios símbolos de # XXX: No sanitizamos acá porque se escapan varios símbolos de
# markdown y se eliminan autolinks. Mejor es habilitar la generación # markdown y se eliminan autolinks. Mejor es deshabilitar la
# SAFE de CommonMark en la configuración del sitio. # generación SAFE de CommonMark en la configuración del sitio.
def sanitize(string) def sanitize(string)
string string
end end

View file

@ -6,4 +6,16 @@ class MetadataString < MetadataTemplate
def default_value def default_value
'' ''
end end
private
# No se permite HTML en las strings
def sanitize(string)
return '' if string.blank?
sanitizer.sanitize(string.strip,
tags: [],
attributes: [],
scrubber: scrubber).strip.html_safe
end
end end

View file

@ -39,7 +39,7 @@ MetadataTemplate = Struct.new(:site, :document, :name, :label, :type,
def validate def validate
self.errors = [] self.errors = []
errors << I18n.t("metadata.cant_be_empty") unless can_be_empty? errors << I18n.t('metadata.cant_be_empty') unless can_be_empty?
errors.empty? errors.empty?
end end