no permitir html en las strings

This commit is contained in:
f 2020-07-02 11:26:00 -03:00
parent 036387dbe0
commit d1df64e44c
6 changed files with 23 additions and 4 deletions


@ -46,6 +46,7 @@ gem 'devise-i18n'
gem 'devise_invitable'
gem 'email_address'
gem 'exception_notification'
gem 'fast_blank'
gem 'friendly_id'
gem 'hamlit-rails'
gem 'hiredis'


@ -170,6 +170,7 @@ GEM
factory_bot_rails (5.2.0)
factory_bot (~> 5.2.0)
railties (>= 4.2.0)
fast_blank (1.0.0)
ffi (1.13.1)
flamegraph (0.9.5)
forwardable-extended (2.6.0)
@ -525,6 +526,7 @@ DEPENDENCIES
email_address
exception_notification
factory_bot_rails
fast_blank
flamegraph
friendly_id
haml-lint


@ -20,7 +20,7 @@ class MetadataBelongsTo < MetadataRelatedPosts
def validate
super
errors << I18n.t('metadata.belongs_to.missing_post') unless !value.blank? && posts.find(sanitize(value), uuid: true)
errors << I18n.t('metadata.belongs_to.missing_post') unless post_exists?
errors.empty?
end
@ -30,4 +30,8 @@ class MetadataBelongsTo < MetadataRelatedPosts
def sanitize(uuid)
uuid.gsub(/[^a-f0-9\-]/, '')
end
def post_exists?
!value.blank? && posts.find(sanitize(value), uuid: true)
end
end
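Review bot: The new `post_exists?` (line 52) feeds `value` through `sanitize`, whose regex `/[^a-f0-9\-]/` drops uppercase hex, so a UUID submitted as `ABCDEF…` is silently mangled into a different string and the lookup fails with a "missing post" error instead of being normalised or rejected. UUIDs are case-insensitive, so either normalise first, `posts.find(sanitize(value.to_s.downcase), uuid: true)`, or treat a stripped result that differs from the input as invalid — silently deleting characters from an identifier hides tampering and typos alike. `!value.blank?` is the only guard, so a non-String value (an Array from YAML, say) would reach `gsub` and raise NoMethodError; `value.to_s` closes that too, if the callers can supply non-strings, which I cannot see from here. The predicate also returns the found post rather than a boolean — fine under `unless`, but `.present?` on the lookup would make it an honest `?` method.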


@ -9,8 +9,8 @@ class MetadataMarkdownContent < MetadataContent
end
# XXX: No sanitizamos acá porque se escapan varios símbolos de
# markdown y se eliminan autolinks. Mejor es habilitar la generación
# SAFE de CommonMark en la configuración del sitio.
# markdown y se eliminan autolinks. Mejor es deshabilitar la
# generación SAFE de CommonMark en la configuración del sitio.
def sanitize(string)
string
end
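Review bot: The reworded comment (lines 64–65) now recommends *disabling* CommonMark's SAFE generation, which is the opposite of the previous wording and, as far as I can tell, the opposite of this commit's stated goal of not allowing HTML: in CommonMark, SAFE mode is what strips raw HTML and dangerous link schemes at render time, so disabling it lets raw HTML through while `sanitize` here remains the identity. If markdown fields must not carry HTML, the comment should say "enable" and name the site option that does it; if HTML in markdown is intended, say so explicitly, e.g. `# XXX: Not sanitized here: the HTML sanitizer escapes markdown syntax and drops autolinks. Raw HTML in markdown is controlled at render time by the site's CommonMark SAFE setting.` Either way a reader of this class should be able to tell which renderer setting this no-op `sanitize` relies on.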


@ -6,4 +6,16 @@ class MetadataString < MetadataTemplate
def default_value
''
end
private
# No se permite HTML en las strings
def sanitize(string)
return '' if string.blank?
sanitizer.sanitize(string.strip,
tags: [],
attributes: [],
scrubber: scrubber).strip.html_safe
end
end
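Review bot: The `sanitizer.sanitize(...)` call at lines 80–83 passes both empty allowlists and a `scrubber:`; in rails-html-sanitizer's SafeListSanitizer a `scrubber:` option takes precedence and `tags:`/`attributes:` are then ignored, so whether HTML is really stripped here depends entirely on what `scrubber` (defined outside this hunk, presumably on MetadataTemplate) permits — and the result is then marked `html_safe`, so anything that scrubber lets through is rendered unescaped. If the policy is "no tags at all", drop the scrubber argument, `sanitizer.sanitize(string.strip, tags: [], attributes: [])`, or keep a scrubber known to strip everything and drop the no-op allowlists; in both cases add a test feeding `<script>`, an `<a href="javascript:…">` and an unclosed tag and asserting only text survives. The `html_safe` deserves a comment recording the trade-off, since the sanitizer output is entity-encoded text and marking it safe avoids double escaping in views but turns any future loosening of the scrubber into an XSS sink, e.g. `# Output is entity-encoded text; html_safe only avoids double escaping in views, it is not a promise that any tag was kept.` Finally, `string.blank?` guards only nil/empty, so a non-String value would raise on `.strip`; `string.to_s.strip` is cheap insurance if callers can pass other types, which I cannot see from here.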


@ -39,7 +39,7 @@ MetadataTemplate = Struct.new(:site, :document, :name, :label, :type,
def validate
self.errors = []
errors << I18n.t("metadata.cant_be_empty") unless can_be_empty?
errors << I18n.t('metadata.cant_be_empty') unless can_be_empty?
errors.empty?
end