no permitir html en las strings
This commit is contained in:
parent
036387dbe0
commit
d1df64e44c
6 changed files with 23 additions and 4 deletions
1
Gemfile
1
Gemfile
|
@ -46,6 +46,7 @@ gem 'devise-i18n'
|
|||
gem 'devise_invitable'
|
||||
gem 'email_address'
|
||||
gem 'exception_notification'
|
||||
gem 'fast_blank'
|
||||
gem 'friendly_id'
|
||||
gem 'hamlit-rails'
|
||||
gem 'hiredis'
|
||||
|
|
|
@ -170,6 +170,7 @@ GEM
|
|||
factory_bot_rails (5.2.0)
|
||||
factory_bot (~> 5.2.0)
|
||||
railties (>= 4.2.0)
|
||||
fast_blank (1.0.0)
|
||||
ffi (1.13.1)
|
||||
flamegraph (0.9.5)
|
||||
forwardable-extended (2.6.0)
|
||||
|
@ -525,6 +526,7 @@ DEPENDENCIES
|
|||
email_address
|
||||
exception_notification
|
||||
factory_bot_rails
|
||||
fast_blank
|
||||
flamegraph
|
||||
friendly_id
|
||||
haml-lint
|
||||
|
|
|
@ -20,7 +20,7 @@ class MetadataBelongsTo < MetadataRelatedPosts
|
|||
def validate
|
||||
super
|
||||
|
||||
errors << I18n.t('metadata.belongs_to.missing_post') unless !value.blank? && posts.find(sanitize(value), uuid: true)
|
||||
errors << I18n.t('metadata.belongs_to.missing_post') unless post_exists?
|
||||
|
||||
errors.empty?
|
||||
end
|
||||
|
@ -30,4 +30,8 @@ class MetadataBelongsTo < MetadataRelatedPosts
|
|||
def sanitize(uuid)
|
||||
uuid.gsub(/[^a-f0-9\-]/, '')
|
||||
end
|
||||
|
||||
def post_exists?
|
||||
!value.blank? && posts.find(sanitize(value), uuid: true)
|
||||
end
|
||||
end
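Review bot: `post_exists?` is named as a predicate but returns whatever `posts.find(sanitize(value), uuid: true)` returns, so callers get the found record (or nil/false) rather than a boolean; `!!posts.find(...)` or `.present?` on the result would make the `?` contract hold. If `posts.find` raises instead of returning nil when nothing matches, the `unless post_exists?` branch in `validate` is never reached and the failure surfaces as an exception, which is worth confirming against the `posts` implementation. `!value.blank?` reads more idiomatically as `value.present?`. The enclosing class `MetadataBelongsTo` begins outside the hunk.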
|
||||
|
|
|
@ -9,8 +9,8 @@ class MetadataMarkdownContent < MetadataContent
|
|||
end
|
||||
|
||||
# XXX: No sanitizamos acá porque se escapan varios símbolos de
|
||||
# markdown y se eliminan autolinks. Mejor es habilitar la generación
|
||||
# SAFE de CommonMark en la configuración del sitio.
|
||||
# markdown y se eliminan autolinks. Mejor es deshabilitar la
|
||||
# generación SAFE de CommonMark en la configuración del sitio.
|
||||
def sanitize(string)
|
||||
string
|
||||
end
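Review bot: The reworded comment now advises disabling CommonMark's SAFE generation while `sanitize` stays a pass-through, so raw HTML embedded in markdown content would leave this class untouched and, with SAFE off, reach the rendered page with no sanitization step in between. If the flip from "habilitar" to "deshabilitar" is intentional, the comment should name where HTML inside markdown is neutralized instead; if it is not, the previous wording was the safer one. Suggested addition to the comment: `# NOTE(review): raw HTML inside markdown is not filtered here; confirm the render pipeline escapes or strips it.` The enclosing class `MetadataMarkdownContent` begins outside the hunk.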
|
||||
|
|
|
@ -6,4 +6,16 @@ class MetadataString < MetadataTemplate
|
|||
def default_value
|
||||
''
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
# No se permite HTML en las strings
|
||||
def sanitize(string)
|
||||
return '' if string.blank?
|
||||
|
||||
sanitizer.sanitize(string.strip,
|
||||
tags: [],
|
||||
attributes: [],
|
||||
scrubber: scrubber).strip.html_safe
|
||||
end
|
||||
end
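Review bot: `sanitize` marks the scrubbed result `.html_safe`, so anything the `scrubber` lets through is emitted unescaped by views; with `tags: []` and `attributes: []` that should be text only, but the guarantee now rests on `scrubber` and `sanitizer`, both defined outside this hunk, and a comment should state that dependency: `# Marked html_safe: whatever the scrubber leaves is rendered verbatim, so it must strip every tag and attribute.` `string.strip` also assumes a String; if a non-String value (an Array from a form parameter, for instance) can reach this method, `.strip` raises NoMethodError, and `string.to_s.strip` would be the defensive form. The enclosing class `MetadataString` begins outside the hunk.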
|
||||
|
|
|
@ -39,7 +39,7 @@ MetadataTemplate = Struct.new(:site, :document, :name, :label, :type,
|
|||
def validate
|
||||
self.errors = []
|
||||
|
||||
errors << I18n.t("metadata.cant_be_empty") unless can_be_empty?
|
||||
errors << I18n.t('metadata.cant_be_empty') unless can_be_empty?
|
||||
|
||||
errors.empty?
|
||||
end
|
||||
|
|