Fixes #3138 - Article body gets updated/re-sanitized when updating other Article attribute.

2020-07-29 16:54:40 +02:00 · 2020-07-29 16:54:40 +02:00 · fe2174f0a8
parent 3376037561
commit fe2174f0a8
2 changed files with 20 additions and 0 deletions
--- a/app/models/concerns/checks_html_sanitized.rb
+++ b/app/models/concerns/checks_html_sanitized.rb
@ -12,6 +12,8 @@ module ChecksHtmlSanitized
    return true if html_attributes.blank?

    html_attributes.each do |attribute|
+      next if changes[attribute].blank?
+
      value = send(attribute)

      next if value.blank?
--- a/spec/models/ticket/article_spec.rb
+++ b/spec/models/ticket/article_spec.rb
@ -126,6 +126,24 @@ RSpec.describe Ticket::Article, type: :model do
            <a href="https://example.com" rel="nofollow noreferrer noopener" target="_blank" title="https://example.com">foo</a>
          SANITIZED
        end
+
+        context 'when a sanitization attribute is present' do
+          # ATTENTION: We use `target` here because re-sanitization would change the order of attributes
+          let(:body) { '<a href="https://example.com" target="_blank">foo</a>' }
+
+          it 'adds sanitization attributes' do
+            expect(article.body).to eq(<<~SANITIZED.chomp)
+              <a href="https://example.com" rel="nofollow noreferrer noopener" target="_blank" title="https://example.com">foo</a>
+            SANITIZED
+          end
+
+          context 'when changing an unrelated attribute' do
+
+            it "doesn't re-sanitizes the body" do
+              expect { article.update!(message_id: 'test') }.not_to change { article.reload.body }
+            end
+          end
+        end
      end

      context 'for all cases above, combined' do