Sanitize milestones and label titles

This commit is contained in:
Felipe Artur 2016-05-04 18:21:57 -03:00
parent fad7b392dc
commit d028863eda
5 changed files with 27 additions and 1 deletions

View file

@ -117,6 +117,11 @@ class Label < ActiveRecord::Base
LabelsHelper::text_color_for_bg(self.color) LabelsHelper::text_color_for_bg(self.color)
end end
def title= value
value = Sanitize.clean(value.to_s) if value
write_attribute(:title, Sanitize.clean(value))
end
private private
def label_format_reference(format = :id) def label_format_reference(format = :id)

View file

@ -129,6 +129,11 @@ class Milestone < ActiveRecord::Base
nil nil
end end
def title= value
value = Sanitize.clean(value.to_s) if value
write_attribute(:title, value)
end
# Sorts the issues for the given IDs. # Sorts the issues for the given IDs.
# #
# This method runs a single SQL query using a CASE statement to update the # This method runs a single SQL query using a CASE statement to update the

View file

@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
milestone.update_attribute(:title, %{"></a>whatever<a title="}) milestone.update_attribute(:title, %{"></a>whatever<a title="})
doc = reference_filter("milestone #{reference}") doc = reference_filter("milestone #{reference}")
expect(doc.text).to eq "milestone #{milestone.title}" expect(doc.text).to eq "milestone \">whatever"
end end
it 'includes default classes' do it 'includes default classes' do

View file

@ -55,6 +55,14 @@ describe Label, models: true do
end end
end end
describe "#title" do
let(:label) { create(:label, title: "<b>test</b>") }
it "sanitizes title" do
expect(label.title).to eq("test")
end
end
describe '#to_reference' do describe '#to_reference' do
context 'using id' do context 'using id' do
it 'returns a String reference to the object' do it 'returns a String reference to the object' do

View file

@ -34,6 +34,14 @@ describe Milestone, models: true do
let(:issue) { create(:issue) } let(:issue) { create(:issue) }
let(:user) { create(:user) } let(:user) { create(:user) }
describe "#title" do
let(:milestone) { create(:milestone, title: "<b>test</b>") }
it "sanitizes title" do
expect(milestone.title).to eq("test")
end
end
describe "unique milestone title per project" do describe "unique milestone title per project" do
it "shouldn't accept the same title in a project twice" do it "shouldn't accept the same title in a project twice" do
new_milestone = Milestone.new(project: milestone.project, title: milestone.title) new_milestone = Milestone.new(project: milestone.project, title: milestone.title)