Sanitize milestones and label titles

2016-05-04 18:21:57 -03:00 · 2016-05-04 18:21:57 -03:00 · d028863eda
commit d028863eda
parent fad7b392dc
5 changed files with 27 additions and 1 deletions
--- a/app/models/label.rb
+++ b/app/models/label.rb
@ -117,6 +117,11 @@ class Label < ActiveRecord::Base
    LabelsHelper::text_color_for_bg(self.color)
  end

+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, Sanitize.clean(value))
+  end
+
  private

  def label_format_reference(format = :id)
--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@ -129,6 +129,11 @@ class Milestone < ActiveRecord::Base
    nil
  end

+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, value)
+  end
+
  # Sorts the issues for the given IDs.
  #
  # This method runs a single SQL query using a CASE statement to update the
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
      milestone.update_attribute(:title, %{"></a>whatever<a title="})

      doc = reference_filter("milestone #{reference}")
-      expect(doc.text).to eq "milestone #{milestone.title}"
+      expect(doc.text).to eq "milestone \">whatever"
    end

    it 'includes default classes' do
--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@ -55,6 +55,14 @@ describe Label, models: true do
    end
  end

+  describe "#title" do
+    let(:label) { create(:label, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(label.title).to eq("test")
+    end
+  end
+
  describe '#to_reference' do
    context 'using id' do
      it 'returns a String reference to the object' do
--- a/spec/models/milestone_spec.rb
+++ b/spec/models/milestone_spec.rb
@ -34,6 +34,14 @@ describe Milestone, models: true do
  let(:issue) { create(:issue) }
  let(:user) { create(:user) }

+  describe "#title" do
+    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+
+    it "sanitizes title" do
+      expect(milestone.title).to eq("test")
+    end
+  end
+
  describe "unique milestone title per project" do
    it "shouldn't accept the same title in a project twice" do
      new_milestone = Milestone.new(project: milestone.project, title: milestone.title)