Commit 4f47de62 authored by Nathan Neulinger's avatar Nathan Neulinger

Stop sanitizing user 'name' when inserting into db

Add spec tests for encoding
parent 571c4f5a
...@@ -699,7 +699,7 @@ class User < ActiveRecord::Base ...@@ -699,7 +699,7 @@ class User < ActiveRecord::Base
end end
def sanitize_attrs def sanitize_attrs
%w[name username skype linkedin twitter].each do |attr| %w[username skype linkedin twitter].each do |attr|
value = public_send(attr) value = public_send(attr)
public_send("#{attr}=", Sanitize.clean(value)) if value.present? public_send("#{attr}=", Sanitize.clean(value)) if value.present?
end end
......
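Review bot: Removing `name` from the list at the top of `sanitize_attrs` means the stored name can now contain raw `<`, `>` and `&`, so the model no longer strips markup from that field and every place that renders it must rely on output escaping; nothing in the method records that shift. A comment on the `%w[...]` line would make the contract explicit, e.g. `# name is intentionally stored verbatim and must be HTML-escaped at render time (never passed through raw/html_safe)`. It is worth checking that no view, mailer or helper outputs `user.name` via `raw`/`html_safe` or string-builds HTML from it, since `Sanitize.clean` previously covered those paths. The enclosing `class User` continues outside the hunk.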
---
title: "Insert user name directly without encoding"
merge_request: 10085
author: Nathan Neulinger <nneul@neulinger.org>
...@@ -1159,6 +1159,18 @@ describe User, models: true do ...@@ -1159,6 +1159,18 @@ describe User, models: true do
end end
end end
describe '#sanitize_attrs' do
let(:user) { build(:user, name: 'test & user', skype: 'test&user') }
it 'encodes HTML entities in the Skype attribute' do
expect { user.sanitize_attrs }.to change { user.skype }.to('test&amp;user')
end
it 'does not encode HTML entities in the name attribute' do
expect { user.sanitize_attrs }.not_to change { user.name }
end
end
describe '#starred?' do describe '#starred?' do
it 'determines if user starred a project' do it 'determines if user starred a project' do
user = create :user user = create :user
......
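Review bot: The name example only exercises `&`; since the purpose of the change is that `name` is stored verbatim, an example containing actual markup would pin that behaviour rather than just the entity case, e.g. `let(:user) { build(:user, name: 'test <b>user</b>', skype: 'test&user') }` together with the existing `expect { user.sanitize_attrs }.not_to change { user.name }`. The Skype example likewise only shows `&` becoming `&amp;`; a second example with a tag in the value would document what `Sanitize.clean` does to the attributes that remain in the list. Whether `sanitize_attrs` runs automatically as a save callback is not visible from this hunk, so the spec calling it directly is the only coverage shown here.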