Sanitize milestones and label titles

d028863e · Felipe Artur · fad7b392 · d028863e · d028863e · d028863e
Commit d028863e authored May 04, 2016 by Felipe Artur
5 changed files
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -117,6 +117,11 @@ class Label < ActiveRecord::Base
    LabelsHelper::text_color_for_bg(self.color)
  end
+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, Sanitize.clean(value))
+  end
  private
  def label_format_reference(format = :id)

--- a/app/models/milestone.rb
+++ b/app/models/milestone.rb
@@ -129,6 +129,11 @@ class Milestone < ActiveRecord::Base
    nil
  end
+  def title= value
+    value = Sanitize.clean(value.to_s) if value
+    write_attribute(:title, value)
+  end
  # Sorts the issues for the given IDs.
  #
  # This method runs a single SQL query using a CASE statement to update the

--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -43,7 +43,7 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
      milestone.update_attribute(:title, %{"></a>whatever<a title="})
      doc = reference_filter("milestone #{reference}")
-      expect(doc.text).to eq "milestone #{milestone.title}"
+      expect(doc.text).to eq "milestone \">whatever"
    end
    it 'includes default classes' do

--- a/spec/models/label_spec.rb
+++ b/spec/models/label_spec.rb
@@ -55,6 +55,14 @@ describe Label, models: true do
    end
  end
+  describe "#title" do
+    let(:label) { create(:label, title: "<b>test</b>") }
+    it "sanitizes title" do
+      expect(label.title).to eq("test")
+    end
+  end
  describe '#to_reference' do
    context 'using id' do
      it 'returns a String reference to the object' do

--- a/spec/models/milestone_spec.rb
+++ b/spec/models/milestone_spec.rb
@@ -34,6 +34,14 @@ describe Milestone, models: true do
  let(:issue) { create(:issue) }
  let(:user) { create(:user) }
+  describe "#title" do
+    let(:milestone) { create(:milestone, title: "<b>test</b>") }
+    it "sanitizes title" do
+      expect(milestone.title).to eq("test")
+    end
+  end
  describe "unique milestone title per project" do
    it "shouldn't accept the same title in a project twice" do
      new_milestone = Milestone.new(project: milestone.project, title: milestone.title)