Topic was not sanitizing <b> and <img> tags from titles

This commit is contained in:
Robin Ward 2013-03-06 11:36:42 -05:00
parent e8eb60fe78
commit 30aae8e793
2 changed files with 14 additions and 4 deletions


@ -71,7 +71,7 @@ class Topic < ActiveRecord::Base
before_validation do
if title.present?
self.title = sanitize(title)
self.title = sanitize(title, tags: [], attributes: [])
self.title.strip!
end
end
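Review bot: Stripping an element with `tags: []` leaves the whitespace around it behind, so a title like `topic with <img src='something'> image in its title` comes out with two spaces between "with" and "image", and the `strip!` on the following line only trims the ends; unless something elsewhere in the model collapses whitespace, this will not match the single-spaced result the new spec expects. If that single-spaced form is the intended contract, normalize after sanitizing, e.g. `self.title = sanitize(title, tags: [], attributes: []).squish`, which also makes the separate `strip!` redundant. A short comment on the new line would help the next reader, since an empty whitelist removes markup rather than escaping it: `# Empty whitelist: strip every tag (and script content) from the title instead of escaping it`. The enclosing `class Topic` body starts outside the hunk.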


@ -110,10 +110,20 @@ describe Topic do
end
context 'html in title' do
let(:topic) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) }
let(:topic_bold) { Fabricate(:topic, title: "topic with <b>bold</b> text in its title" ) }
let(:topic_image) { Fabricate(:topic, title: "topic with <img src='something'> image in its title" ) }
let(:topic_script) { Fabricate(:topic, title: "<script>alert('title')</script> is my topic title" ) }
it "should escape the HTML" do
topic.title.should == "is my topic title"
it "escapes script contents" do
topic_script.title.should == "is my topic title"
end
it "escapes bold contents" do
topic_bold.title.should == "topic with bold text in its title"
end
it "escapes bold contents" do
topic_image.title.should == "topic with image in its title"
end
end