amelioration(sanitize): assainie aussi les balises <img>

This commit is contained in:
Martin 2022-12-01 17:36:53 +01:00 committed by mfo
parent 13e5d6bb0d
commit 235da8b04a
2 changed files with 6 additions and 1 deletions


@ -41,7 +41,7 @@ module TPS
config.assets.precompile += ['.woff']
default_allowed_tags = ActionView::Base.sanitized_allowed_tags
config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u']
config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u'] - ['img']
# ActionDispatch's IP spoofing detection is quite limited, and often rejects
# legitimate requests from misconfigured proxies (such as mobile telcos).
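Review bot: The new allow-list line `config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u'] - ['img']` carries no comment explaining why `<img>` is stripped, and because this setting is application-wide, every `sanitize` call in the app loses image support, not only the message component exercised by the added spec. A short why-comment above the line would keep the next maintainer from re-adding the tag: `# <img> is dropped from the Rails defaults so that user-supplied content (e.g. message bodies) cannot embed images; see the Dossiers::MessageComponent spec.` It is also worth confirming that no other sanitized view depends on rendering images, since such a regression would not be caught by the new spec, and, if one exists, considering a per-call `tags:` allow-list for the message component instead of the global change.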


@ -16,6 +16,11 @@ RSpec.describe Dossiers::MessageComponent, type: :component do
it { is_expected.to have_button("Répondre") }
context 'escape <img> tag' do
before { commentaire.update(body: '<img src="demarches-simplifiees.fr" />Hello') }
it { is_expected.not_to have_selector('img[src="demarches-simplifiees.fr"]') }
end
context 'with a seen_at after commentaire created_at' do
let(:seen_at) { commentaire.created_at + 1.hour }