amelioration(sanitize): assainie aussi les balises <img>
This commit is contained in:
parent
13e5d6bb0d
commit
235da8b04a
2 changed files with 6 additions and 1 deletions
@ -41,7 +41,7 @@ module TPS
config.assets.precompile += ['.woff']
default_allowed_tags = ActionView::Base.sanitized_allowed_tags
config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u']
config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u'] - ['img']
|
# ActionDispatch's IP spoofing detection is quite limited, and often rejects
# legitimate requests from misconfigured proxies (such as mobile telcos).
|
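Review bot: The `- ['img']` appended to the sanitized_allowed_tags line carries no comment saying why images are dropped from the allowlist, so the next person editing this line cannot tell a deliberate hardening from a leftover. Because it sets the ActionView-wide default, it presumably affects every `sanitize` call in the application and not only the message component the accompanying spec covers, which is worth stating at the point of configuration. I would add above the line: `# Strip <img> from user-supplied HTML: the Rails default allows it, and an image in a message makes every reader's browser fetch a URL chosen by the author.` The enclosing `module TPS` application configuration starts outside the hunk.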
@ -16,6 +16,11 @@ RSpec.describe Dossiers::MessageComponent, type: :component do
it { is_expected.to have_button("Répondre") }
|
context 'escape <img> tag' do
before { commentaire.update(body: '<img src="demarches-simplifiees.fr" />Hello') }
it { is_expected.not_to have_selector('img[src="demarches-simplifiees.fr"]') }
end
|
context 'with a seen_at after commentaire created_at' do
let(:seen_at) { commentaire.created_at + 1.hour }
|
|
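Review bot: The new `escape <img> tag` context only asserts the absence of an `img` whose src equals the fixture value, which would also pass if the component rendered nothing at all or if the sanitizer merely rewrote the attribute. A positive assertion on the surviving text, `it { is_expected.to have_text('Hello') }`, together with a broader negative, `it { is_expected.not_to have_selector('img') }`, would pin the intended behaviour: the tag is removed and the rest of the message body is still shown. The surrounding `RSpec.describe` block and the `commentaire` and `seen_at` lets start outside the hunk.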