amelioration(sanitize): assainie aussi les balises <img>

2022-12-01 17:36:53 +01:00 · 2022-12-01 17:36:53 +01:00 · 235da8b04a
commit 235da8b04a
parent 13e5d6bb0d
2 changed files with 6 additions and 1 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -41,7 +41,7 @@ module TPS
    config.assets.precompile += ['.woff']

    default_allowed_tags = ActionView::Base.sanitized_allowed_tags
-    config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u']
+    config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u'] - ['img']

    # ActionDispatch's IP spoofing detection is quite limited, and often rejects
    # legitimate requests from misconfigured proxies (such as mobile telcos).
--- a/spec/components/dossiers/message_component_spec.rb
+++ b/spec/components/dossiers/message_component_spec.rb
@ -16,6 +16,11 @@ RSpec.describe Dossiers::MessageComponent, type: :component do

  it { is_expected.to have_button("Répondre") }

+  context 'escape <img> tag' do
+    before { commentaire.update(body: '<img src="demarches-simplifiees.fr" />Hello') }
+    it { is_expected.not_to have_selector('img[src="demarches-simplifiees.fr"]') }
+  end
+
  context 'with a seen_at after commentaire created_at' do
    let(:seen_at) { commentaire.created_at + 1.hour  }