[Fix #592] Convert html_safe to sanitize

2017-07-12 18:17:53 +02:00 · 2017-07-12 18:17:53 +02:00 · 4ae9d8ef0d
commit 4ae9d8ef0d
parent da7af28f9f
12 changed files with 17 additions and 15 deletions
--- a/app/decorators/champ_decorator.rb
+++ b/app/decorators/champ_decorator.rb
@ -14,6 +14,6 @@ class ChampDecorator < Draper::Decorator
  end

  def description_with_links
-    description.gsub(URI.regexp, '<a target="_blank" href="\0">\0</a>').html_safe if description
+    description.gsub(URI.regexp, '<a target="_blank" href="\0">\0</a>') if description
  end
 end
--- a/app/views/admin/pieces_justificatives/show.js.erb
+++ b/app/views/admin/pieces_justificatives/show.js.erb
@ -1,4 +1,4 @@
 <% flash.each do |type, message| %>
-$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= message.html_safe %></div>").children().fadeOut(5000)
+$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= sanitize(message) %></div>").children().fadeOut(5000)
 <%  end %>
 $('#piece_justificative_form').html("<%= escape_javascript(render partial: 'form', locals: { procedure: @procedure } ) %>");
--- a/app/views/admin/procedures/show.html.haml
+++ b/app/views/admin/procedures/show.html.haml
@ -60,7 +60,7 @@
        %h4.text-info
          = @facade.procedure.libelle

-        = h @facade.procedure.description.html_safe
+        = h sanitize(@facade.procedure.description)

      .champs.col-xs-6.col-md-3
        %h4.text-info
--- a/app/views/admin/procedures/transfer.js.erb
+++ b/app/views/admin/procedures/transfer.js.erb
@ -2,7 +2,7 @@
  transfer_errors_message(true);
 <%- else %>
  $("#main-container").prepend("<div class='row'><div id='flash_message'></div></div>");
-  $("#flash_message").prepend("<div class=\"alert alert-success\"> <%= flash.notice.html_safe %></div>");
+  $("#flash_message").prepend("<div class=\"alert alert-success\"> <%= sanitize(flash.notice) %></div>");
  <% flash.clear %>

  transfer_errors_message(false);
--- a/app/views/admin/types_de_champ/show.js.erb
+++ b/app/views/admin/types_de_champ/show.js.erb
@ -1,5 +1,5 @@
 <% flash.each do |type, message| %>
-$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= message.html_safe %></div>").children().fadeOut(5000)
+$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= sanitize(message) %></div>").children().fadeOut(5000)
 <%  end %>
 $('#liste-champ').html("<%= escape_javascript(render partial: 'admin/types_de_champ/form', locals: { procedure: @procedure, types_de_champ: @types_de_champ } ) %>");
 on_change_type_de_champ_select ();
--- a/app/views/backoffice/dossiers/formulaire_private.js.erb
+++ b/app/views/backoffice/dossiers/formulaire_private.js.erb
@ -1,4 +1,4 @@
 <% flash.each do |type, message| %>
-$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= message.html_safe %></div>").children().fadeOut(5000)
+$("#flash_message").html("<div class=\"alert alert-success move-up\" style=\"display: block:\"> <%= sanitize(message) %></div>").children().fadeOut(5000)
 <%  end %>
 <% flash.clear %>
--- a/app/views/dossiers/etapes/_etape1.html.haml
+++ b/app/views/dossiers/etapes/_etape1.html.haml
@ -16,7 +16,7 @@
        = @facade.procedure.libelle

      %p#description_procedure{ style: 'width: 95%;', class: (@facade.entreprise.nil? ? '' : 'mask') }
-        = h @facade.procedure.description.html_safe
+        = h sanitize(@facade.procedure.description)

        - unless @facade.procedure.lien_site_web.blank?
          .center
--- a/app/views/gestionnaire_mailer/last_week_overview.html.haml
+++ b/app/views/gestionnaire_mailer/last_week_overview.html.haml
@ -23,9 +23,10 @@
              dont <span style='font-weight: bold; color: #FF5D60; padding: 2px 0;' >#{procedure_overview.old_dossiers_en_construction.count}</span> depuis plus de 7 jours
              - if procedure_overview.old_dossiers_en_construction.count < 6
                \:
-                = procedure_overview.old_dossiers_en_construction.map do |old_dossier|
+                - old_dossiers_en_construction = procedure_overview.old_dossiers_en_construction.map do |old_dossier|
                  - link_to "nº #{old_dossier.id}", backoffice_dossier_url(old_dossier), style: 'color: #4393F3;'
-                - end.join(', ').html_safe
+                - end.join(', ')
+                = sanitize(old_dossiers_en_construction, attributes: %w(href style))

      - if procedure_overview.dossiers_en_instruction_count > 0
        %tr
@ -36,9 +37,10 @@
              dont <span style='font-weight: bold; color: #FF5D60; padding: 2px 0;' >#{procedure_overview.old_dossiers_en_instruction.count}</span> depuis plus de 7 jours
              - if procedure_overview.old_dossiers_en_instruction.count < 6
                \:
-                = procedure_overview.old_dossiers_en_instruction.map do |old_dossier|
+                - old_dossiers_en_instruction = procedure_overview.old_dossiers_en_instruction.map do |old_dossier|
                  - link_to "nº #{old_dossier.id}", backoffice_dossier_url(old_dossier), style: 'color: #4393F3;'
-                - end.join(', ').html_safe
+                - end.join(', ')
+                = sanitize(old_dossiers_en_instruction, attributes: %w(href style))

  - if index != (@args[:procedure_overviews].count - 1)
    .spacer{ style: 'border-bottom: 1px solid #CCC; margin: 25px 0 30px;' }
--- a/app/views/users/description/champs/_render_list_champs.html.haml
+++ b/app/views/users/description/champs/_render_list_champs.html.haml
@ -60,4 +60,4 @@

          - unless champ.description.empty?
            %div{ id: "description_champs_#{champ.id}", class: ('help-block' unless champ.type_champ == 'engagement') }
-              = champ.description_with_links
+              = sanitize(champ.description_with_links, attributes: %w(href target))
--- a/app/views/users/sessions/_resume_procedure.html.haml
+++ b/app/views/users/sessions/_resume_procedure.html.haml
@ -13,7 +13,7 @@
      %h2#titre-procedure.text-info
        = @dossier.procedure.libelle
      %p.procedure-description
-        = h @dossier.procedure.description.html_safe
+        = h sanitize(@dossier.procedure.description)

 - else
  #logo_procedure.flag
--- a/app/views/users/sessions/new.html.haml
+++ b/app/views/users/sessions/new.html.haml
@ -20,7 +20,7 @@
        %h2.procedure-title
          = @dossier.procedure.libelle
        %p.procedure-description
-          = h @dossier.procedure.description.html_safe
+          = h sanitize(@dossier.procedure.description)

    .column.auth-form
      = form_for @user, url: user_session_path, html: { class: "form" } do |f|
--- a/app/views/users/siret/_pro.html.haml
+++ b/app/views/users/siret/_pro.html.haml
@ -6,7 +6,7 @@
    = @procedure.libelle

  %p
-    = @procedure.description.html_safe
+    = sanitize(@procedure.description)

  %br
  = form_tag(url_for({ controller: :dossiers, action: :create }), class: 'form-inline', method: 'POST') do |f|