Merge pull request #590 from sgmap/fix_injection

Fix injection
2017-07-12 15:13:29 +02:00 · 2017-07-12 15:13:29 +02:00 · 77f5e761c4
commit 77f5e761c4
parent 7c3b9ecfa9 35affd69fc
2 changed files with 2 additions and 2 deletions
--- a/app/views/dossiers/_infos_dossier.html.haml
+++ b/app/views/dossiers/_infos_dossier.html.haml
@ -52,7 +52,7 @@
                  - elsif champ.decorate.value == 'false'
                    Non
                - else
-                  = champ.decorate.value.html_safe
+                  = sanitize(champ.decorate.value)

    - if @facade.dossier.mandataire_social && gestionnaire_signed_in?
      .mandataire_social.text-success.center
--- a/app/views/dossiers/commentaires/_commentaire.html.haml
+++ b/app/views/dossiers/commentaires/_commentaire.html.haml
@ -2,7 +2,7 @@
  .comment-header
    = commentaire.header
  .content
-    = commentaire.body.html_safe
+    = sanitize(commentaire.body)
  - if file = commentaire.piece_justificative
    .file
      = link_to file.content_url, class: 'link', target: '_blank' do