From 2e03f77e4da37aded67030f1752d553dd2d879fc Mon Sep 17 00:00:00 2001
From: Simon Lehericey
Date: Wed, 12 Jul 2017 13:47:49 +0200
Subject: [PATCH 1/2] InfoDossier: avoid xss injection

---
 app/views/dossiers/_infos_dossier.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/dossiers/_infos_dossier.html.haml b/app/views/dossiers/_infos_dossier.html.haml
index f607632e6..4d286fec4 100644
--- a/app/views/dossiers/_infos_dossier.html.haml
+++ b/app/views/dossiers/_infos_dossier.html.haml
@@ -52,7 +52,7 @@
 - elsif champ.decorate.value == 'false'
 Non
 - else
- = champ.decorate.value.html_safe
+ = sanitize(champ.decorate.value)
 - if @facade.dossier.mandataire_social && gestionnaire_signed_in?
 .mandataire_social.text-success.center

From 35affd69fc8d11d14031afa061a4d268290b007d Mon Sep 17 00:00:00 2001
From: Simon Lehericey
Date: Wed, 12 Jul 2017 13:53:25 +0200
Subject: [PATCH 2/2] Commentaires: avoid xss injection

---
 app/views/dossiers/commentaires/_commentaire.html.haml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/dossiers/commentaires/_commentaire.html.haml b/app/views/dossiers/commentaires/_commentaire.html.haml
index b5c928460..7a94c0db6 100644
--- a/app/views/dossiers/commentaires/_commentaire.html.haml
+++ b/app/views/dossiers/commentaires/_commentaire.html.haml
@@ -2,7 +2,7 @@
 .comment-header
 = commentaire.header
 .content
- = commentaire.body.html_safe
+ = sanitize(commentaire.body)
 - if file = commentaire.piece_justificative
 .file
 = link_to file.content_url, class: 'link', target: '_blank' do
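Review bot: `sanitize(champ.decorate.value)` still renders the value as HTML through the Rails default allowlist, which is broader than this field likely needs; the same applies to `sanitize(commentaire.body)` in the second patch. If the decorated value is meant to be plain text, the stricter fix is to drop `.html_safe` entirely and let HAML escape it: `= champ.decorate.value`. If markup is genuinely intended here, pin the allowlist explicitly so a later change to the default does not widen it, e.g. `= sanitize(champ.decorate.value, tags: %w(b i u br p), attributes: [])`. The enclosing `- if`/`- elsif`/`- else` chain starts outside the hunk, so I cannot tell from here which other branches also emit user-supplied values.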
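Review bot: Neither patch carries a regression spec, so nothing prevents `.html_safe` from being reintroduced on `commentaire.body` or on the champ value in the first patch. A view spec that renders `_commentaire` with a body containing a `<script>` element and asserts the rendered output contains no `<script` would pin the sanitized behaviour; the same assertion on `_infos_dossier` covers the first hunk. Sanitizing at render time also has to be repeated in every partial that shows a comment body, so if the body is displayed elsewhere, sanitizing once on write (or in the decorator) would be a more durable place for it. Separately, the unchanged `link_to file.content_url, class: 'link', target: '_blank'` context line opens the attachment in a new window without `rel: 'noopener'`; whether that matters depends on whether `content_url` points at an origin you control, which is not visible here.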