fix: allow a tag in various admin text

2023-02-03 15:17:12 +01:00 · 2023-02-03 15:17:12 +01:00 · a1487e9923
commit a1487e9923
parent 4f0f221e46
7 changed files with 25 additions and 9 deletions
--- a/app/components/editable_champ/champ_label_component/champ_label_component.html.haml
+++ b/app/components/editable_champ/champ_label_component/champ_label_component.html.haml
@ -7,4 +7,4 @@
    = render EditableChamp::ChampLabelContentComponent.new champ: @champ, seen_at: @seen_at

 - if @champ.description.present?
-  .notice{ id: @champ.describedby_id }= string_to_html(@champ.description)
+  .notice{ id: @champ.describedby_id }= string_to_html(@champ.description, allow_a: true)
--- a/app/components/editable_champ/editable_champ_component/editable_champ_component.html.haml
+++ b/app/components/editable_champ/editable_champ_component/editable_champ_component.html.haml
@ -2,7 +2,7 @@
  - if @champ.block?
    %h3.header-subsection= @champ.libelle
    - if @champ.description.present?
-      %p.notice= string_to_html(@champ.description, false)
+      %p.notice= string_to_html(@champ.description, false, allow_a: true)

  - elsif has_label?(@champ)
    = render EditableChamp::ChampLabelComponent.new form: @form, champ: @champ, seen_at: @seen_at
--- a/app/components/editable_champ/explication_component/explication_component.html.haml
+++ b/app/components/editable_champ/explication_component/explication_component.html.haml
@ -1,7 +1,7 @@
 = render Dsfr::CalloutComponent.new(title: @champ.libelle, extra_class_names: ['fr-mb-2w', 'fr-callout--blue-cumulus']) do |c|
  - c.with_body do

-    = string_to_html(@champ.description)
+    = string_to_html(@champ.description, allow_a: true)

    - if @champ.collapsible_explanation_enabled? && @champ.collapsible_explanation_text.present?
      %div
--- a/app/components/editable_champ/linked_drop_down_list_component/linked_drop_down_list_component.html.haml
+++ b/app/components/editable_champ/linked_drop_down_list_component/linked_drop_down_list_component.html.haml
@ -8,7 +8,7 @@
    = @form.label :secondary_value, for: "#{@champ.input_id}-secondary" do
      - sanitize((@champ.drop_down_secondary_libelle.presence || "Valeur secondaire dépendant de la première") + (@champ.type_de_champ.mandatory? ? tag.span(' *', class: 'mandatory') : ''))
    - if @champ.drop_down_secondary_description.present?
-      .notice{ id: "#{@champ.describedby_id}-secondary" }= string_to_html(@champ.drop_down_secondary_description)
+      .notice{ id: "#{@champ.describedby_id}-secondary" }= string_to_html(@champ.drop_down_secondary_description, allow_a: true)
    = @form.select :secondary_value,
      @champ.secondary_options[@champ.primary_value],
      {},
--- a/app/helpers/string_to_html_helper.rb
+++ b/app/helpers/string_to_html_helper.rb
@ -1,8 +1,15 @@
 module StringToHtmlHelper
-  def string_to_html(str, wrapper_tag = 'p')
+  def string_to_html(str, wrapper_tag = 'p', allow_a: false)
    return nil if str.blank?
    html_formatted = simple_format(str, {}, { wrapper_tag: wrapper_tag })
    with_links = Anchored::Linker.auto_link(html_formatted, target: '_blank', rel: 'noopener')
-    sanitize(with_links, attributes: ['target', 'rel', 'href'])
+
+    tags = if allow_a
+      Rails.configuration.action_view.sanitized_allowed_tags + ['a']
+    else
+      Rails.configuration.action_view.sanitized_allowed_tags
+    end
+
+    sanitize(with_links, tags:, attributes: ['target', 'rel', 'href'])
  end
 end
--- a/app/views/shared/_procedure_description.html.haml
+++ b/app/views/shared/_procedure_description.html.haml
@ -23,5 +23,5 @@

 .procedure-description
  .procedure-description-body.read-more-enabled.read-more-collapsed
-    = h string_to_html(procedure.description)
+    = h string_to_html(procedure.description, allow_a: true)
  = button_tag "Afficher la description complète", class: 'button read-more-button'
--- a/spec/helpers/string_to_html_helper_spec.rb
+++ b/spec/helpers/string_to_html_helper_spec.rb
@ -1,6 +1,7 @@
 RSpec.describe StringToHtmlHelper, type: :helper do
  describe "#string_to_html" do
-    subject { string_to_html(description) }
+    let(:allow_a) { false }
+    subject { string_to_html(description, allow_a:) }

    context "with some simple texte" do
      let(:description) { "1er ligne \n 2ieme ligne" }
@ -11,7 +12,15 @@ RSpec.describe StringToHtmlHelper, type: :helper do
    context "with a link" do
      context "using an authorized scheme" do
        let(:description) { "Cliquez sur https://d-s.fr pour continuer." }
-        it { is_expected.to eq("<p>Cliquez sur <a href=\"https://d-s.fr\" target=\"_blank\" rel=\"noopener\">https://d-s.fr</a> pour continuer.</p>") }
+
+        context 'with a tag authorized' do
+          let(:allow_a) { true }
+          it { is_expected.to eq("<p>Cliquez sur <a href=\"https://d-s.fr\" target=\"_blank\" rel=\"noopener\">https://d-s.fr</a> pour continuer.</p>") }
+        end
+
+        context 'without a tag' do
+          it { is_expected.to eq("<p>Cliquez sur https://d-s.fr pour continuer.</p>") }
+        end
      end

      context "using a non-authorized scheme" do