Merge pull request #8185 from mfo/US/sanitize-img

amelioration(sanitize): assainit aussi les balises <img>
This commit is contained in:
mfo 2022-12-01 17:58:49 +01:00 committed by GitHub
commit c0668f7d0e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 1 deletions


@ -41,7 +41,7 @@ module TPS
config.assets.precompile += ['.woff']
default_allowed_tags = ActionView::Base.sanitized_allowed_tags
config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u']
config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u'] - ['img']
# ActionDispatch's IP spoofing detection is quite limited, and often rejects
# legitimate requests from misconfigured proxies (such as mobile telcos).
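Review bot: The new allowed-tag expression on the changed line has no comment saying why `img` is subtracted, so a later reader cannot tell that it is a deliberate restriction on user-supplied HTML rather than a styling preference, and a future edit could reintroduce the tag. The commit title suggests the intent is to stop a message body from embedding an image the reader's browser would fetch on display; a why-comment above the line would record that, e.g. `# Drop <img> from user-supplied HTML: a message body must not embed a resource the reader's browser fetches on display (pinned by the Dossiers::MessageComponent spec).` It is also worth stating in the same comment that this only affects sanitize calls relying on the global default, since a call passing its own `tags:` list is not covered by this setting. The enclosing `module TPS` configure block continues outside the hunk.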


@ -16,6 +16,11 @@ RSpec.describe Dossiers::MessageComponent, type: :component do
it { is_expected.to have_button("Répondre") }
context 'escape <img> tag' do
before { commentaire.update(body: '<img src="demarches-simplifiees.fr" />Hello') }
it { is_expected.not_to have_selector('img[src="demarches-simplifiees.fr"]') }
end
context 'with a seen_at after commentaire created_at' do
let(:seen_at) { commentaire.created_at + 1.hour }