fix xss vulnerability in projects

2024-11-29 10:24:20 +01:00 · 2022-07-27 10:28:58 +02:00 · 2022-07-27 10:28:58 +02:00 · e4fb068c12
commit e4fb068c12
parent eb83dbf798
2 changed files with 5 additions and 2 deletions
--- a/app/views/api/projects/show.json.jbuilder
+++ b/app/views/api/projects/show.json.jbuilder
@ -1,6 +1,7 @@
 # frozen_string_literal: true

-json.extract! @project, :id, :name, :description, :tags, :created_at, :updated_at, :licence_id, :slug
+json.extract! @project, :id, :name, :tags, :created_at, :updated_at, :licence_id, :slug
+json.description sanitize(@project.description)
 json.author_id @project.author.user_id
 json.project_image @project.project_image.attachment.large.url if @project.project_image
 json.project_full_image @project.project_image.attachment.url if @project.project_image
@ -56,7 +57,7 @@ json.project_users @project.project_users do |pu|
 end
 json.project_steps_attributes @project.project_steps.order('project_steps.step_nb ASC') do |s|
  json.id s.id
-  json.description s.description
+  json.description sanitize(s.description)
  json.title s.title
  json.project_step_images_attributes s.project_step_images.order('created_at ASC') do |si|
    json.id si.id
--- a/config/application.rb
+++ b/config/application.rb
@ -74,6 +74,8 @@ module Fablab

    FabManager.activate_plugins!

+    config.action_view.sanitized_allowed_tags = %w(a acronym hr pre table b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p image iframe)
+
    config.after_initialize do
      plugins = FabManager.plugins
      plugins&.each(&:notify_after_initialize)