Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove vulnerability xss hack #3030

Merged
merged 24 commits into from Sep 27, 2021
Merged

Remove vulnerability xss hack #3030

merged 24 commits into from Sep 27, 2021

Conversation

martaribeiro
Copy link
Contributor

Fixes # https://github.com/DigitalCurationCentre/DMPonline-Service/issues/603.

Changes proposed in this PR:
Callback was added to user and plan models. 'before_save' was added with a function sanitise a number of field before data was saved into the db

briri
briri requested changes Sep 21, 2021
View reviewed changes
Copy link
Contributor

@briri briri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tackling this one @martaribeiro.

I think it would good to move this into the base application_record.rb file that all of the models inherit from. Something like:

class ApplicationRecord < ActiveRecord::Base

   #  other existing methods

   def sanitize_fields(*attrs)
     attrs.each do |attr| 
       self.send("#{attr.to_s}=", ActionController::Base.helpers.sanitize(self.send(attr)))
     end
   end

Then, in the models you can do something like:
before_save sanitize_fields(:title, :funder_name, :grant_number, :identifier, :description)

@briri
Copy link
Contributor

briri commented Sep 27, 2021

was out of sync with development so rebased via GitHub

@briri briri merged commit 7a97355 into DMPRoadmap:development Sep 27, 2021
@pherterich pherterich added this to Ready to Release in Current sprint Sep 29, 2021
@briri briri mentioned this pull request Sep 29, 2021
Merged
@briri briri removed this from Ready to Release in Current sprint Oct 1, 2021
@briri briri mentioned this pull request Oct 1, 2021
Merged
portagenetwork pushed a commit to portagenetwork/roadmap that referenced this pull request Feb 24, 2022
@briri
Merge pull request DMPRoadmap#3030 from DigitalCurationCentre/remove_…
27fc46d 
…vulnerability_XSS_hack

Remove vulnerability xss hack
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briri briri briri approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@martaribeiro @briri @raycarrick-ed