Sanitize address inputs (#7576)

decidim · Mar 10, 2021 · a693b42 · a693b42
1 parent f077003
commit a693b42
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 25 deletions.
diff --git a/decidim-core/app/cells/decidim/address/details.erb b/decidim-core/app/cells/decidim/address/details.erb
@@ -1,7 +1,7 @@
-<% if model.respond_to? :location %>
-  <strong><%= translated_attribute model.location %></strong><br>
+<% if has_location? %>
+  <strong><%= location %></strong><br>
 <% end %>
-<span><%= model.address %></span><br>
-<% if model.respond_to? :location_hints %>
-  <span><%= translated_attribute model.location_hints %></span>
+<span><%= address %></span><br>
+<% if has_location_hints? %>
+  <span><%= location_hints %></span>
 <% end %>
diff --git a/decidim-core/app/cells/decidim/address_cell.rb b/decidim-core/app/cells/decidim/address_cell.rb
@@ -5,11 +5,32 @@ module Decidim
   class AddressCell < Decidim::ViewModel
     include Cell::ViewModel::Partial
     include LayoutHelper
+    include Decidim::SanitizeHelper
 
     def details
       render
     end
 
+    def has_location?
+      model.respond_to?(:location)
+    end
+
+    def has_location_hints?
+      model.respond_to?(:location_hints)
+    end
+
+    def location_hints
+      decidim_sanitize(translated_attribute(model.location_hints))
+    end
+
+    def location
+      decidim_sanitize(translated_attribute(model.location))
+    end
+
+    def address
+      decidim_sanitize(translated_attribute(model.address))
+    end
+
     private
 
     def resource_icon

diff --git a/decidim-core/spec/cells/decidim/address_cell_spec.rb b/decidim-core/spec/cells/decidim/address_cell_spec.rb
@@ -6,33 +6,30 @@
   subject { my_cell.call }
 
   let(:my_cell) { cell("decidim/address", model) }
-  let(:address) { "Carrer de Pepe Rubianes, 1" }
+  let(:address_text) { "Foo bar Street, 1" }
+  let(:js_alert) { "<script>alert(1)</script>" }
+  let(:address) { "#{address_text}#{js_alert}" }
   let(:latitude) { 41.378481 }
   let(:longitude) { 2.1879618 }
   let(:model) { create(:dummy_resource, address: address, latitude: latitude, longitude: longitude) }
+  let(:hint_text) { "Lorem ipsum dolor sit amet consectetur" }
+  let(:location_hints) { "#{hint_text}#{js_alert}" }
+  let(:location_text) { "This is my location" }
+  let(:location) { "#{location_text}#{js_alert}" }
 
   let(:icondata_address) { subject.find(".card__icondata--address") }
 
-  context "when rendering a model with address" do
-    it "renders a resource address" do
-      expect(icondata_address).to have_content(model.address)
-      expect(icondata_address).to have_no_content(model.latitude)
-      expect(icondata_address).to have_no_content(model.longitude)
-    end
+  before do
+    allow(model).to receive(:location_hints).and_return location_hints
+    allow(model).to receive(:location).and_return location
   end
 
-  context "when rendering a model with location hints" do
-    let(:location_hints) { "Lorem ipsum dolor sit amet consectetur" }
-
-    before do
-      allow(model).to receive(:location_hints).and_return location_hints
-    end
-
-    it "renders a resource location_hints" do
-      expect(icondata_address).to have_content(model.address)
-      expect(icondata_address).to have_content(model.location_hints)
-      expect(icondata_address).to have_no_content(model.latitude)
-      expect(icondata_address).to have_no_content(model.longitude)
-    end
+  it "renders a resource address and related fields" do
+    expect(icondata_address).to have_content(address_text)
+    expect(icondata_address).to have_content(hint_text)
+    expect(icondata_address).to have_content(location_text)
+    expect(icondata_address.to_s).not_to match("<script>")
+    expect(icondata_address).to have_no_content(model.latitude)
+    expect(icondata_address).to have_no_content(model.longitude)
   end
 end