Fix proposal etiquette and length validator with base64 images (#9639)

* Fix proposal etiquette and length validator with base64 images * Use strip_tags instead of nokogiri not to include hidden content Content e.g. in `<script>` tags should be automatically hidden, so this should not be included in the validation either. * Fix the expected base64 mime types
decidim · Oct 28, 2022 · e4f4721 · e4f4721
1 parent 540e5d8
commit e4f4721
Show file tree

Hide file tree

Showing 4 changed files with 79 additions and 5 deletions.
diff --git a/decidim-core/app/validators/etiquette_validator.rb b/decidim-core/app/validators/etiquette_validator.rb
@@ -3,12 +3,16 @@
 # This validator takes care of ensuring the validated content is
 # respectful, doesn't use caps, and overall is meaningful.
 class EtiquetteValidator < ActiveModel::EachValidator
+  include ActionView::Helpers::SanitizeHelper
+
   def validate_each(record, attribute, value)
     return if value.blank?
 
-    validate_caps(record, attribute, value)
-    validate_marks(record, attribute, value)
-    validate_caps_first(record, attribute, value)
+    text_value = strip_tags(value)
+
+    validate_caps(record, attribute, text_value)
+    validate_marks(record, attribute, text_value)
+    validate_caps_first(record, attribute, text_value)
   end
 
   private

diff --git a/decidim-core/spec/validators/etiquette_validator_spec.rb b/decidim-core/spec/validators/etiquette_validator_spec.rb
@@ -81,4 +81,19 @@ def self.model_name
       it { is_expected.to be_valid }
     end
   end
+
+  context "when the text is written in HTML" do
+    let(:body) do
+      data = File.read(Decidim::Dev.asset("avatar.jpg"))
+      encoded = Base64.encode64(data)
+
+      <<~HTML
+        <p>Text before the image.</p>
+        <p><img src="data:image/jpeg;base64,#{encoded.strip}"></p>
+        <p>Some other text after the image.</p>
+      HTML
+    end
+
+    it { is_expected.to be_valid }
+  end
 end
diff --git a/decidim-proposals/app/validators/proposal_length_validator.rb b/decidim-proposals/app/validators/proposal_length_validator.rb
@@ -5,11 +5,14 @@
 # allows the minimum and maximum values to be lambdas allowing us to fetch the
 # maximum length dynamically for each proposals component.
 class ProposalLengthValidator < ActiveModel::EachValidator
+  include ActionView::Helpers::SanitizeHelper
+
   def validate_each(record, attribute, value)
     return if value.blank?
 
-    validate_min_length(record, attribute, value)
-    validate_max_length(record, attribute, value)
+    text_value = strip_tags(value)
+    validate_min_length(record, attribute, text_value)
+    validate_max_length(record, attribute, text_value)
   end
 
   private

diff --git a/decidim-proposals/spec/validators/proposal_length_validator_spec.rb b/decidim-proposals/spec/validators/proposal_length_validator_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+describe ProposalLengthValidator do
+  subject { validatable.new(body:) }
+
+  let(:validatable) do
+    Class.new do
+      def self.model_name
+        ActiveModel::Name.new(self, nil, "Validatable")
+      end
+
+      include Decidim::AttributeObject::Model
+      include ActiveModel::Validations
+
+      attribute :body
+
+      validates :body, proposal_length: {
+        minimum: 15,
+        maximum: ->(_record) { 100 }
+      }
+    end
+  end
+
+  context "when the text is too short" do
+    let(:body) { "Lorem ipsum d" }
+
+    it { is_expected.to be_invalid }
+  end
+
+  context "when the text is too long" do
+    let(:body) { "a" * 101 }
+
+    it { is_expected.to be_invalid }
+  end
+
+  context "when the text is written in HTML" do
+    let(:body) do
+      data = File.read(Decidim::Dev.asset("avatar.jpg"))
+      encoded = Base64.encode64(data)
+
+      <<~HTML
+        <p>Text before the image.</p>
+        <p><img src="data:image/jpeg;base64,#{encoded.strip}"></p>
+        <p>Some other text after the image.</p>
+      HTML
+    end
+
+    it { is_expected.to be_valid }
+  end
+end