fix for Issue #2: internal Rails ActiveRecord::Base subclasses get lo…

…aded before the plugin and thus do not have xss_terminate_options set. Return early from sanitize_fields in this case git-svn-id: http://xssterminate.googlecode.com/svn/trunk/xss_terminate@7 503a6658-bc44-0410-a8bd-599819d3de0a
jasherai · Jun 2, 2008 · 974c5bf · 974c5bf
1 parent 50ab117
commit 974c5bf
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 1 deletion.
diff --git a/lib/xss_terminate.rb b/lib/xss_terminate.rb
@@ -22,8 +22,12 @@ def xss_terminate(options = {})
   end
 
   module InstanceMethods
-        
+
     def sanitize_fields
+      # fix a bug with Rails internal AR::Base models that get loaded before
+      # the plugin, like CGI::Sessions::ActiveRecordStore::Session
+      return if xss_terminate_options.nil?
+
       self.class.columns.each do |column|
         next unless (column.type == :string || column.type == :text)
 

diff --git a/test/schema.rb b/test/schema.rb
@@ -31,4 +31,10 @@
     t.column :person_id, :integer
     t.column :created_on, :datetime
   end
+
+  create_table :sessions, :force => true do |t|
+    t.string :session_id, :null => false
+    t.text :data
+    t.timestamps
+  end
 end
diff --git a/test/xss_terminate_test.rb b/test/xss_terminate_test.rb
@@ -55,5 +55,13 @@ def test_nil_attributes_should_be_allowed_with_html5
     assert_nil review.title
     assert_nil review.body
   end
+
+  # issue reported by Garrett Dimon and jmcnevin
+  def test_active_record_session_store_does_not_cause_nil_exception
+    assert_nil CGI::Session::ActiveRecordStore::Session.xss_terminate_options
+
+    session = CGI::Session::ActiveRecordStore::Session.new(:session_id => 'foo', :data => 'blah')
+    assert session.save
+  end
 
 end