Sanitize content in section and title presenters

refinery · Mar 4, 2016 · 8d27789 · 8d27789
1 parent 519b7ed
commit 8d27789
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/pages/app/presenters/refinery/pages/section_presenter.rb b/pages/app/presenters/refinery/pages/section_presenter.rb
@@ -11,6 +11,7 @@ module Pages
     # Sections may be hidden, in which case they wont display at all.
     class SectionPresenter
       include ActionView::Helpers::TagHelper
+      include ActionView::Helpers::SanitizeHelper
 
       def initialize(initial_hash = {})
         initial_hash.map do |key, value|
@@ -62,6 +63,10 @@ def html_from_fallback(can_use_fallback)
       attr_writer :id, :fallback_html, :hidden
 
       def wrap_content_in_tag(content)
+        content = sanitize(content,
+          tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS,
+          attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
+        )
         content_tag(:section, content_tag(:div, content, :class => 'inner'), :id => id)
       end
     end

diff --git a/pages/app/presenters/refinery/pages/title_section_presenter.rb b/pages/app/presenters/refinery/pages/title_section_presenter.rb
@@ -7,7 +7,7 @@ class TitleSectionPresenter < SectionPresenter
     private
 
       def wrap_content_in_tag(content)
-        content_tag(:h1, content, :id => id)
+        content_tag(:h1, sanitize(content), :id => id)
       end
     end
   end