From 8d2778944572162be6eef8811c17be28a2cb374f Mon Sep 17 00:00:00 2001
From: Brice Sanchez
Date: Thu, 3 Mar 2016 23:38:53 -0500
Subject: [PATCH] Sanitize content in section and title presenters

---
 pages/app/presenters/refinery/pages/section_presenter.rb | 5 +++++
 .../app/presenters/refinery/pages/title_section_presenter.rb | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/pages/app/presenters/refinery/pages/section_presenter.rb b/pages/app/presenters/refinery/pages/section_presenter.rb
index 4f344f9f68..d81df13c53 100644
--- a/pages/app/presenters/refinery/pages/section_presenter.rb
+++ b/pages/app/presenters/refinery/pages/section_presenter.rb
@@ -11,6 +11,7 @@ module Pages
 # Sections may be hidden, in which case they wont display at all.
 class SectionPresenter
 include ActionView::Helpers::TagHelper
+ include ActionView::Helpers::SanitizeHelper
 
 def initialize(initial_hash = {})
 initial_hash.map do |key, value|
@@ -62,6 +63,10 @@ def html_from_fallback(can_use_fallback)
 attr_writer :id, :fallback_html, :hidden
 
 def wrap_content_in_tag(content)
+ content = sanitize(content,
+ tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS,
+ attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
+ )
 content_tag(:section, content_tag(:div, content, :class => 'inner'), :id => id)
 end
 end
diff --git a/pages/app/presenters/refinery/pages/title_section_presenter.rb b/pages/app/presenters/refinery/pages/title_section_presenter.rb
index 3afe25413a..610e999c4a 100644
--- a/pages/app/presenters/refinery/pages/title_section_presenter.rb
+++ b/pages/app/presenters/refinery/pages/title_section_presenter.rb
@@ -7,7 +7,7 @@ class TitleSectionPresenter < SectionPresenter
 private
 
 def wrap_content_in_tag(content)
- content_tag(:h1, content, :id => id)
+ content_tag(:h1, sanitize(content), :id => id)
 end
 end
 end
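Review bot: The allowlist handed to `sanitize` in `SectionPresenter#wrap_content_in_tag` is far broader than the Rails default that the `TitleSectionPresenter` override in the title_section_presenter.rb hunk relies on, and nothing in either hunk records why the two policies differ. If I recall Loofah's `ALLOWED_ELEMENTS`/`ALLOWED_ATTRIBUTES` correctly they admit form controls (`form`, `input`, `button`, `select`, `textarea`) and attributes such as `action`, `method`, `style` and `target`, so an editor can place a working form inside a section; that is probably acceptable for CMS-authored content, but it is a policy decision that should be written down rather than implied by two constant names. I would hoist the options into one frozen class-level policy, `SANITIZE_OPTIONS = { tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS, attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES }.freeze`, preceded by a comment along the lines of `# Sections carry editor-authored rich HTML (tables, media, forms), so the wide Loofah list is used; script elements, on* handlers and non-allowlisted URL schemes are still dropped by the sanitizer`, and call `sanitize(content, SANITIZE_OPTIONS)` so the subclass can share or deliberately narrow the same policy.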
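Review bot: `sanitize` in this override of `wrap_content_in_tag` resolves only because the parent `SectionPresenter` gains `include ActionView::Helpers::SanitizeHelper` in the other file of this commit, and this file shows neither that dependency nor that the call deliberately uses the Rails default allowlist instead of the parent's options. A one-line comment above the call would spare the next reader a search, e.g. `# sanitize is provided by SanitizeHelper (included in SectionPresenter); the default allowlist is used here since a title should only hold inline markup`, assuming that narrowing is the intent rather than an oversight. The enclosing class begins outside the hunk.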