From 8f6a8ed106bd9fc8e74627bd6a0a330683c9188e Mon Sep 17 00:00:00 2001
From: Brice Sanchez
Date: Thu, 3 Mar 2016 23:38:53 -0500
Subject: [PATCH] Sanitize content in section and title presenters
---
 pages/app/presenters/refinery/pages/section_presenter.rb | 5 +++++
 .../app/presenters/refinery/pages/title_section_presenter.rb | 1 +
 2 files changed, 6 insertions(+)
diff --git a/pages/app/presenters/refinery/pages/section_presenter.rb b/pages/app/presenters/refinery/pages/section_presenter.rb
index 4f344f9f68..d81df13c53 100644
--- a/pages/app/presenters/refinery/pages/section_presenter.rb
+++ b/pages/app/presenters/refinery/pages/section_presenter.rb
@@ -11,6 +11,7 @@ module Pages
 # Sections may be hidden, in which case they wont display at all.
 class SectionPresenter
 include ActionView::Helpers::TagHelper
+ include ActionView::Helpers::SanitizeHelper
 def initialize(initial_hash = {})
 initial_hash.map do |key, value|
@@ -62,6 +63,10 @@ def html_from_fallback(can_use_fallback)
 attr_writer :id, :fallback_html, :hidden
 def wrap_content_in_tag(content)
+ content = sanitize(content, tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS, attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES )
 content_tag(:section, content_tag(:div, content, :class => 'inner'), :id => id)
 end
 end
diff --git a/pages/app/presenters/refinery/pages/title_section_presenter.rb b/pages/app/presenters/refinery/pages/title_section_presenter.rb
index 3afe25413a..18b0df6a96 100644
--- a/pages/app/presenters/refinery/pages/title_section_presenter.rb
+++ b/pages/app/presenters/refinery/pages/title_section_presenter.rb
@@ -7,6 +7,7 @@ class TitleSectionPresenter < SectionPresenter
 private
 def wrap_content_in_tag(content)
+ content = sanitize(content)
 content_tag(:h1, content, :id => id)
 end
 end
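Review bot: The allow-list handed to `sanitize` in `SectionPresenter#wrap_content_in_tag` is Loofah's complete HTML5 element and attribute set, which is far broader than the Rails default that the subclass in title_section_presenter.rb relies on — it still admits `form`, `input`, `button`, `select`, `textarea` and the SVG/MathML elements, so a sanitized section body can carry interactive markup, and the host application's `sanitized_allowed_tags`/`sanitized_allowed_attributes` configuration is bypassed for bodies while it governs titles. If that breadth is intentional (editor-produced content needs those elements), state it in a comment and hoist the options into a class constant the subclass can reuse, e.g. `SANITIZE_OPTIONS = { tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS, attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES }.freeze` and `content = sanitize(content, **SANITIZE_OPTIONS)`; otherwise drop the explicit lists so both presenters follow one Rails-configured policy. Whether URI-valued attributes (`href`, `src`) and `style` are still protocol- and CSS-scrubbed when explicit lists are supplied depends on the rails-html-sanitizer version the project pins, which is not visible here, so a spec asserting that a non-http(s) URL scheme in `href` is removed from section output would pin that down.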
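Review bot: `sanitize(content)` in `TitleSectionPresenter#wrap_content_in_tag` applies the Rails default allow-list, which still admits inline elements such as `a` with `href` inside the `<h1>`, and it is a different policy from the explicit Loofah lists the parent class passes in section_presenter.rb, so the same content survives differently depending on which presenter renders it. If titles are expected to be plain text, a narrower call such as `content = sanitize(content, tags: [], attributes: [])` documents that intent directly while keeping the html_safe return that `content_tag` expects; either way a one-line comment naming the intended policy, `# titles use the Rails default allow-list; section bodies use Loofah's full list`, would help the next reader. Because the default list is whatever the host application configures, the effective title policy is presumably acceptable but worth confirming against the parent class's choice.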