DEV: Sanitize HTML admin inputs (#14681)

* DEV: Sanitize HTML admin inputs This PR adds on-save HTML sanitization for: Client site settings translation overrides badges descriptions user fields descriptions I used Rails's SafeListSanitizer, which [accepts the following HTML tags and attributes](018cf54073/lib/rails/html/sanitizer.rb (L108)) * Make sure that the sanitization logic doesn't corrupt settings with special characters
2025-02-25 18:55:32 -06:00 · 2021-10-27 11:33:07 -03:00
parent 184ccf4490
commit df3eb93973
10 changed files with 104 additions and 10 deletions
--- a/spec/models/user_field_spec.rb
+++ b/spec/models/user_field_spec.rb
@@ -12,4 +12,13 @@ describe UserField do
    subject { described_class.new(field_type: 'dropdown') }
    it { is_expected.to validate_presence_of :name }
  end
+
+  it 'sanitizes the description' do
+    xss = "<b onmouseover=alert('Wufff!')>click me!</b><script>alert('TEST');</script>"
+    user_field = Fabricate(:user_field)
+
+    user_field.update!(description: xss)
+
+    expect(user_field.description).to eq("<b>click me!</b>alert('TEST');")
+  end
 end