sanitize attributes of a new content entry (protection)
did
committed Feb 20, 2015
commit 360e4a93196db4f3c6e51102289f141155952bd5
Showing 4
changed files with
25 additions
and 3 deletions
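--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -21,6 +21,7 @@ PATH
 rack-cache (~> 1.2)
 rack-rewrite (~> 1.5.1)
 rack_csrf (~> 2.5.0)
+sanitize (~> 3.1.0)
 sprockets (~> 2.12.3)
 sprockets-sass (~> 1.3.1)
 stringex (~> 2.5.2)
@@ -83,6 +84,7 @@ GEM
 simplecov (~> 0.9.1)
 term-ansicolor (~> 1.3)
 thor (~> 0.19.1)
+crass (1.0.1)
 daemons (1.1.9)
 debugger-linecache (1.2.0)
 diff-lcs (1.2.5)
@@ -133,6 +135,8 @@ GEM
 netrc (0.10.2)
 nokogiri (1.6.6.2)
 mini_portile (~> 0.6.0)
+nokogumbo (1.2.0)
+nokogiri
 pry (0.10.1)
 coderay (~> 1.1.0)
 method_source (~> 0.8.1)
@@ -175,6 +179,10 @@ GEM
 rspec-mocks (3.1.3)
 rspec-support (~> 3.1.0)
 rspec-support (3.1.2)
+sanitize (3.1.1)
+crass (~> 1.0.1)
+nokogiri (>= 1.4.4)
+nokogumbo (= 1.2.0)
 sass (3.4.12)
 simplecov (0.9.1)
 docile (~> 1.1.0)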
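--- a/lib/locomotive/steam/middlewares/entry_submission.rb
+++ b/lib/locomotive/steam/middlewares/entry_submission.rb
@@ -120,9 +120,7 @@ module Locomotive::Steam
 #
 #
 def create_entry(slug)
-attributes = HashConverter.to_sym(params[:entry] || params[:content] || {})
-
-if entry = services.entry_submission.submit(slug, attributes)
+if entry = services.entry_submission.submit(slug, entry_attributes)
 entry
 else
 raise %{Unknown content type "#{slug}"}
@@ -150,6 +148,10 @@ module Locomotive::Steam
 render_response(json, status, 'application/json')
 end
+def entry_attributes
+HashConverter.to_sym(params[:entry] || params[:content] || {})
+end
+
 end
 end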
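Review bot: The new `entry_attributes` method carries no header comment although the neighbouring methods in this file do (the two `#` lines above `create_entry` in the first hunk); suggest `# Attributes of the submitted entry, read from params[:entry] (or params[:content] as a fallback) and symbolized via HashConverter; {} when neither is present.` The method also assumes that whichever param is present is a Hash, and what `HashConverter.to_sym` does with a String value (a request sending `entry=foo`) is not visible here, so either a Hash check or a comment stating that assumption would help the next reader. Whether the method lands below a `private` marker, as the helper it replaces was, is outside the hunk.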
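--- a/lib/locomotive/steam/services/entry_submission.rb
+++ b/lib/locomotive/steam/services/entry_submission.rb
@@ -1,3 +1,5 @@
+require 'sanitize'
+
 module Locomotive
 module Steam
 module Services
@@ -11,6 +13,8 @@ module Locomotive
 return nil if type.nil?
+clean_attributes(attributes)
+
 build_entry(type, attributes) do |entry|
 if validate(entry)
 repository.persist(entry)
@@ -74,6 +78,13 @@ module Locomotive
 entry.errors.empty?
 end
+def clean_attributes(attributes)
+attributes.each do |key, value|
+next unless value.is_a?(String)
+attributes[key] = Sanitize.clean(value, Sanitize::Config::BASIC)
+end
+end
+
 end
 end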
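Review bot: `clean_attributes` skips every non-String value (`next unless value.is_a?(String)`), so an Array or nested Hash submitted for a field (a form posting `entry[tags][]=...` arrives as an Array of strings) reaches `build_entry` unsanitized; recursing into Array and Hash values closes that gap. The method also rewrites the caller's hash in place and its result is discarded at the call site in the second hunk, which the name does not signal — a `# Sanitizes String values of `attributes` in place.` comment above it would make that explicit. Whether the new method sits in the class's private section cannot be seen from this hunk; if `validate` just above it is private, `clean_attributes` should be too. Note that `Sanitize::Config::BASIC` entity-escapes `&`, `<` and `>` in plain text as well as stripping disallowed tags, so values meant as plain text (names, e-mail addresses) may come back altered, which is worth a comment or a per-field decision.
```ruby
def clean_attributes(attributes)
  attributes.each do |key, value|
    attributes[key] = clean_value(value)
  end
end

# Sanitizes a single value, recursing into Array and Hash so that
# multi-valued and nested fields are covered as well as plain Strings.
def clean_value(value)
  case value
  when String then Sanitize.clean(value, Sanitize::Config::BASIC)
  when Array  then value.map { |v| clean_value(v) }
  when Hash   then value.each { |k, v| value[k] = clean_value(v) }
  else value
  end
end
```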
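--- a/locomotivecms_steam.gemspec
+++ b/locomotivecms_steam.gemspec
@@ -21,6 +21,7 @@ Gem::Specification.new do |spec|
 spec.add_dependency 'activesupport', '~> 4.2.0'
 spec.add_dependency 'stringex', '~> 2.5.2'
+spec.add_dependency 'sanitize', '~> 3.1.0'
 spec.add_dependency 'morphine', '~> 0.1.1'
 spec.add_dependency 'httparty', '~> 0.13.3'
 spec.add_dependency 'chronic', '~> 0.10.2'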