Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ADD: Comment HTML sanitization and tests for it #7282

Merged
merged 1 commit into from
Jan 18, 2020
Merged

ADD: Comment HTML sanitization and tests for it #7282

merged 1 commit into from
Jan 18, 2020

Conversation

VladimirMikulic
Copy link
Contributor

@VladimirMikulic VladimirMikulic commented Jan 17, 2020
edited
Loading

This PR resolves 2 other PRs, they are closely related so I didn't want to separate them.

I've added HTML sanitization as explained in the comments.

   allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br...)

   # Sanitize the HTML (remove malicious attributes, unallowed tags...)
   sanitized_body = ActionController::Base.helpers.sanitize(body, tags: allowed_tags)

   # Properly parse HTML (close incomplete tags...)
   Nokogiri::HTML::DocumentFragment.parse(sanitized_body).to_html

There is no need to specify allowed attributes because .sanitize automatically strips malicious attributes.

Unit tests:

  • "sanitizing comment body for XSS"
  • "should close incomplete tags"

Demo

Resolves #3630 & #3553

@VladimirMikulic VladimirMikulic requested a review from a team as a code owner January 17, 2020 18:39
@codecov
Copy link

codecov bot commented Jan 17, 2020
edited
Loading

Codecov Report

Merging #7282 into master will increase coverage by 0.04%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #7282      +/-   ##
==========================================
+ Coverage   81.56%   81.61%   +0.04%     
==========================================
  Files          97       97              
  Lines        5599     5601       +2     
==========================================
+ Hits         4567     4571       +4     
+ Misses       1032     1030       -2
Impacted Files Coverage Δ
app/models/comment.rb 76.95% <100%> (+0.16%) ⬆️
app/controllers/users_controller.rb 81.69% <0%> (+0.35%) ⬆️
app/models/spamaway.rb 94.87% <0%> (+2.56%) ⬆️

@VladimirMikulic
ADD: Comment HTML sanitization and tests for it
5bf711c 
Unit tests:
 - "sanitizing comment body for XSS"
 - "should close incomplete tags"

Resolves #3630 #3553
@VladimirMikulic
Copy link
Contributor Author

VladimirMikulic commented Jan 17, 2020
edited
Loading

It's also nice to see that my optimization works. 9min 48secs system tests time.

@jywarren
Copy link
Member

this is really well done! Thank you, @VladimirMikulic !! 🎉

@jywarren jywarren merged commit a364357 into publiclab:master Jan 18, 2020
@SidharthBansal
Copy link
Member

SidharthBansal commented Jan 18, 2020 via email

@VladimirMikulic VladimirMikulic mentioned this pull request Jan 19, 2020
Closed
NitinBhasneria pushed a commit to NitinBhasneria/plots2 that referenced this pull request Jan 21, 2020
@VladimirMikulic
ADD: Comment HTML sanitization and tests for it (publiclab#7282)
7f766cd 
Unit tests:
 - "sanitizing comment body for XSS"
 - "should close incomplete tags"

Resolves publiclab#3630 publiclab#3553
vinitshahdeo pushed a commit to vinitshahdeo/plots2 that referenced this pull request Feb 1, 2020
@VladimirMikulic
ADD: Comment HTML sanitization and tests for it (publiclab#7282)
2fc1586 
Unit tests:
 - "sanitizing comment body for XSS"
 - "should close incomplete tags"

Resolves publiclab#3630 publiclab#3553
NitinBhasneria pushed a commit to NitinBhasneria/plots2 that referenced this pull request Feb 5, 2020
@VladimirMikulic
ADD: Comment HTML sanitization and tests for it (publiclab#7282)
e0b5b63 
Unit tests:
 - "sanitizing comment body for XSS"
 - "should close incomplete tags"

Resolves publiclab#3630 publiclab#3553
@willow19 willow19 mentioned this pull request Apr 22, 2021
Open
7 tasks
@RuthNjeri RuthNjeri mentioned this pull request Apr 22, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jywarren jywarren jywarren approved these changes

@SidharthBansal SidharthBansal Awaiting requested review from SidharthBansal

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@VladimirMikulic @jywarren @SidharthBansal