mirror of
https://github.com/discourse/discourse.git
synced 2024-12-12 12:53:40 +08:00
df3eb93973
* DEV: Sanitize HTML admin inputs
This PR adds on-save HTML sanitization for:
Client site settings
translation overrides
badges descriptions
user fields descriptions
I used Rails's SafeListSanitizer, which [accepts the following HTML tags and attributes](018cf54073/lib/rails/html/sanitizer.rb (L108)
)
* Make sure that the sanitization logic doesn't corrupt settings with special characters
53 lines
1.5 KiB
Ruby
53 lines
1.5 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class UserField < ActiveRecord::Base
|
|
|
|
include AnonCacheInvalidator
|
|
include HasSanitizableFields
|
|
|
|
validates_presence_of :description, :field_type
|
|
validates_presence_of :name, unless: -> { field_type == "confirm" }
|
|
has_many :user_field_options, dependent: :destroy
|
|
has_one :directory_column, dependent: :destroy
|
|
accepts_nested_attributes_for :user_field_options
|
|
|
|
before_save :sanitize_description
|
|
after_save :queue_index_search
|
|
|
|
def self.max_length
|
|
2048
|
|
end
|
|
|
|
def queue_index_search
|
|
SearchIndexer.queue_users_reindex(UserCustomField.where(name: "user_field_#{self.id}").pluck(:user_id))
|
|
end
|
|
|
|
private
|
|
|
|
def sanitize_description
|
|
if description_changed?
|
|
self.description = sanitize_field(self.description)
|
|
end
|
|
end
|
|
end
|
|
|
|
# == Schema Information
|
|
#
|
|
# Table name: user_fields
|
|
#
|
|
# id :integer not null, primary key
|
|
# name :string not null
|
|
# field_type :string not null
|
|
# created_at :datetime not null
|
|
# updated_at :datetime not null
|
|
# editable :boolean default(FALSE), not null
|
|
# description :string not null
|
|
# required :boolean default(TRUE), not null
|
|
# show_on_profile :boolean default(FALSE), not null
|
|
# position :integer default(0)
|
|
# show_on_user_card :boolean default(FALSE), not null
|
|
# external_name :string
|
|
# external_type :string
|
|
# searchable :boolean default(FALSE), not null
|
|
#
|