mirror of
https://github.com/discourse/discourse.git
synced 2024-12-05 10:26:17 +08:00
df3eb93973
* DEV: Sanitize HTML admin inputs
This PR adds on-save HTML sanitization for:
Client site settings
translation overrides
badges descriptions
user fields descriptions
I used Rails's SafeListSanitizer, which [accepts the following HTML tags and attributes](018cf54073/lib/rails/html/sanitizer.rb (L108)
)
* Make sure that the sanitization logic doesn't corrupt settings with special characters
24 lines
771 B
Ruby
24 lines
771 B
Ruby
# frozen_string_literal: true
|
|
|
|
module HasSanitizableFields
|
|
extend ActiveSupport::Concern
|
|
|
|
def sanitize_field(field, additional_attributes: [])
|
|
if field
|
|
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
|
|
|
|
if additional_attributes.present?
|
|
allowed_attributes = allowed_attributes.merge(additional_attributes)
|
|
end
|
|
|
|
field = CGI.unescape_html(sanitizer.sanitize(field, attributes: allowed_attributes))
|
|
# Just replace the characters that our translations use for interpolation.
|
|
# Calling CGI.unescape removes characters like '+', which will corrupt the original value.
|
|
field = field.gsub('%7B', '{').gsub('%7D', '}')
|
|
end
|
|
|
|
field
|
|
end
|
|
end
|