Sanitize output well, but entity-ize < and > in notes

Coming from a rich message or API call, notes can contain HTML and it
will render to the browser. Coming from a normal todo creation, though,
all < and > characters will be replaced with the corresponding entities.
This preserves HTML emails, but prevents users from breaking the layout
by entering broken HTML for todo notes.

Closes #765
Eric Allen 2010-04-07 10:06:46 -04:00
parent fdba48c769
commit 68701adaca
3 changed files with 17 additions and 4 deletions


@ -202,11 +202,15 @@ module ApplicationHelper
end
def format_note(note)
note.gsub!(/</, '&lt;') # eliminate tags
note.gsub!(/>/, '&gt;')
note = markdown(note)
note = auto_link_message(note)
note = auto_link(note)
# add onenote and message protocols
Sanitize::Config::RELAXED[:protocols]['a']['href'] << 'onenote'
Sanitize::Config::RELAXED[:protocols]['a']['href'] << 'message'
note = Sanitize.clean(note, Sanitize::Config::RELAXED)
return note
end
end
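Review bot: the two `Sanitize::Config::RELAXED[:protocols]['a']['href'] << ...` lines mutate a shared, library-level constant on every call to `format_note`, so the allowed-protocol array grows by two duplicate entries per rendered note and the relaxed config is silently changed for every other `Sanitize.clean(..., Sanitize::Config::RELAXED)` caller in the process. Suggest building the extended config once, outside the method, from a deep copy of `RELAXED` (add `'onenote'` and `'message'` to that copy) and passing that copy to `Sanitize.clean`, so the whitelist is fixed and auditable rather than accumulated at runtime. Separately, the commit message says that `<` and `>` are now escaped at normal todo creation instead of here; that escaping is not in this hunk, so the other two changed files should be checked to confirm the plain-todo path really does escape before the note reaches `format_note`, since this method now trusts `Sanitize` alone for non-email input.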