Diffstat (limited to 'perllib')
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin.pm | 6 | ||||
-rw-r--r-- | perllib/FixMyStreet/App/Controller/Admin/Bodies.pm | 1 | ||||
-rw-r--r-- | perllib/FixMyStreet/Template.pm | 17 | ||||
-rw-r--r-- | perllib/Open311/PopulateServiceList.pm | 8 |
4 files changed, 29 insertions, 3 deletions
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index 64cc9eaaf..c1afccdfd 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -557,7 +557,8 @@ sub update_extra_fields : Private {
         if ($behaviour eq 'question') {
             $meta->{required} = $c->get_param("metadata[$i].required") ? 'true' : 'false';
             $meta->{variable} = 'true';
-            $meta->{description} = $c->get_param("metadata[$i].description");
+            my $desc = $c->get_param("metadata[$i].description");
+            $meta->{description} = FixMyStreet::Template::sanitize($desc);
             $meta->{datatype} = $c->get_param("metadata[$i].datatype");
 
             if ( $meta->{datatype} eq "singlevaluelist" ) {
@@ -579,7 +580,8 @@ sub update_extra_fields : Private {
             }
         } elsif ($behaviour eq 'notice') {
             $meta->{variable} = 'false';
-            $meta->{description} = $c->get_param("metadata[$i].description");
+            my $desc = $c->get_param("metadata[$i].description");
+            $meta->{description} = FixMyStreet::Template::sanitize($desc);
             $meta->{disable_form} = $c->get_param("metadata[$i].disable_form") ? 'true' : 'false';
         } elsif ($behaviour eq 'hidden') {
             $meta->{automated} = 'hidden_field';
diff --git a/perllib/FixMyStreet/App/Controller/Admin/Bodies.pm b/perllib/FixMyStreet/App/Controller/Admin/Bodies.pm
index ea03b146f..3b7739966 100644
--- a/perllib/FixMyStreet/App/Controller/Admin/Bodies.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin/Bodies.pm
@@ -286,6 +286,7 @@ sub update_contact : Private {
     # Special form disabling form
     if ($c->get_param('disable')) {
         my $msg = $c->get_param('disable_message');
+        $msg = FixMyStreet::Template::sanitize($msg);
         $errors{category} = _('Please enter a message') unless $msg;
         my $meta = {
             code => '_fms_disable_',
diff --git a/perllib/FixMyStreet/Template.pm b/perllib/FixMyStreet/Template.pm
index 84faeb562..afab83e41 100644
--- a/perllib/FixMyStreet/Template.pm
+++ b/perllib/FixMyStreet/Template.pm
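Review bot: `sanitize($desc)` is now reached even when `get_param` returns undef for a missing `metadata[$i].description`, and the same applies to `$msg` in the Bodies.pm hunk at line 286 and to the second Admin.pm hunk at line 580. What `HTML::Scrubber->scrub` does with undef input is not visible here; if it yields an empty string the stored description silently changes from undef to '', and the `unless $msg` check that follows in Bodies.pm depends on the result staying false. A one-line guard preserves the old behaviour for the missing-value case: `$meta->{description} = defined $desc ? FixMyStreet::Template::sanitize($desc) : $desc;` (and `$msg = FixMyStreet::Template::sanitize($msg) if defined $msg;`). Both `update_extra_fields` and `update_contact` continue outside these hunks.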
@@ -6,6 +6,7 @@ use warnings;
 use FixMyStreet;
 use mySociety::Locale;
 use Attribute::Handlers;
+use HTML::Scrubber;
 use FixMyStreet::Template::SafeString;
 use FixMyStreet::Template::Context;
 use FixMyStreet::Template::Stash;
@@ -135,4 +136,20 @@ sub html_paragraph : Filter('html_para') {
     return FixMyStreet::Template::SafeString->new($text);
 }
 
+sub sanitize {
+    my $text = shift;
+
+    my %allowed_tags = map { $_ => 1 } qw( p ul ol li br b i strong em );
+    my $scrubber = HTML::Scrubber->new(
+        rules => [
+            %allowed_tags,
+            a => { href => qr{^(http|/|tel)}i, style => 1, target => qr/^_blank$/, title => 1 },
+            font => { color => 1 },
+            span => { style => 1 },
+        ]
+    );
+    $text = $scrubber->scrub($text);
+    return $text;
+}
+
 1;
diff --git a/perllib/Open311/PopulateServiceList.pm b/perllib/Open311/PopulateServiceList.pm
index 7c4337b1a..3e987b7dd 100644
--- a/perllib/Open311/PopulateServiceList.pm
+++ b/perllib/Open311/PopulateServiceList.pm
@@ -246,7 +246,13 @@ sub _add_meta_to_contact {
     # turn the data into something a bit more friendly to use
     @meta =
         # remove trailing colon as we add this when we display so we don't want 2
-        map { $_->{description} =~ s/:\s*$// if $_->{description}; $_ }
+        map {
+            if ($_->{description}) {
+                $_->{description} =~ s/:\s*$//;
+                $_->{description} = FixMyStreet::Template::sanitize($_->{description});
+            }
+            $_
+        }
         # there is a display order and we only want to sort once
         sort { ($a->{order} || 0) <=> ($b->{order} || 0) }
         @meta;
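Review bot: The `style => 1` entries on `a` and `span` in the new `sanitize` accept any inline CSS value, a much wider surface than the short tag allow-list suggests for text that is stored and later rendered unescaped; `font` already shows the tighter shape (`color => 1`), and `href`'s `qr{^(http|/|tel)}i` also lets protocol-relative `//host` links through because a lone `/` satisfies it. The scrubber is additionally rebuilt on every call, which now matters because `Open311::PopulateServiceList` invokes it once per meta item; building it once at file scope removes that cost. The sub also has no comment; something like `# Reduce admin-entered HTML to a small allow-list of formatting tags; values pass through this before being rendered unescaped.` would state the contract. The rewrite below hoists the scrubber, narrows the attribute rules, and passes undef through unchanged.
```perl
# Shared allow-list scrubber for sanitize(); built once so callers that
# loop over many values (e.g. one per meta item) do not construct it each time.
my %allowed_tags = map { $_ => 1 } qw( p ul ol li br b i strong em );
my $scrubber = HTML::Scrubber->new(
    rules => [
        %allowed_tags,
        a    => { href => qr{^(?:https?:|tel:|/(?!/))}i, target => qr/^_blank$/, title => 1 },
        font => { color => 1 },
        span => { style => qr/^\s*color\s*:\s*[#\w]+\s*;?\s*$/i },   # constructed example: colour only
    ]
);

# Reduce admin-entered HTML to the allow-list above. undef is returned
# unchanged so a missing value is still distinguishable from an empty one.
sub sanitize {
    my $text = shift;
    return $text unless defined $text;
    return $scrubber->scrub($text);
}
```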
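Review bot: In the added `if` block of the PopulateServiceList.pm hunk the trailing-colon strip runs before `sanitize`, so a description that ends in markup the scrubber removes keeps a colon that `s/:\s*$//` never saw, because the regex only inspects the end of the unsanitized string. Swapping the two statements makes the strip operate on the final text: `$_->{description} = FixMyStreet::Template::sanitize($_->{description});` followed by `$_->{description} =~ s/:\s*$//;`. The comment above the `map` still describes only the colon removal and should mention the scrubbing as well. `_add_meta_to_contact` begins and continues outside the hunk.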