diff options
| author | Louise Crow <louise.crow@gmail.com> | 2014-12-22 10:55:30 +0000 |
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2014-12-22 17:21:55 +0000 |
| commit | 66a15c472dd2b09f3aa6e8933749c1bd1dca2632 (patch) | |
| tree | 6e8a25cbe5b0e6cbc88b2e0fb5f7c6639d619f51 | |
| parent | b3cfe8d72ce339f5125df87fd2772de97d224d9f (diff) | |
Sanitize the contents of HTML attachments before display0.12.0.7hotfix/0.12.0.7
| -rw-r--r-- | app/controllers/request_controller.rb | 4 | ||||
| -rw-r--r-- | config/application.rb | 3 |
2 files changed, 7 insertions, 0 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index 42693f867..3235d4e86 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -732,6 +732,10 @@ class RequestController < ApplicationController # we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name]) || 'application/octet-stream' + if response.content_type == 'text/html' + @attachment.body = ActionController::Base.helpers.sanitize(@attachment.body) + end + render :text => @attachment.body end diff --git a/config/application.rb b/config/application.rb index 92fd30685..005d81225 100644 --- a/config/application.rb +++ b/config/application.rb @@ -35,6 +35,9 @@ module Alaveteli # JavaScript files you want as :defaults (application.js is always included). # config.action_view.javascript_expansions[:defaults] = %w(jquery rails) + # Allow some extra tags to be whitelisted in the 'sanitize' helper method + config.action_view.sanitized_allowed_tags = 'html', 'head', 'body', 'table', 'tr', 'td', 'style' + # Configure the default encoding used in templates for Ruby 1.9. config.encoding = "utf-8" |