authorLouise Crow <louise.crow@gmail.com>2014-10-31 15:16:05 +0000
committerLouise Crow <louise.crow@gmail.com>2014-11-18 17:45:50 +0000
commit45f25290e2e4a1f33ec5d3df6ecfb40300318ece (patch)
tree297ab4ab097bdce94908cf13c9ff44e243b5db1c
parentab76e4a18904af104ab532cc273ba15d9bef6f75 (diff)
Use rack-utf8_sanitizer gem
This sanitises non-UTF-8 params before they're processed by Rails.
-rw-r--r--Gemfile1
-rw-r--r--Gemfile.lock5
-rw-r--r--config/application.rb4
-rw-r--r--spec/integration/errors_spec.rb14
4 files changed, 16 insertions, 8 deletions
diff --git a/Gemfile b/Gemfile
index c50396af5..3814192e2 100644
--- a/Gemfile
+++ b/Gemfile
@@ -19,6 +19,7 @@ gem 'memcache-client'
gem 'net-http-local', :platforms => [:ruby_18, :ruby_19]
gem 'net-purge'
gem 'rack'
+gem 'rack-utf8_sanitizer', :platforms => :ruby_19
gem 'rake', '0.9.2.2'
gem 'rails-i18n'
gem 'recaptcha', '~> 0.3.1', :require => 'recaptcha/rails'
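Review bot: The `:platforms => :ruby_19` restriction on the new gem line does not express the same rule as the guard in the config/application.rb hunk, which inserts `Rack::UTF8Sanitizer` whenever `RUBY_VERSION.to_f >= 1.9`. Bundler's `:ruby_19` platform selects Ruby 1.9 only, so if the application is ever booted on Ruby 2.x the gem would not be installed while the middleware insertion still runs, and boot would fail with an uninitialized constant. If 1.9 is the only supported non-1.8 target this is moot today, but the two conditions should match — for example widening the platform list here, in the style of the `:platforms => [:ruby_18, :ruby_19]` line above, to `:platforms => [:ruby_19, :ruby_20, :ruby_21]`. Do not resolve it the other way round by wrapping the insertion in `defined?(Rack::UTF8Sanitizer)`: a sanitising middleware that is silently absent is worse than a loud boot failure.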
diff --git a/Gemfile.lock b/Gemfile.lock
index 3b2138be5..a6754b1e7 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -180,6 +180,10 @@ GEM
rack
rack-test (0.6.2)
rack (>= 1.0)
+ rack-utf8_sanitizer (1.2.3)
+ bundler (~> 1.0)
+ rack (~> 1.0)
+ railties (= 3.2.21)
rails (3.2.21)
actionmailer (= 3.2.21)
actionpack (= 3.2.21)
@@ -319,6 +323,7 @@ DEPENDENCIES
pg
quiet_assets
rack
+ rack-utf8_sanitizer
rails (= 3.2.21)
rails-i18n
rake (= 0.9.2.2)
diff --git a/config/application.rb b/config/application.rb
index ed4f07819..ff72df015 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -74,6 +74,10 @@ module Alaveteli
ENV['RECAPTCHA_PUBLIC_KEY'] = ::AlaveteliConfiguration::recaptcha_public_key
ENV['RECAPTCHA_PRIVATE_KEY'] = ::AlaveteliConfiguration::recaptcha_private_key
+ if RUBY_VERSION.to_f >= 1.9
+ config.middleware.insert 0, Rack::UTF8Sanitizer
+ end
+
# Insert a bit of middleware code to prevent uneeded cookie setting.
require "#{Rails.root}/lib/whatdotheyknow/strip_empty_sessions"
config.middleware.insert_before ::ActionDispatch::Cookies, WhatDoTheyKnow::StripEmptySessions, :key => '_wdtk_cookie_session', :path => "/", :httponly => true
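Review bot: The new `config.middleware.insert 0, Rack::UTF8Sanitizer` block carries no comment explaining the placement, unlike the StripEmptySessions insertion just below it, which does. Index 0 puts the sanitizer ahead of every other Rack middleware, which is the point of the change — invalid bytes are cleaned before anything else in the stack or Rails reads params or cookies — and the `RUBY_VERSION` guard deserves a word too; suggest `# Run first so invalid UTF-8 in the request is sanitised before any other middleware or Rails parses it (Ruby >= 1.9 only).` The enclosing `module Alaveteli` and its application class start and end outside this hunk.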
diff --git a/spec/integration/errors_spec.rb b/spec/integration/errors_spec.rb
index 4fa12fb21..b36e08b2b 100644
--- a/spec/integration/errors_spec.rb
+++ b/spec/integration/errors_spec.rb
@@ -62,14 +62,12 @@ describe "When errors occur" do
response.body.should match(%Q(invalid value for Integer))
end
- # it 'should handle non utf-8 parameters' do
- # pending 'until we sanitize non utf-8 parameters for Ruby >= 1.9' do
- # get ('/%d3')
- # response.should render_template('general/exception_caught')
- # response.code.should == '404'
- # response.body.should match("Sorry, we couldn't find that page")
- # end
- # end
+ it 'should handle non utf-8 parameters' do
+ get ('/%d3')
+ response.should render_template('general/exception_caught')
+ response.code.should == '404'
+ response.body.should match("Sorry, we couldn't find that page")
+ end
it "should render a 500 for general errors using the general/exception_caught template" do
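Review bot: `get ('/%d3')` puts a space between the method name and its argument parentheses, so the parentheses read as a grouped expression rather than a call's argument list; the style guide form is `get '/%d3'`. The reactivated example only exercises an invalid byte in the request path, while the commit message says params are sanitised, so a second example placing the bad byte in a query-string value would pin the behaviour the middleware is actually installed for. The `describe "When errors occur"` block begins before this hunk and continues past it.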