diff options
| author | Louise Crow <louise.crow@gmail.com> | 2014-12-22 10:55:30 +0000 |
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2014-12-22 17:31:09 +0000 |
| commit | 8f5c04b9ecd82521a1aef94e32dee994b1acde8c (patch) | |
| tree | 8a3d372da01a69a739352526cb607dd42cace20f | |
| parent | 090122a9fd74aba6074d5e1b52aa54d40a9985d1 (diff) | |
Sanitize the contents of HTML attachments before display
| -rw-r--r-- | app/controllers/request_controller.rb | 4 | ||||
| -rw-r--r-- | config/environment.rb | 3 |
2 files changed, 7 insertions, 0 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb index dfa3a4834..4ff4978dc 100644 --- a/app/controllers/request_controller.rb +++ b/app/controllers/request_controller.rb @@ -741,6 +741,10 @@ class RequestController < ApplicationController # we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name].join("/")) || 'application/octet-stream' + if response.content_type == 'text/html' + @attachment.body = ActionController::Base.helpers.sanitize(@attachment.body) + end + render :text => @attachment.body end diff --git a/config/environment.rb b/config/environment.rb index 9f973feb1..75e6130fe 100644 --- a/config/environment.rb +++ b/config/environment.rb @@ -62,6 +62,9 @@ Rails::Initializer.run do |config| # Only load the plugins named here, by default all plugins in vendor/plugins are loaded # config.plugins = %W( exception_notification ssl_requirement ) + # Allow some extra tags to be whitelisted in the 'sanitize' helper method + config.action_view.sanitized_allowed_tags + # Add additional load paths for your own custom dirs # config.load_paths += %W( #{Rails.root}/extras ) |