Sanitize the contents of HTML attachments before display0.13.0.6 hotfix/0.13.0.6

author: Louise Crow <louise.crow@gmail.com> 2014-12-22 10:55:30 +0000
committer: Louise Crow <louise.crow@gmail.com> 2014-12-22 17:15:22 +0000
commit: c77b4818340ab10206ef57459e830e87c576b497 (patch)
tree: 195c0f74a9ac7bad8dccc32f5903918d581759dc /app/controllers
parent: ebf13d76efcfb60ca56e9557b0fe1e6528ee03ff (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index 45d8b7de6..f9b41f989 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -736,6 +736,10 @@ class RequestController < ApplicationController
         # we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above
         response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name]) || 'application/octet-stream'
 
+        if response.content_type == 'text/html'
+            @attachment.body = ActionController::Base.helpers.sanitize(@attachment.body)
+        end
+
         render :text => @attachment.body
     end
author	Louise Crow <louise.crow@gmail.com>	2014-12-22 10:55:30 +0000
committer	Louise Crow <louise.crow@gmail.com>	2014-12-22 17:15:22 +0000
commit	c77b4818340ab10206ef57459e830e87c576b497 (patch)
tree	195c0f74a9ac7bad8dccc32f5903918d581759dc /app/controllers
parent	ebf13d76efcfb60ca56e9557b0fe1e6528ee03ff (diff)