From 55f7ac2004f53ebc48efb90c45f64563a7cd660d Mon Sep 17 00:00:00 2001
From: Louise Crow <louise.crow@gmail.com>
Date: Mon, 22 Dec 2014 10:55:30 +0000
Subject: Sanitize the contents of HTML attachments before display

---
 app/controllers/request_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'app/controllers/request_controller.rb')

diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index d66c28275..3f41be594 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -744,6 +744,10 @@ class RequestController < ApplicationController
         # we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above
         response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name]) || 'application/octet-stream'
 
+        if response.content_type == 'text/html'
+            @attachment.body = ActionController::Base.helpers.sanitize(@attachment.body)
+        end
+
         render :text => @attachment.body
     end
 
-- 
cgit v1.2.3