From 8f5c04b9ecd82521a1aef94e32dee994b1acde8c Mon Sep 17 00:00:00 2001
From: Louise Crow <louise.crow@gmail.com>
Date: Mon, 22 Dec 2014 10:55:30 +0000
Subject: Sanitize the contents of HTML attachments before display

---
 app/controllers/request_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'app/controllers/request_controller.rb')

diff --git a/app/controllers/request_controller.rb b/app/controllers/request_controller.rb
index dfa3a4834..4ff4978dc 100644
--- a/app/controllers/request_controller.rb
+++ b/app/controllers/request_controller.rb
@@ -741,6 +741,10 @@ class RequestController < ApplicationController
         # we don't use @attachment.content_type here, as we want same mime type when cached in cache_attachments above
         response.content_type = AlaveteliFileTypes.filename_to_mimetype(params[:file_name].join("/")) || 'application/octet-stream'
 
+        if response.content_type == 'text/html'
+            @attachment.body = ActionController::Base.helpers.sanitize(@attachment.body)
+        end
+
         render :text => @attachment.body
     end
 
-- 
cgit v1.2.3