From 10db32230795a3e233342e01ec4f927b1c1ba04a Mon Sep 17 00:00:00 2001
From: zmagod
Date: Wed, 10 May 2017 14:57:11 +0200
Subject: [PATCH] fixes input sanitize method [fixes SCI-1248]

---
 Gemfile                              |  1 +
 Gemfile.lock                         |  8 ++++++++
 app/helpers/input_sanitize_helper.rb | 18 ++++++++++--------
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/Gemfile b/Gemfile
index 9b77f0893..d545da3ae 100644
--- a/Gemfile
+++ b/Gemfile
@@ -14,6 +14,7 @@ gem 'bootstrap_form'
 gem 'yomu'
 gem 'font-awesome-rails', '~> 4.6'
 gem 'recaptcha', require: 'recaptcha/rails'
+gem 'sanitize', '~> 4.4'
 # JS datetime library, requirement of datetime picker
 gem 'momentjs-rails', '>= 2.9.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 080015b5c..f0a7e09df 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -103,6 +103,7 @@ GEM
     colorize (0.8.1)
     commit_param_routing (0.0.1)
     concurrent-ruby (1.0.0)
+    crass (1.0.2)
     debug_inspector (0.0.2)
     deface (1.0.2)
       colorize (>= 0.5.8)
@@ -192,6 +193,8 @@ GEM
     nokogiri (1.6.8)
       mini_portile2 (~> 2.1.0)
       pkg-config (~> 1.1.7)
+    nokogumbo (1.4.10)
+      nokogiri
     oj (2.17.4)
     orm_adapter (0.5.0)
     paperclip (4.3.2)
@@ -266,6 +269,10 @@ GEM
     ruby-graphviz (1.2.2)
     ruby-progressbar (1.8.1)
     rubyzip (1.1.7)
+    sanitize (4.4.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.4.4)
+      nokogumbo (~> 1.4.1)
     sass (3.4.23)
     sass-rails (5.0.4)
       railties (>= 4.0.0, < 5.0)
@@ -387,6 +394,7 @@ DEPENDENCIES
   rubocop
   ruby-graphviz (~> 1.2)
   rubyzip
+  sanitize (~> 4.4)
   sass-rails (~> 5.0)
   scss_lint
   sdoc (~> 0.4.0)
diff --git a/app/helpers/input_sanitize_helper.rb b/app/helpers/input_sanitize_helper.rb
index 79cd54c0d..11494d20f 100644
--- a/app/helpers/input_sanitize_helper.rb
+++ b/app/helpers/input_sanitize_helper.rb
@@ -1,13 +1,15 @@
+require 'sanitize'
+
 module InputSanitizeHelper
-  def sanitize_input(
-    text,
-    tags = [],
-    attributes = []
-  )
-    ActionController::Base.helpers.sanitize(
+  # Rails default ActionController::Base.helpers.sanitize method call
+  # the ActiveRecord connecton method on the caller object which in
+  # our cases throws an error when called from not ActiveRecord objects
+  # such SamplesDatatables
+  def sanitize_input(text, tags = [], attributes = [])
+    Sanitize.fragment(
       text,
-      tags: Constants::WHITELISTED_TAGS + tags,
-      attributes: Constants::WHITELISTED_ATTRIBUTES + attributes
+      elements: tags,
+      attributes: { all: attributes }
     )
   end
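Review bot: The new `Sanitize.fragment` call loses the URL-scheme filtering callers got implicitly from the Rails sanitizer: with `attributes: { all: attributes }` and no `protocols:` key, a caller that passes `href` or `src` (with `a`/`img` in `tags`) gets `javascript:` or `data:` URLs through untouched, since Sanitize, as far as I can tell from its config model, only inspects attribute values when a protocol allowlist is configured. The defaults also changed silently on the `elements:`/`attributes:` lines: `sanitize_input(text)` used to apply `Constants::WHITELISTED_TAGS`/`WHITELISTED_ATTRIBUTES`, whereas `elements: []` now strips every tag, which looks unintended given the commit only describes working around the ActiveRecord connection error. I would restore the whitelist defaults and add a protocol allowlist for the URL-bearing attributes, as below, with the scheme list matched to whatever the old Rails scrubber permitted. The module's closing `end` is the hunk's last line and sits just beyond the visible chunk, and `connecton` in the new comment is a typo.
```ruby
  def sanitize_input(text, tags = [], attributes = [])
    Sanitize.fragment(
      text,
      elements: Constants::WHITELISTED_TAGS + tags,
      attributes: { all: Constants::WHITELISTED_ATTRIBUTES + attributes },
      # Sanitize only filters URL attribute values when a scheme allowlist is given
      protocols: {
        'a' => { 'href' => ['http', 'https', 'mailto', :relative] },
        'img' => { 'src' => ['http', 'https', :relative] }
      }
    )
  end
```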