Merge pull request #379 from okriuchykhin/ok_SCI_632

Fix XSS vulnerability in protocol keywords [SCI-632]
2025-12-11 22:56:41 +08:00 · 2016-12-30 15:28:05 +01:00 · 2016-12-30 15:28:05 +01:00 · 36f07b908a
commit 36f07b908a
parent 4b50c73474 d798f1b120
2 changed files with 6 additions and 2 deletions
--- a/app/controllers/protocols_controller.rb
+++ b/app/controllers/protocols_controller.rb
@ -159,6 +159,10 @@ class ProtocolsController < ApplicationController

  def update_keywords
    respond_to do |format|
+      # sanitize user input
+      params[:keywords].collect! do |keyword|
+        ActionController::Base.helpers.sanitize(keyword)
+      end
      if @protocol.update_keywords(params[:keywords])
        format.json {
          render json: {
--- a/app/views/protocols/header/_keywords_label.html.erb
+++ b/app/views/protocols/header/_keywords_label.html.erb
@ -1,5 +1,5 @@
 <% if @protocol.protocol_keywords.count > 0 %>
-  <%= @protocol.protocol_keywords.collect{ |kw| "<strong>#{kw.name}</strong>" }.join(", ").html_safe %>
+  <%= @protocol.protocol_keywords.collect{ |kw| "<strong>#{sanitize(kw.name)}</strong>" }.join(", ").html_safe %>
 <% else %>
  <em><%= t("protocols.no_keywords") %></em>
-<% end %>
+<% end %>