SAnitize AJAX calls in controllers and datatables [SCI-102]

app/controllers/experiments_controller.rb

@@ -1,6 +1,7 @@
 class ExperimentsController < ApplicationController
   include PermissionHelper
   include OrganizationsHelper
+  include InputSanitizeHelper
 
   before_action :set_experiment,
                 except: [:new, :create]
@@ -249,7 +250,8 @@ class ExperimentsController < ApplicationController
       respond_to do |format|
         format.json do
           render json: { message: t('experiments.move.error_flash',
-                                    experiment: @experiment.name) },
+                                    experiment:
+                                      sanitize_input(@experiment.name)) },
                                     status: :unprocessable_entity
         end
       end

app/controllers/my_modules_controller.rb

@@ -1,6 +1,7 @@
 class MyModulesController < ApplicationController
   include SampleActions
   include OrganizationsHelper
+  include InputSanitizeHelper
 
   before_action :load_vars, only: [
     :show, :update, :destroy,
@@ -53,7 +54,8 @@ class MyModulesController < ApplicationController
           html: render_to_string({
             partial: "description.html.erb"
           }),
-          title: t("my_modules.description.title", module: @my_module.name)
+          title: t('my_modules.description.title',
+                   module: sanitize_input(@my_module.name))
         }
       }
     end
@@ -124,7 +126,8 @@ class MyModulesController < ApplicationController
           html: render_to_string({
             partial: "due_date.html.erb"
           }),
-          title: t("my_modules.due_date.title", module: @my_module.name)
+          title: t('my_modules.due_date.title',
+                   module: sanitize_input(@my_module.name))
         }
       }
     end

app/controllers/projects_controller.rb

@@ -2,6 +2,7 @@ class ProjectsController < ApplicationController
   include SampleActions
   include RenamingUtil
   include OrganizationsHelper
+  include InputSanitizeHelper
 
   before_action :load_vars, only: [:show, :edit, :update,
                                    :notifications, :reports,
@@ -104,7 +105,8 @@ class ProjectsController < ApplicationController
             partial: "edit.html.erb",
             locals: { project: @project }
           }),
-          title: t("projects.index.modal_edit_project.modal_title", project: @project.name)
+          title: t('projects.index.modal_edit_project.modal_title',
+                   project: sanitize_input(@project.name))
         }
       }
     end

app/controllers/protocols_controller.rb

@@ -2,6 +2,7 @@ class ProtocolsController < ApplicationController
   include RenamingUtil
   include ProtocolsImporter
   include ProtocolsExporter
+  include InputSanitizeHelper
 
   before_action :check_create_permissions, only: [
     :create_new_modal,
@@ -104,7 +105,8 @@ class ProtocolsController < ApplicationController
     respond_to do |format|
       format.json {
         render json: {
-          title: I18n.t("protocols.index.linked_children.title", protocol: @protocol.name),
+          title: I18n.t('protocols.index.linked_children.title',
+                        protocol: sanitize_input(@protocol.name)),
           html: render_to_string({
             partial: "protocols/index/linked_children_modal_body.html.erb",
             locals: { protocol: @protocol }
@@ -700,7 +702,8 @@ class ProtocolsController < ApplicationController
     respond_to do |format|
       format.json {
         render json: {
-          title: I18n.t("protocols.header.edit_name_modal.title", protocol: @protocol.name),
+          title: I18n.t('protocols.header.edit_name_modal.title',
+                        protocol: sanitize_input(@protocol.name)),
           html: render_to_string({
             partial: "protocols/header/edit_name_modal_body.html.erb"
           })
@@ -713,7 +716,8 @@ class ProtocolsController < ApplicationController
     respond_to do |format|
       format.json {
         render json: {
-          title: I18n.t("protocols.header.edit_keywords_modal.title", protocol: @protocol.name),
+          title: I18n.t('protocols.header.edit_keywords_modal.title',
+                        protocol: sanitize_input(@protocol.name)),
           html: render_to_string({
             partial: "protocols/header/edit_keywords_modal_body.html.erb"
           }),
@@ -727,7 +731,8 @@ class ProtocolsController < ApplicationController
     respond_to do |format|
       format.json {
         render json: {
-          title: I18n.t("protocols.header.edit_authors_modal.title", protocol: @protocol.name),
+          title: I18n.t('protocols.header.edit_authors_modal.title',
+                        protocol: sanitize_input(@protocol.name)),
           html: render_to_string({
             partial: "protocols/header/edit_authors_modal_body.html.erb"
           })
@@ -740,7 +745,8 @@ class ProtocolsController < ApplicationController
     respond_to do |format|
       format.json {
         render json: {
-          title: I18n.t("protocols.header.edit_description_modal.title", protocol: @protocol.name),
+          title: I18n.t('protocols.header.edit_description_modal.title',
+                        protocol: sanitize_input(@protocol.name)),
           html: render_to_string({
             partial: "protocols/header/edit_description_modal_body.html.erb"
           })

app/controllers/samples_controller.rb

@@ -1,4 +1,6 @@
 class SamplesController < ApplicationController
+  include InputSanitizeHelper
+
   before_action :load_vars, only: [:edit, :update, :destroy, :show]
   before_action :load_vars_nested, only: [:new, :create]
 
@@ -115,7 +117,7 @@ class SamplesController < ApplicationController
   def edit
     json = {
       sample: {
-        name: @sample.name,
+        name: sanitize_input(@sample.name),
         sample_type: @sample.sample_type.nil? ? "" : @sample.sample_type.id,
         sample_group: @sample.sample_group.nil? ? "" : @sample.sample_group.id,
         custom_fields: {}
@@ -128,7 +130,7 @@ class SamplesController < ApplicationController
     @sample.sample_custom_fields.each do |scf|
       json[:sample][:custom_fields][scf.custom_field_id] = {
         sample_custom_field_id: scf.id,
-        value: scf.value
+        value: sanitize_input(scf.value)
       }
     end
 
@@ -255,7 +257,7 @@ class SamplesController < ApplicationController
                 flash: t(
                   'samples.update.success_flash',
                   sample: sample.name,
-                  organization: @organization.name
+                  organization: sanitize_input(@organization.name)
                 )
               },
               status: :ok

app/controllers/users/settings_controller.rb

@@ -1,6 +1,7 @@
 class Users::SettingsController < ApplicationController
   include UsersGenerator
   include NotificationsHelper
+  include InputSanitizeHelper
 
   before_action :load_user, only: [
     :preferences,
@@ -184,7 +185,7 @@ class Users::SettingsController < ApplicationController
           }),
           heading: I18n.t(
             "users.settings.organizations.index.leave_uo_heading",
-            org: @user_org.organization.name
+            org: sanitize_input(@user_org.organization.name)
           )
         }
       }
@@ -201,8 +202,8 @@ class Users::SettingsController < ApplicationController
           }),
           heading: I18n.t(
             "users.settings.organizations.edit.destroy_uo_heading",
-            user: @user_org.user.full_name,
-            org: @user_org.organization.name
+            user: sanitize_input(@user_org.user.full_name),
+            org: sanitize_input(@user_org.organization.name)
           )
         }
       }

app/datatables/load_from_repository_protocols_datatable.rb

@@ -1,6 +1,7 @@
 class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base
   # Needed for sanitize_sql_like method
   include ActiveRecord::Sanitization::ClassMethods
+  include InputSanitizeHelper
 
   def initialize(view, organization, type, user)
     super(view)
@@ -69,13 +70,13 @@ class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base
   def data
     records.map do |record|
       {
-        "DT_RowId": record.id,
-        "1": record.name,
-        "2": keywords_html(record),
-        "3": record.nr_of_linked_children,
-        "4": record.full_username_str,
-        "5": timestamp_column_html(record),
-        "6": I18n.l(record.updated_at, format: :full)
+        'DT_RowId': record.id,
+        '1': sanitize_input(record.name),
+        '2': keywords_html(record),
+        '3': record.nr_of_linked_children,
+        '4': sanitize_input(record.full_username_str),
+        '5': timestamp_column_html(record),
+        '6': I18n.l(record.updated_at, format: :full)
       }
     end
   end
@@ -140,7 +141,7 @@ class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base
       kws.sort_by{ |word| word.downcase }.each do |kw|
         res << "<a href='#' data-action='filter' data-param='#{kw}'>#{kw}</a>"
       end
-      res.join(", ")
+      sanitize_input(res.join(', '))
     end
   end
 

app/datatables/organization_users_datatable.rb

@@ -1,4 +1,6 @@
 class OrganizationUsersDatatable < AjaxDatatablesRails::Base
+  include InputSanitizeHelper
+
   def_delegator :@view, :link_to
   def_delegator :@view, :update_user_organization_path
   def_delegator :@view, :destroy_user_organization_html_path
@@ -49,13 +51,13 @@ class OrganizationUsersDatatable < AjaxDatatablesRails::Base
   def data
     records.map do |record|
       {
-        "DT_RowId": record.id,
-        "0": record.user.full_name,
-        "1": record.user.email,
-        "2": I18n.l(record.created_at, format: :full),
-        "3": record.user.active_status_str,
-        "4": record.role_str,
-        "5": ApplicationController.new.render_to_string(
+        'DT_RowId': record.id,
+        '0': sanitize_input(record.user.full_name),
+        '1': sanitize_input(record.user.email),
+        '2': I18n.l(record.created_at, format: :full),
+        '3': record.user.active_status_str,
+        '4': record.role_str,
+        '5': ApplicationController.new.render_to_string(
           partial: "users/settings/organizations/user_dropdown.html.erb",
           locals: {
             user_organization: record,

app/datatables/protocols_datatable.rb

@@ -1,6 +1,7 @@
 class ProtocolsDatatable < AjaxDatatablesRails::Base
   # Needed for sanitize_sql_like method
   include ActiveRecord::Sanitization::ClassMethods
+  include InputSanitizeHelper
 
   def_delegator :@view, :can_edit_protocol
   def_delegator :@view, :edit_protocol_path
@@ -83,24 +84,34 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base
     records.each do |record|
       protocol = Protocol.find(record.id)
       result_data << {
-        "DT_RowId": record.id,
-        "DT_CanEdit": can_edit_protocol(protocol),
-        "DT_EditUrl": can_edit_protocol(protocol) ?
-          edit_protocol_path(protocol, organization: @organization, type: @type) : nil,
-        "DT_CanClone": can_clone_protocol(protocol),
-        "DT_CloneUrl": can_clone_protocol(protocol) ?
-          clone_protocol_path(protocol, organization: @organization, type: @type) : nil,
-        "DT_CanMakePrivate": can_make_protocol_private(protocol),
-        "DT_CanPublish": can_publish_protocol(protocol),
-        "DT_CanArchive": can_archive_protocol(protocol),
-        "DT_CanRestore": can_restore_protocol(protocol),
-        "DT_CanExport": can_export_protocol(protocol),
-        "1": protocol.in_repository_archived? ? record.name : name_html(record),
-        "2": keywords_html(record),
-        "3": modules_html(record),
-        "4": record.full_username_str,
-        "5": timestamp_column_html(record),
-        "6": I18n.l(record.updated_at, format: :full)
+        'DT_RowId': record.id,
+        'DT_CanEdit': can_edit_protocol(protocol),
+        'DT_EditUrl': if can_edit_protocol(protocol)
+                        edit_protocol_path(protocol,
+                                           organization: @organization,
+                                           type: @type)
+                      end,
+        'DT_CanClone': can_clone_protocol(protocol),
+        'DT_CloneUrl': if can_clone_protocol(protocol)
+                         clone_protocol_path(protocol,
+                                             organization: @organization,
+                                             type: @type)
+                       end,
+        'DT_CanMakePrivate': can_make_protocol_private(protocol),
+        'DT_CanPublish': can_publish_protocol(protocol),
+        'DT_CanArchive': can_archive_protocol(protocol),
+        'DT_CanRestore': can_restore_protocol(protocol),
+        'DT_CanExport': can_export_protocol(protocol),
+        '1': if protocol.in_repository_archived?
+               sanitize_input(record.name)
+             else
+               name_html(record)
+             end,
+        '2': keywords_html(record),
+        '3': modules_html(record),
+        '4': sanitize_input(record.full_username_str),
+        '5': timestamp_column_html(record),
+        '6': I18n.l(record.updated_at, format: :full)
       }
     end
     result_data
@@ -168,7 +179,7 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base
   def name_html(record)
     "<a href='#' data-action='protocol-preview'" \
       "data-url='#{preview_protocol_path(record)}'>" \
-      "#{record.name}" \
+      "#{sanitize_input(record.name)}" \
       "</a>"
   end
 
@@ -181,7 +192,7 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base
       kws.sort_by{ |word| word.downcase }.each do |kw|
         res << "<a href='#' data-action='filter' data-param='#{kw}'>#{kw}</a>"
       end
-      res.join(", ")
+      sanitize_input(res.join(', '))
     end
   end
 

app/datatables/sample_datatable.rb

@@ -3,6 +3,7 @@ require 'active_record'
 class SampleDatatable < AjaxDatatablesRails::Base
   include ActionView::Helpers::TextHelper
   include SamplesHelper
+  include InputSanitizeHelper
 
   ASSIGNED_SORT_COL = 'assigned'
 
@@ -105,15 +106,26 @@ class SampleDatatable < AjaxDatatablesRails::Base
       sample = {
         'DT_RowId': record.id,
         '1': assigned_cell(record),
-        '2': record.name,
-        '3': record.sample_type.nil? ? I18n.t('samples.table.no_type') : record.sample_type.name,
-        '4': record.sample_group.nil? ?
-        "<span class='glyphicon glyphicon-asterisk'></span> " + I18n.t("samples.table.no_group") :
-        "<span class='glyphicon glyphicon-asterisk' style='color: #{record.sample_group.color}'></span> " + record.sample_group.name,
-        "5": I18n.l(record.created_at, format: :full),
-          "6": record.user.full_name,
-          "sampleInfoUrl": Rails.application.routes.url_helpers.edit_sample_path(record.id),
-          "sampleUpdateUrl": Rails.application.routes.url_helpers.sample_path(record.id)
+        '2': sanitize_input(record.name),
+        '3': if record.sample_type.nil?
+               I18n.t('samples.table.no_type')
+             else
+               sanitize_input(record.sample_type.name)
+             end,
+        '4': if record.sample_group.nil?
+               "<span class='glyphicon glyphicon-asterisk'></span> " +
+                 I18n.t('samples.table.no_group')
+             else
+               "<span class='glyphicon glyphicon-asterisk' "\
+               "style='color: #{record.sample_group.color}'></span> " +
+                 sanitize_input(record.sample_group.name)
+             end,
+        '5': I18n.l(record.created_at, format: :full),
+        '6': sanitize_input(record.user.full_name),
+        'sampleInfoUrl':
+          Rails.application.routes.url_helpers.edit_sample_path(record.id),
+        'sampleUpdateUrl':
+          Rails.application.routes.url_helpers.sample_path(record.id)
       }
 
       # Add custom attributes