diff --git a/app/controllers/experiments_controller.rb b/app/controllers/experiments_controller.rb index 8e1b4ebaf..1713254b4 100644 --- a/app/controllers/experiments_controller.rb +++ b/app/controllers/experiments_controller.rb @@ -1,6 +1,7 @@ class ExperimentsController < ApplicationController include PermissionHelper include OrganizationsHelper + include InputSanitizeHelper before_action :set_experiment, except: [:new, :create] @@ -249,7 +250,8 @@ class ExperimentsController < ApplicationController respond_to do |format| format.json do render json: { message: t('experiments.move.error_flash', - experiment: @experiment.name) }, + experiment: + sanitize_input(@experiment.name)) }, status: :unprocessable_entity end end diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb index 26334ca73..b81fbe722 100644 --- a/app/controllers/my_modules_controller.rb +++ b/app/controllers/my_modules_controller.rb @@ -1,6 +1,7 @@ class MyModulesController < ApplicationController include SampleActions include OrganizationsHelper + include InputSanitizeHelper before_action :load_vars, only: [ :show, :update, :destroy, @@ -53,7 +54,8 @@ class MyModulesController < ApplicationController html: render_to_string({ partial: "description.html.erb" }), - title: t("my_modules.description.title", module: @my_module.name) + title: t('my_modules.description.title', + module: sanitize_input(@my_module.name)) } } end @@ -124,7 +126,8 @@ class MyModulesController < ApplicationController html: render_to_string({ partial: "due_date.html.erb" }), - title: t("my_modules.due_date.title", module: @my_module.name) + title: t('my_modules.due_date.title', + module: sanitize_input(@my_module.name)) } } end diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 1eb41e537..3105c86ab 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb 
@@ -2,6 +2,7 @@ class ProjectsController < ApplicationController include SampleActions include RenamingUtil include OrganizationsHelper + include InputSanitizeHelper before_action :load_vars, only: [:show, :edit, :update, :notifications, :reports, @@ -104,7 +105,8 @@ class ProjectsController < ApplicationController partial: "edit.html.erb", locals: { project: @project } }), - title: t("projects.index.modal_edit_project.modal_title", project: @project.name) + title: t('projects.index.modal_edit_project.modal_title', + project: sanitize_input(@project.name)) } } end diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb index 2b951906c..c7996c2e2 100644 --- a/app/controllers/protocols_controller.rb +++ b/app/controllers/protocols_controller.rb @@ -2,6 +2,7 @@ class ProtocolsController < ApplicationController include RenamingUtil include ProtocolsImporter include ProtocolsExporter + include InputSanitizeHelper before_action :check_create_permissions, only: [ :create_new_modal, @@ -104,7 +105,8 @@ class ProtocolsController < ApplicationController respond_to do |format| format.json { render json: { - title: I18n.t("protocols.index.linked_children.title", protocol: @protocol.name), + title: I18n.t('protocols.index.linked_children.title', + protocol: sanitize_input(@protocol.name)), html: render_to_string({ partial: "protocols/index/linked_children_modal_body.html.erb", locals: { protocol: @protocol } @@ -700,7 +702,8 @@ class ProtocolsController < ApplicationController respond_to do |format| format.json { render json: { - title: I18n.t("protocols.header.edit_name_modal.title", protocol: @protocol.name), + title: I18n.t('protocols.header.edit_name_modal.title', + protocol: sanitize_input(@protocol.name)), html: render_to_string({ partial: "protocols/header/edit_name_modal_body.html.erb" }) 
@@ -713,7 +716,8 @@ class ProtocolsController < ApplicationController respond_to do |format| format.json { render json: { - title: I18n.t("protocols.header.edit_keywords_modal.title", protocol: @protocol.name), + title: I18n.t('protocols.header.edit_keywords_modal.title', + protocol: sanitize_input(@protocol.name)), html: render_to_string({ partial: "protocols/header/edit_keywords_modal_body.html.erb" }), @@ -727,7 +731,8 @@ class ProtocolsController < ApplicationController respond_to do |format| format.json { render json: { - title: I18n.t("protocols.header.edit_authors_modal.title", protocol: @protocol.name), + title: I18n.t('protocols.header.edit_authors_modal.title', + protocol: sanitize_input(@protocol.name)), html: render_to_string({ partial: "protocols/header/edit_authors_modal_body.html.erb" }) @@ -740,7 +745,8 @@ class ProtocolsController < ApplicationController respond_to do |format| format.json { render json: { - title: I18n.t("protocols.header.edit_description_modal.title", protocol: @protocol.name), + title: I18n.t('protocols.header.edit_description_modal.title', + protocol: sanitize_input(@protocol.name)), html: render_to_string({ partial: "protocols/header/edit_description_modal_body.html.erb" }) diff --git a/app/controllers/samples_controller.rb b/app/controllers/samples_controller.rb index 086d55c2e..40c65b6a3 100644 --- a/app/controllers/samples_controller.rb +++ b/app/controllers/samples_controller.rb @@ -1,4 +1,6 @@ class SamplesController < ApplicationController + include InputSanitizeHelper + before_action :load_vars, only: [:edit, :update, :destroy, :show] before_action :load_vars_nested, only: [:new, :create] @@ -115,7 +117,7 @@ class SamplesController < ApplicationController def edit json = { sample: { - name: @sample.name, + name: sanitize_input(@sample.name), sample_type: @sample.sample_type.nil? ? "" : @sample.sample_type.id, sample_group: @sample.sample_group.nil? ? "" : @sample.sample_group.id, custom_fields: {} 
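Review bot: `name: sanitize_input(@sample.name)` in `edit` alters the value the edit form is populated with, not merely how it is displayed: a legitimately stored name such as `R&D sample` comes back as `R&amp;D sample` if `sanitize_input` escapes, or with characters removed if it strips tags, and saving the form unchanged would then persist the altered value, compounding on every edit. Whether that happens depends on how the client writes this JSON into the input, which is not visible here; if it assigns the element's value directly, the raw name should be returned and escaping left to the point where text is inserted into markup. The same consideration applies to `scf.value` in the next hunk of this file. `edit` continues past the end of this hunk.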
@@ -128,7 +130,7 @@ class SamplesController < ApplicationController @sample.sample_custom_fields.each do |scf| json[:sample][:custom_fields][scf.custom_field_id] = { sample_custom_field_id: scf.id, - value: scf.value + value: sanitize_input(scf.value) } end @@ -255,7 +257,7 @@ class SamplesController < ApplicationController flash: t( 'samples.update.success_flash', sample: sample.name, - organization: @organization.name + organization: sanitize_input(@organization.name) ) }, status: :ok diff --git a/app/controllers/users/settings_controller.rb b/app/controllers/users/settings_controller.rb index 805341aaf..2fdce61fa 100644 --- a/app/controllers/users/settings_controller.rb +++ b/app/controllers/users/settings_controller.rb @@ -1,6 +1,7 @@ class Users::SettingsController < ApplicationController include UsersGenerator include NotificationsHelper + include InputSanitizeHelper before_action :load_user, only: [ :preferences, @@ -184,7 +185,7 @@ class Users::SettingsController < ApplicationController }), heading: I18n.t( "users.settings.organizations.index.leave_uo_heading", - org: @user_org.organization.name + org: sanitize_input(@user_org.organization.name) ) } } @@ -201,8 +202,8 @@ class Users::SettingsController < ApplicationController }), heading: I18n.t( "users.settings.organizations.edit.destroy_uo_heading", - user: @user_org.user.full_name, - org: @user_org.organization.name + user: sanitize_input(@user_org.user.full_name), + org: sanitize_input(@user_org.organization.name) ) } } diff --git a/app/datatables/load_from_repository_protocols_datatable.rb b/app/datatables/load_from_repository_protocols_datatable.rb index bea5a5a37..a34c3d015 100644 --- a/app/datatables/load_from_repository_protocols_datatable.rb +++ b/app/datatables/load_from_repository_protocols_datatable.rb 
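Review bot: `sample: sample.name` in the update success flash is still interpolated unsanitized while `organization:` on the next line now is, leaving the flash text only half-protected; change it to `sample: sanitize_input(sample.name),`. The gap also illustrates the weakness of escaping field by field at the JSON producer: every new interpolation has to be remembered. If the client inserts `flash` as a text node the escaping here is redundant, and if it inserts it as HTML then fixing the consumer protects every message at once. The enclosing method starts outside this hunk.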
@@ -1,6 +1,7 @@ class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base # Needed for sanitize_sql_like method include ActiveRecord::Sanitization::ClassMethods + include InputSanitizeHelper def initialize(view, organization, type, user) super(view) @@ -69,13 +70,13 @@ class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base def data records.map do |record| { - "DT_RowId": record.id, - "1": record.name, - "2": keywords_html(record), - "3": record.nr_of_linked_children, - "4": record.full_username_str, - "5": timestamp_column_html(record), - "6": I18n.l(record.updated_at, format: :full) + 'DT_RowId': record.id, + '1': sanitize_input(record.name), + '2': keywords_html(record), + '3': record.nr_of_linked_children, + '4': sanitize_input(record.full_username_str), + '5': timestamp_column_html(record), + '6': I18n.l(record.updated_at, format: :full) } end end @@ -140,7 +141,7 @@ class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base kws.sort_by{ |word| word.downcase }.each do |kw| res << "#{kw}" end - res.join(", ") + sanitize_input(res.join(', ')) end end diff --git a/app/datatables/organization_users_datatable.rb b/app/datatables/organization_users_datatable.rb index 3b45e0702..afbb411be 100644 --- a/app/datatables/organization_users_datatable.rb +++ b/app/datatables/organization_users_datatable.rb @@ -1,4 +1,6 @@ class OrganizationUsersDatatable < AjaxDatatablesRails::Base + include InputSanitizeHelper + def_delegator :@view, :link_to def_delegator :@view, :update_user_organization_path def_delegator :@view, :destroy_user_organization_html_path 
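Review bot: `sanitize_input(res.join(', '))` in `keywords_html` escapes the keywords only after they have been joined into the cell string, so if the `res << "#{kw}"` line wraps each keyword in markup (extraction appears to have dropped any tags, so this is inferred from the method name) that markup is altered along with the data. Escaping belongs on the untrusted part alone, before it is embedded: `res << "#{sanitize_input(kw)}"` inside the loop, with `res.join(', ')` left as it was. The method header and the source of `kws` are outside this hunk.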
@@ -49,13 +51,13 @@ class OrganizationUsersDatatable < AjaxDatatablesRails::Base def data records.map do |record| { - "DT_RowId": record.id, - "0": record.user.full_name, - "1": record.user.email, - "2": I18n.l(record.created_at, format: :full), - "3": record.user.active_status_str, - "4": record.role_str, - "5": ApplicationController.new.render_to_string( + 'DT_RowId': record.id, + '0': sanitize_input(record.user.full_name), + '1': sanitize_input(record.user.email), + '2': I18n.l(record.created_at, format: :full), + '3': record.user.active_status_str, + '4': record.role_str, + '5': ApplicationController.new.render_to_string( partial: "users/settings/organizations/user_dropdown.html.erb", locals: { user_organization: record, diff --git a/app/datatables/protocols_datatable.rb b/app/datatables/protocols_datatable.rb index 1c6ecab6c..f6da64703 100644 --- a/app/datatables/protocols_datatable.rb +++ b/app/datatables/protocols_datatable.rb @@ -1,6 +1,7 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base # Needed for sanitize_sql_like method include ActiveRecord::Sanitization::ClassMethods + include InputSanitizeHelper def_delegator :@view, :can_edit_protocol def_delegator :@view, :edit_protocol_path 
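Review bot: `'3': record.user.active_status_str` and `'4': record.role_str` remain unescaped next to the now-escaped `full_name` and `email`; if both helpers resolve to fixed translations that is fine, but if either can echo a stored string they need `sanitize_input` as well — neither helper is visible here. The `'5'` cell renders an ERB partial, which escapes its own interpolations by default, so it needs no change. `data` continues past the end of this hunk.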
@@ -83,24 +84,34 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base records.each do |record| protocol = Protocol.find(record.id) result_data << { - "DT_RowId": record.id, - "DT_CanEdit": can_edit_protocol(protocol), - "DT_EditUrl": can_edit_protocol(protocol) ? - edit_protocol_path(protocol, organization: @organization, type: @type) : nil, - "DT_CanClone": can_clone_protocol(protocol), - "DT_CloneUrl": can_clone_protocol(protocol) ? - clone_protocol_path(protocol, organization: @organization, type: @type) : nil, - "DT_CanMakePrivate": can_make_protocol_private(protocol), - "DT_CanPublish": can_publish_protocol(protocol), - "DT_CanArchive": can_archive_protocol(protocol), - "DT_CanRestore": can_restore_protocol(protocol), - "DT_CanExport": can_export_protocol(protocol), - "1": protocol.in_repository_archived? ? record.name : name_html(record), - "2": keywords_html(record), - "3": modules_html(record), - "4": record.full_username_str, - "5": timestamp_column_html(record), - "6": I18n.l(record.updated_at, format: :full) + 'DT_RowId': record.id, + 'DT_CanEdit': can_edit_protocol(protocol), + 'DT_EditUrl': if can_edit_protocol(protocol) + edit_protocol_path(protocol, + organization: @organization, + type: @type) + end, + 'DT_CanClone': can_clone_protocol(protocol), + 'DT_CloneUrl': if can_clone_protocol(protocol) + clone_protocol_path(protocol, + organization: @organization, + type: @type) + end, + 'DT_CanMakePrivate': can_make_protocol_private(protocol), + 'DT_CanPublish': can_publish_protocol(protocol), + 'DT_CanArchive': can_archive_protocol(protocol), + 'DT_CanRestore': can_restore_protocol(protocol), + 'DT_CanExport': can_export_protocol(protocol), + '1': if protocol.in_repository_archived? 
+ sanitize_input(record.name) + else + name_html(record) + end, + '2': keywords_html(record), + '3': modules_html(record), + '4': sanitize_input(record.full_username_str), + '5': timestamp_column_html(record), + '6': I18n.l(record.updated_at, format: :full) } end result_data @@ -168,7 +179,7 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base def name_html(record) "" \ - "#{record.name}" \ + "#{sanitize_input(record.name)}" \ "" end @@ -181,7 +192,7 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base kws.sort_by{ |word| word.downcase }.each do |kw| res << "#{kw}" end - res.join(", ") + sanitize_input(res.join(', ')) end end diff --git a/app/datatables/sample_datatable.rb b/app/datatables/sample_datatable.rb index 90af5ec62..45bfe86a9 100644 --- a/app/datatables/sample_datatable.rb +++ b/app/datatables/sample_datatable.rb @@ -3,6 +3,7 @@ require 'active_record' class SampleDatatable < AjaxDatatablesRails::Base include ActionView::Helpers::TextHelper include SamplesHelper + include InputSanitizeHelper ASSIGNED_SORT_COL = 'assigned' 
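Review bot: `'2': keywords_html(record)`, `'3': modules_html(record)` and `'5': timestamp_column_html(record)` are the cells still delegated to helpers, and whether they escape user-controlled text cannot be confirmed from this hunk — `name_html` and `keywords_html` are patched further down this file, but `modules_html` and `timestamp_column_html` are not touched by the diff and should be checked for interpolated model attributes before this XSS fix is considered complete. `Protocol.find(record.id)` on the context line above issues one query per row; it is pre-existing, but worth a follow-up. `data` starts outside this hunk.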
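Review bot: `sanitize_input(res.join(', '))` in `keywords_html` applies escaping to the already-composed cell string rather than to each keyword, so if the `res << "#{kw}"` line emits markup around the keyword (any tags appear to have been lost in extraction, so this is inferred) that markup is escaped or stripped together with the data, while a whitelist-style sanitizer might still pass attributes supplied through `kw`. Escape the untrusted part before embedding it: `res << "#{sanitize_input(kw)}"` in the loop, and leave `res.join(', ')` untouched. The method header and the source of `kws` are outside this hunk.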
@@ -105,15 +106,26 @@ class SampleDatatable < AjaxDatatablesRails::Base sample = { 'DT_RowId': record.id, '1': assigned_cell(record), - '2': record.name, - '3': record.sample_type.nil? ? I18n.t('samples.table.no_type') : record.sample_type.name, - '4': record.sample_group.nil? ? - " " + I18n.t("samples.table.no_group") : - " " + record.sample_group.name, - "5": I18n.l(record.created_at, format: :full), - "6": record.user.full_name, - "sampleInfoUrl": Rails.application.routes.url_helpers.edit_sample_path(record.id), - "sampleUpdateUrl": Rails.application.routes.url_helpers.sample_path(record.id) + '2': sanitize_input(record.name), + '3': if record.sample_type.nil? + I18n.t('samples.table.no_type') + else + sanitize_input(record.sample_type.name) + end, + '4': if record.sample_group.nil? + " " + + I18n.t('samples.table.no_group') + else + " " + + sanitize_input(record.sample_group.name) + end, + '5': I18n.l(record.created_at, format: :full), + '6': sanitize_input(record.user.full_name), + 'sampleInfoUrl': + Rails.application.routes.url_helpers.edit_sample_path(record.id), + 'sampleUpdateUrl': + Rails.application.routes.url_helpers.sample_path(record.id) } # Add custom attributes
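Review bot: The cells in this hunk now escape `name`, `sample_type.name`, `sample_group.name` and `user.full_name`, but the custom attribute values appended right after `# Add custom attributes`, the hunk's last line, are not in view and are not touched by this diff; the controller's `edit` action in the same commit escapes `scf.value`, so the table cells built from the same custom fields presumably need the same treatment. `'1': assigned_cell(record)` is likewise a helper not visible here and should be checked for interpolated user-supplied text. `data` continues past the end of this hunk.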