scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2025-10-26 22:16:28 +08:00
Code Issues Projects Releases Packages Wiki Activity

SAnitize AJAX calls in controllers and datatables [SCI-102]

Browse source
This commit is contained in:
Oleksii Kriuchykhin 2017-01-04 15:04:12 +01:00
parent cd3924afd3
commit 835e982292
10 changed files with 101 additions and 59 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/experiments_controller.rb
View file

@ -1,6 +1,7 @@
class ExperimentsController < ApplicationController class ExperimentsController < ApplicationController
include PermissionHelper include PermissionHelper
include OrganizationsHelper include OrganizationsHelper
include InputSanitizeHelper
before_action :set_experiment, before_action :set_experiment,
except: [:new, :create] except: [:new, :create]
@ -249,7 +250,8 @@ class ExperimentsController < ApplicationController
respond_to do |format| respond_to do |format|
format.json do format.json do
render json: { message: t('experiments.move.error_flash', render json: { message: t('experiments.move.error_flash',
experiment: @experiment.name) }, experiment:
sanitize_input(@experiment.name)) },
status: :unprocessable_entity status: :unprocessable_entity
end end
end end

7
app/controllers/my_modules_controller.rb
View file

@ -1,6 +1,7 @@
class MyModulesController < ApplicationController class MyModulesController < ApplicationController
include SampleActions include SampleActions
include OrganizationsHelper include OrganizationsHelper
include InputSanitizeHelper
before_action :load_vars, only: [ before_action :load_vars, only: [
:show, :update, :destroy, :show, :update, :destroy,
@ -53,7 +54,8 @@ class MyModulesController < ApplicationController
html: render_to_string({ html: render_to_string({
partial: "description.html.erb" partial: "description.html.erb"
}), }),
title: t("my_modules.description.title", module: @my_module.name) title: t('my_modules.description.title',
module: sanitize_input(@my_module.name))
} }
} }
end end
@ -124,7 +126,8 @@ class MyModulesController < ApplicationController
html: render_to_string({ html: render_to_string({
partial: "due_date.html.erb" partial: "due_date.html.erb"
}), }),
title: t("my_modules.due_date.title", module: @my_module.name) title: t('my_modules.due_date.title',
module: sanitize_input(@my_module.name))
} }
} }
end end

4
app/controllers/projects_controller.rb
View file

@ -2,6 +2,7 @@ class ProjectsController < ApplicationController
include SampleActions include SampleActions
include RenamingUtil include RenamingUtil
include OrganizationsHelper include OrganizationsHelper
include InputSanitizeHelper
before_action :load_vars, only: [:show, :edit, :update, before_action :load_vars, only: [:show, :edit, :update,
:notifications, :reports, :notifications, :reports,
@ -104,7 +105,8 @@ class ProjectsController < ApplicationController
partial: "edit.html.erb", partial: "edit.html.erb",
locals: { project: @project } locals: { project: @project }
}), }),
title: t("projects.index.modal_edit_project.modal_title", project: @project.name) title: t('projects.index.modal_edit_project.modal_title',
project: sanitize_input(@project.name))
} }
} }
end end

16
app/controllers/protocols_controller.rb
View file

@ -2,6 +2,7 @@ class ProtocolsController < ApplicationController
include RenamingUtil include RenamingUtil
include ProtocolsImporter include ProtocolsImporter
include ProtocolsExporter include ProtocolsExporter
include InputSanitizeHelper
before_action :check_create_permissions, only: [ before_action :check_create_permissions, only: [
:create_new_modal, :create_new_modal,
@ -104,7 +105,8 @@ class ProtocolsController < ApplicationController
respond_to do |format| respond_to do |format|
format.json { format.json {
render json: { render json: {
title: I18n.t("protocols.index.linked_children.title", protocol: @protocol.name), title: I18n.t('protocols.index.linked_children.title',
protocol: sanitize_input(@protocol.name)),
html: render_to_string({ html: render_to_string({
partial: "protocols/index/linked_children_modal_body.html.erb", partial: "protocols/index/linked_children_modal_body.html.erb",
locals: { protocol: @protocol } locals: { protocol: @protocol }
@ -700,7 +702,8 @@ class ProtocolsController < ApplicationController
respond_to do |format| respond_to do |format|
format.json { format.json {
render json: { render json: {
title: I18n.t("protocols.header.edit_name_modal.title", protocol: @protocol.name), title: I18n.t('protocols.header.edit_name_modal.title',
protocol: sanitize_input(@protocol.name)),
html: render_to_string({ html: render_to_string({
partial: "protocols/header/edit_name_modal_body.html.erb" partial: "protocols/header/edit_name_modal_body.html.erb"
}) })
@ -713,7 +716,8 @@ class ProtocolsController < ApplicationController
respond_to do |format| respond_to do |format|
format.json { format.json {
render json: { render json: {
title: I18n.t("protocols.header.edit_keywords_modal.title", protocol: @protocol.name), title: I18n.t('protocols.header.edit_keywords_modal.title',
protocol: sanitize_input(@protocol.name)),
html: render_to_string({ html: render_to_string({
partial: "protocols/header/edit_keywords_modal_body.html.erb" partial: "protocols/header/edit_keywords_modal_body.html.erb"
}), }),
@ -727,7 +731,8 @@ class ProtocolsController < ApplicationController
respond_to do |format| respond_to do |format|
format.json { format.json {
render json: { render json: {
title: I18n.t("protocols.header.edit_authors_modal.title", protocol: @protocol.name), title: I18n.t('protocols.header.edit_authors_modal.title',
protocol: sanitize_input(@protocol.name)),
html: render_to_string({ html: render_to_string({
partial: "protocols/header/edit_authors_modal_body.html.erb" partial: "protocols/header/edit_authors_modal_body.html.erb"
}) })
@ -740,7 +745,8 @@ class ProtocolsController < ApplicationController
respond_to do |format| respond_to do |format|
format.json { format.json {
render json: { render json: {
title: I18n.t("protocols.header.edit_description_modal.title", protocol: @protocol.name), title: I18n.t('protocols.header.edit_description_modal.title',
protocol: sanitize_input(@protocol.name)),
html: render_to_string({ html: render_to_string({
partial: "protocols/header/edit_description_modal_body.html.erb" partial: "protocols/header/edit_description_modal_body.html.erb"
}) })

8
app/controllers/samples_controller.rb
View file

@ -1,4 +1,6 @@
class SamplesController < ApplicationController class SamplesController < ApplicationController
include InputSanitizeHelper
before_action :load_vars, only: [:edit, :update, :destroy, :show] before_action :load_vars, only: [:edit, :update, :destroy, :show]
before_action :load_vars_nested, only: [:new, :create] before_action :load_vars_nested, only: [:new, :create]
@ -115,7 +117,7 @@ class SamplesController < ApplicationController
def edit def edit
json = { json = {
sample: { sample: {
name: @sample.name, name: sanitize_input(@sample.name),
sample_type: @sample.sample_type.nil? ? "" : @sample.sample_type.id, sample_type: @sample.sample_type.nil? ? "" : @sample.sample_type.id,
sample_group: @sample.sample_group.nil? ? "" : @sample.sample_group.id, sample_group: @sample.sample_group.nil? ? "" : @sample.sample_group.id,
custom_fields: {} custom_fields: {}
@ -128,7 +130,7 @@ class SamplesController < ApplicationController
@sample.sample_custom_fields.each do |scf| @sample.sample_custom_fields.each do |scf|
json[:sample][:custom_fields][scf.custom_field_id] = { json[:sample][:custom_fields][scf.custom_field_id] = {
sample_custom_field_id: scf.id, sample_custom_field_id: scf.id,
value: scf.value value: sanitize_input(scf.value)
} }
end end
@ -255,7 +257,7 @@ class SamplesController < ApplicationController
flash: t( flash: t(
'samples.update.success_flash', 'samples.update.success_flash',
sample: sample.name, sample: sample.name,
organization: @organization.name organization: sanitize_input(@organization.name)
) )
}, },
status: :ok status: :ok

7
app/controllers/users/settings_controller.rb
View file

@ -1,6 +1,7 @@
class Users::SettingsController < ApplicationController class Users::SettingsController < ApplicationController
include UsersGenerator include UsersGenerator
include NotificationsHelper include NotificationsHelper
include InputSanitizeHelper
before_action :load_user, only: [ before_action :load_user, only: [
:preferences, :preferences,
@ -184,7 +185,7 @@ class Users::SettingsController < ApplicationController
}), }),
heading: I18n.t( heading: I18n.t(
"users.settings.organizations.index.leave_uo_heading", "users.settings.organizations.index.leave_uo_heading",
org: @user_org.organization.name org: sanitize_input(@user_org.organization.name)
) )
} }
} }
@ -201,8 +202,8 @@ class Users::SettingsController < ApplicationController
}), }),
heading: I18n.t( heading: I18n.t(
"users.settings.organizations.edit.destroy_uo_heading", "users.settings.organizations.edit.destroy_uo_heading",
user: @user_org.user.full_name, user: sanitize_input(@user_org.user.full_name),
org: @user_org.organization.name org: sanitize_input(@user_org.organization.name)
) )
} }
} }

17
app/datatables/load_from_repository_protocols_datatable.rb
View file

@ -1,6 +1,7 @@
class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base
# Needed for sanitize_sql_like method # Needed for sanitize_sql_like method
include ActiveRecord::Sanitization::ClassMethods include ActiveRecord::Sanitization::ClassMethods
include InputSanitizeHelper
def initialize(view, organization, type, user) def initialize(view, organization, type, user)
super(view) super(view)
@ -69,13 +70,13 @@ class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base
def data def data
records.map do |record| records.map do |record|
{ {
"DT_RowId": record.id, 'DT_RowId': record.id,
"1": record.name, '1': sanitize_input(record.name),
"2": keywords_html(record), '2': keywords_html(record),
"3": record.nr_of_linked_children, '3': record.nr_of_linked_children,
"4": record.full_username_str, '4': sanitize_input(record.full_username_str),
"5": timestamp_column_html(record), '5': timestamp_column_html(record),
"6": I18n.l(record.updated_at, format: :full) '6': I18n.l(record.updated_at, format: :full)
} }
end end
end end
@ -140,7 +141,7 @@ class LoadFromRepositoryProtocolsDatatable < AjaxDatatablesRails::Base
kws.sort_by{ |word| word.downcase }.each do |kw| kws.sort_by{ |word| word.downcase }.each do |kw|
res << "<a href='#' data-action='filter' data-param='#{kw}'>#{kw}</a>" res << "<a href='#' data-action='filter' data-param='#{kw}'>#{kw}</a>"
end end
res.join(", ") sanitize_input(res.join(', '))
end end
end end

16
app/datatables/organization_users_datatable.rb
View file

@ -1,4 +1,6 @@
class OrganizationUsersDatatable < AjaxDatatablesRails::Base class OrganizationUsersDatatable < AjaxDatatablesRails::Base
include InputSanitizeHelper
def_delegator :@view, :link_to def_delegator :@view, :link_to
def_delegator :@view, :update_user_organization_path def_delegator :@view, :update_user_organization_path
def_delegator :@view, :destroy_user_organization_html_path def_delegator :@view, :destroy_user_organization_html_path
@ -49,13 +51,13 @@ class OrganizationUsersDatatable < AjaxDatatablesRails::Base
def data def data
records.map do |record| records.map do |record|
{ {
"DT_RowId": record.id, 'DT_RowId': record.id,
"0": record.user.full_name, '0': sanitize_input(record.user.full_name),
"1": record.user.email, '1': sanitize_input(record.user.email),
"2": I18n.l(record.created_at, format: :full), '2': I18n.l(record.created_at, format: :full),
"3": record.user.active_status_str, '3': record.user.active_status_str,
"4": record.role_str, '4': record.role_str,
"5": ApplicationController.new.render_to_string( '5': ApplicationController.new.render_to_string(
partial: "users/settings/organizations/user_dropdown.html.erb", partial: "users/settings/organizations/user_dropdown.html.erb",
locals: { locals: {
user_organization: record, user_organization: record,

51
app/datatables/protocols_datatable.rb
View file

@ -1,6 +1,7 @@
class ProtocolsDatatable < AjaxDatatablesRails::Base class ProtocolsDatatable < AjaxDatatablesRails::Base
# Needed for sanitize_sql_like method # Needed for sanitize_sql_like method
include ActiveRecord::Sanitization::ClassMethods include ActiveRecord::Sanitization::ClassMethods
include InputSanitizeHelper
def_delegator :@view, :can_edit_protocol def_delegator :@view, :can_edit_protocol
def_delegator :@view, :edit_protocol_path def_delegator :@view, :edit_protocol_path
@ -83,24 +84,34 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base
records.each do |record| records.each do |record|
protocol = Protocol.find(record.id) protocol = Protocol.find(record.id)
result_data << { result_data << {
"DT_RowId": record.id, 'DT_RowId': record.id,
"DT_CanEdit": can_edit_protocol(protocol), 'DT_CanEdit': can_edit_protocol(protocol),
"DT_EditUrl": can_edit_protocol(protocol) ? 'DT_EditUrl': if can_edit_protocol(protocol)
edit_protocol_path(protocol, organization: @organization, type: @type) : nil, edit_protocol_path(protocol,
"DT_CanClone": can_clone_protocol(protocol), organization: @organization,
"DT_CloneUrl": can_clone_protocol(protocol) ? type: @type)
clone_protocol_path(protocol, organization: @organization, type: @type) : nil, end,
"DT_CanMakePrivate": can_make_protocol_private(protocol), 'DT_CanClone': can_clone_protocol(protocol),
"DT_CanPublish": can_publish_protocol(protocol), 'DT_CloneUrl': if can_clone_protocol(protocol)
"DT_CanArchive": can_archive_protocol(protocol), clone_protocol_path(protocol,
"DT_CanRestore": can_restore_protocol(protocol), organization: @organization,
"DT_CanExport": can_export_protocol(protocol), type: @type)
"1": protocol.in_repository_archived? ? record.name : name_html(record), end,
"2": keywords_html(record), 'DT_CanMakePrivate': can_make_protocol_private(protocol),
"3": modules_html(record), 'DT_CanPublish': can_publish_protocol(protocol),
"4": record.full_username_str, 'DT_CanArchive': can_archive_protocol(protocol),
"5": timestamp_column_html(record), 'DT_CanRestore': can_restore_protocol(protocol),
"6": I18n.l(record.updated_at, format: :full) 'DT_CanExport': can_export_protocol(protocol),
'1': if protocol.in_repository_archived?
sanitize_input(record.name)
else
name_html(record)
end,
'2': keywords_html(record),
'3': modules_html(record),
'4': sanitize_input(record.full_username_str),
'5': timestamp_column_html(record),
'6': I18n.l(record.updated_at, format: :full)
} }
end end
result_data result_data
@ -168,7 +179,7 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base
def name_html(record) def name_html(record)
"<a href='#' data-action='protocol-preview'" \ "<a href='#' data-action='protocol-preview'" \
"data-url='#{preview_protocol_path(record)}'>" \ "data-url='#{preview_protocol_path(record)}'>" \
"#{record.name}" \ "#{sanitize_input(record.name)}" \
"</a>" "</a>"
end end
@ -181,7 +192,7 @@ class ProtocolsDatatable < AjaxDatatablesRails::Base
kws.sort_by{ |word| word.downcase }.each do |kw| kws.sort_by{ |word| word.downcase }.each do |kw|
res << "<a href='#' data-action='filter' data-param='#{kw}'>#{kw}</a>" res << "<a href='#' data-action='filter' data-param='#{kw}'>#{kw}</a>"
end end
res.join(", ") sanitize_input(res.join(', '))
end end
end end

30
app/datatables/sample_datatable.rb
View file

@ -3,6 +3,7 @@ require 'active_record'
class SampleDatatable < AjaxDatatablesRails::Base class SampleDatatable < AjaxDatatablesRails::Base
include ActionView::Helpers::TextHelper include ActionView::Helpers::TextHelper
include SamplesHelper include SamplesHelper
include InputSanitizeHelper
ASSIGNED_SORT_COL = 'assigned' ASSIGNED_SORT_COL = 'assigned'
@ -105,15 +106,26 @@ class SampleDatatable < AjaxDatatablesRails::Base
sample = { sample = {
'DT_RowId': record.id, 'DT_RowId': record.id,
'1': assigned_cell(record), '1': assigned_cell(record),
'2': record.name, '2': sanitize_input(record.name),
'3': record.sample_type.nil? ? I18n.t('samples.table.no_type') : record.sample_type.name, '3': if record.sample_type.nil?
'4': record.sample_group.nil? ? I18n.t('samples.table.no_type')
"<span class='glyphicon glyphicon-asterisk'></span> " + I18n.t("samples.table.no_group") : else
"<span class='glyphicon glyphicon-asterisk' style='color: #{record.sample_group.color}'></span> " + record.sample_group.name, sanitize_input(record.sample_type.name)
"5": I18n.l(record.created_at, format: :full), end,
"6": record.user.full_name, '4': if record.sample_group.nil?
"sampleInfoUrl": Rails.application.routes.url_helpers.edit_sample_path(record.id), "<span class='glyphicon glyphicon-asterisk'></span> " +
"sampleUpdateUrl": Rails.application.routes.url_helpers.sample_path(record.id) I18n.t('samples.table.no_group')
else
"<span class='glyphicon glyphicon-asterisk' "\
"style='color: #{record.sample_group.color}'></span> " +
sanitize_input(record.sample_group.name)
end,
'5': I18n.l(record.created_at, format: :full),
'6': sanitize_input(record.user.full_name),
'sampleInfoUrl':
Rails.application.routes.url_helpers.edit_sample_path(record.id),
'sampleUpdateUrl':
Rails.application.routes.url_helpers.sample_path(record.id)
} }
# Add custom attributes # Add custom attributes