From a04f05eeb3edef001bf193f6aaa3394232e67c76 Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Tue, 24 Jan 2017 13:06:39 +0100
Subject: [PATCH] Add sanitization to sample groups/types [SCI-902]

---
 app/controllers/samples_controller.rb | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/app/controllers/samples_controller.rb b/app/controllers/samples_controller.rb
index 27e778101..23cfdcf0a 100644
--- a/app/controllers/samples_controller.rb
+++ b/app/controllers/samples_controller.rb
@@ -11,12 +11,18 @@ class SamplesController < ApplicationController
     respond_to do |format|
       format.html
       if can_create_samples(@organization)
-        format.json {
-          render json: {
-            sample_groups: @organization.sample_groups.as_json(only: [:id, :name, :color]),
-            sample_types: @organization.sample_types.as_json(only: [:id, :name])
-          }
-        }
+        groups = @organization.sample_groups.map do |g|
+          { id: g.id, name: sanitize_input(g.name), color: g.color }
+        end
+        types = @organization.sample_types.map do |t|
+          { id: t.id, name: sanitize_input(t.name) }
+        end
+        format.json do
+          render json: {
+            sample_groups: groups.as_json,
+            sample_types: types.as_json
+          }
+        end
       else
         format.json { render json: {}, status: :unauthorized }
       end
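Review bot: The two `map` blocks run before `respond_to` has chosen a format, so an HTML request now executes both the sample_groups and sample_types queries and sanitizes every name for a response that never uses them; move the `groups = …` and `types = …` assignments inside the `format.json do … end` block so that work happens only for JSON. `groups.as_json` and `types.as_json` are redundant on arrays of plain hashes — `render json:` serializes them as-is — so `sample_groups: groups, sample_types: types` reads cleaner and matches the intent of the removed `only:` whitelist, which the explicit hashes now provide. `g.color` is passed through untouched while `name` is sanitized; whether that is safe depends on how the client injects the value (an attribute or style context would want a format check), which this hunk does not show. `sanitize_input` and the enclosing action's `def` both lie outside the hunk, so its escaping contract cannot be confirmed here.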