scinote-eln/scinote-web
1
1
Fork 0
mirror of https://github.com/scinote-eln/scinote-web.git synced 2025-01-01 13:13:22 +08:00
Code Issues Projects Releases Packages Wiki Activity

Fix XSS vulnerability in protocol keywords [SCI-632]

Browse source
This commit is contained in:
Oleksii Kriuchykhin 2016-12-29 15:15:29 +01:00
parent 4b50c73474
commit d798f1b120
2 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/controllers/protocols_controller.rb
View file

@ -159,6 +159,10 @@ class ProtocolsController < ApplicationController
def update_keywords def update_keywords
respond_to do |format| respond_to do |format|
# sanitize user input
params[:keywords].collect! do |keyword|
ActionController::Base.helpers.sanitize(keyword)
end
if @protocol.update_keywords(params[:keywords]) if @protocol.update_keywords(params[:keywords])
format.json { format.json {
render json: { render json: {

4
app/views/protocols/header/_keywords_label.html.erb
View file

@ -1,5 +1,5 @@
<% if @protocol.protocol_keywords.count > 0 %> <% if @protocol.protocol_keywords.count > 0 %>
<%= @protocol.protocol_keywords.collect{ |kw| "<strong>#{kw.name}</strong>" }.join(", ").html_safe %> <%= @protocol.protocol_keywords.collect{ |kw| "<strong>#{sanitize(kw.name)}</strong>" }.join(", ").html_safe %>
<% else %> <% else %>
<em><%= t("protocols.no_keywords") %></em> <em><%= t("protocols.no_keywords") %></em>
<% end %> <% end %>