Merge pull request #2660 from okriuchykhin/ok_SCI_4707_v2

Improve user input filtering on user settings page and for task tags [SCI-4707]
2025-11-18 15:59:39 +08:00 · 2020-06-29 09:30:45 +02:00 · 2020-06-29 09:30:45 +02:00 · faa76a6442
commit faa76a6442
parent 64b66f0d73 8280d2a41e
2 changed files with 16 additions and 11 deletions
--- a/app/assets/javascripts/shared/inline_editing.js
+++ b/app/assets/javascripts/shared/inline_editing.js
@ -63,6 +63,7 @@ var inlineEditing = (function() {
    } else {
      params = { [fieldToUpdate]: inputField(container).val() };
    }
+
    $.ajax({
      url: container.data('path-to-update'),
      type: 'PUT',
@ -76,7 +77,7 @@ var inlineEditing = (function() {
          viewData = result[container.data('response-field')];
        } else {
          // By default we just copy value from input string
-          viewData = inputField(container).val();
+          viewData = $('<div>').text(inputField(container).val()).html();
        }

        container.find('.view-mode')
--- a/app/controllers/my_module_tags_controller.rb
+++ b/app/controllers/my_module_tags_controller.rb
@ -1,4 +1,6 @@
 class MyModuleTagsController < ApplicationController
+  include InputSanitizeHelper
+
  before_action :load_vars, except: :canvas_index
  before_action :check_view_permissions, only: :index
  before_action :check_manage_permissions, only: %i(create index_edit destroy)
@ -112,18 +114,20 @@ class MyModuleTagsController < ApplicationController

  def search_tags
    assigned_tags = @my_module.my_module_tags.pluck(:tag_id)
-    tags = @my_module.experiment.project.tags\
-                     .where.not(id: assigned_tags)
-                     .search(
-                       current_user,
-                       false,
-                       params[:query]
-                     ).select(:id, :name, :color).limit(6)
-    tags = tags.map { |i| { value: i.id, label: i.name, params: { color: i.color } } }
+    all_tags = @my_module.experiment.project.tags
+    tags = all_tags.where.not(id: assigned_tags)
+                   .search(current_user, false, params[:query])
+                   .select(:id, :name, :color)
+                   .limit(6)

-    if !(tags.map { |i| i[:label] }.include? params[:query]) && !params[:query].empty?
-      tags = [{ value: 0, label: params[:query], params: { color: nil } }] + tags
+    tags = tags.map do |tag|
+      { value: tag.id, label: sanitize_input(tag.name), params: { color: sanitize_input(tag.color) } }
    end
+
+    if params[:query].present? && tags.select { |tag| tag[:label] == params[:query] }.blank?
+      tags << { value: 0, label: sanitize_input(params[:query]), params: { color: nil } }
+    end
+
    render json: tags
  end