Commit 8dd6af14 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Sanitize user attrs on model level

parent 7ebbb6e3
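--- a/Gemfile
+++ b/Gemfile
@@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4"
 # underscore-rails
 gem "underscore-rails", "~> 1.4.4"
+# Sanitize user input
+gem "sanitize"
 group :assets do
 gem "sass-rails"
 gem "coffee-rails"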
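Review bot: The added `gem "sanitize"` carries no version constraint, while the neighbouring entries in this hunk are pinned (`gem "underscore-rails", "~> 1.4.4"`). Gemfile.lock freezes whatever resolves today, but a later `bundle update` can pull in a new major release whose default configuration differs, and `Sanitize.clean` in the User model relies entirely on that default. Pin it to the release the lockfile resolved, e.g. `gem "sanitize", "~> <resolved-version>"` (placeholder for the version the lockfile records).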
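--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -608,6 +608,7 @@ DEPENDENCIES
 redcarpet (~> 2.2.2)
 redis-rails
 rspec-rails
+sanitize
 sass-rails
 sdoc
 seed-fu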
...@@ -17,7 +17,7 @@ class ProfilesController < ApplicationController ...@@ -17,7 +17,7 @@ class ProfilesController < ApplicationController
end end
def update def update
if @user.update_attributes(user_attributes) if @user.update_attributes(params[:user])
flash[:notice] = "Profile was successfully updated" flash[:notice] = "Profile was successfully updated"
else else
flash[:alert] = "Failed to update profile" flash[:alert] = "Failed to update profile"
...@@ -69,19 +69,6 @@ class ProfilesController < ApplicationController ...@@ -69,19 +69,6 @@ class ProfilesController < ApplicationController
@user = current_user @user = current_user
end end
def user_attributes
user_attributes = params[:user]
# Sanitize user input because we dont have strict
# validation for this fields
%w(name skype linkedin twitter bio).each do |attr|
value = user_attributes[attr]
user_attributes[attr] = sanitize(strip_tags(value)) if value.present?
end
user_attributes
end
def authorize_change_password! def authorize_change_password!
return render_404 if @user.ldap_user? return render_404 if @user.ldap_user?
end end
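Review bot: On the new side of the first hunk (which I read as `@user.update_attributes(params[:user])`, since the second hunk deletes the `user_attributes` helper that the other variant calls), the raw request hash goes straight into mass assignment, so the only thing keeping a profile update from touching attributes outside the profile form is the User model's `attr_accessible` list, which this commit does not show. Confirm that list exists and covers exactly the profile fields, or narrow the hash in the controller: `@user.update_attributes(params[:user].slice(*profile_fields))`, where `profile_fields` (constructed name) holds the attributes the profile form actually submits. The removed helper only cleaned values for `name skype linkedin twitter bio` and never restricted keys, so this was a pre-existing gap, but after this deletion the action has no input handling of its own and every expectation rests on the model callback.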
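--- a/PATH-NOT-SHOWN/user.rb
+++ b/PATH-NOT-SHOWN/user.rb
@@ -116,7 +116,10 @@ class User < ActiveRecord::Base
 validate :namespace_uniq, if: ->(user) { user.username_changed? }
 before_validation :generate_password, on: :create
+before_validation :sanitize_attrs
 before_save :ensure_authentication_token
 alias_attribute :private_token, :authentication_token
 delegate :path, to: :namespace, allow_nil: true, prefix: true
@@ -371,4 +374,11 @@ class User < ActiveRecord::Base
 def created_by
 User.find_by_id(created_by_id) if created_by_id
 end
+def sanitize_attrs
+%w(name username skype linkedin twitter bio).each do |attr|
+value = self.send(attr)
+self.send("#{attr}=", Sanitize.clean(value)) if value.present?
+end
+end
 end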
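Review bot: `Sanitize.clean` in `sanitize_attrs` (second hunk) returns HTML-serialized text, so as far as I can tell a plain value such as `Tom & Jerry` is written back as `Tom &amp; Jerry` and a bio like `a < b` becomes `a &lt; b`; nothing in this commit decodes that again, so views that escape on output (the Rails default) would render these fields double-escaped. Decide whether the stored value is meant to be plain text or encoded HTML, and pin the answer with a model spec along the lines of `user.name = "Tom & Jerry"; user.valid?; user.name.should == "Tom & Jerry"` (or the encoded form, if that is intended). Registering the callback as `before_validation` (first hunk) is the right hook, because it runs on every save regardless of which controller or API path wrote the attribute and the cleaned value is what gets validated; a short comment would make that intent explicit: `# Strip HTML from free-text profile fields before validation so every write path is covered and the cleaned value is what gets validated`. Note also that `username` is newly in the list, whereas the controller helper this replaces cleaned only `name skype linkedin twitter bio`; if username is already constrained by a format validation, confirm the two do not disagree about which characters survive.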