HTML tags in the document description breaks UI #566

2016-08-23 09:32:47 +02:00 · 2016-08-23 09:32:47 +02:00 · b03a69e87c
commit b03a69e87c
parent fc6a4fc81e
2 changed files with 4 additions and 3 deletions
--- a/app/models/dmsf_file_revision.rb
+++ b/app/models/dmsf_file_revision.rb
@ -22,6 +22,7 @@
 require 'digest/md5'

 class DmsfFileRevision < ActiveRecord::Base
+
  unloadable
  belongs_to :dmsf_file
  belongs_to :source_revision, :class_name => 'DmsfFileRevision', :foreign_key => 'source_dmsf_file_revision_id'
@ -288,10 +289,10 @@ class DmsfFileRevision < ActiveRecord::Base
    text = ''
    text = self.description if self.description.present?
    if self.comment.present?
-      text += '&#xA;' if text.present?
+      text += ' / ' if text.present?
      text += self.comment
    end
-    text.html_safe
+    ActionView::Base.full_sanitizer.sanitize(text)
  end

 end
--- a/app/views/dmsf/_file.html.erb
+++ b/app/views/dmsf/_file.html.erb
@ -33,7 +33,7 @@
    file_view_url,
    :target => '_blank',
    :class => "icon icon-file #{DmsfHelper.filetype_css(file.name)}",
-    :title => file.last_revision.try(:tooltip),
+    :title => h(file.last_revision.try(:tooltip)),
    'data-downloadurl' => "#{file.last_revision.detect_content_type}:#{h(file.name)}:#{file_view_url}") %>
  <div class="dmsf_filename" title="<%= l(:title_filename_for_download)%>"><%= h(link ? link.path : file.display_name) %></div>
  <%= '</span>'.html_safe if @tree_view %>