VRFS-1971 escape HTML before saving / unescape before rendering

This commit is contained in:
Brian Smith 2014-08-07 00:50:10 -04:00
parent 199ef029bc
commit d40b29a947
7 changed files with 8 additions and 6 deletions


@ -77,6 +77,7 @@ gem 'rest_client'
gem 'iso-639'
gem 'language_list'
gem 'rubyzip'
gem 'htmlentities'
group :development, :test do
gem 'rspec-rails', '2.14.2'
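Review bot: `gem 'htmlentities'` is added with no version constraint, unlike `gem 'rspec-rails', '2.14.2'` two lines below, so a fresh `bundle install` without a committed Gemfile.lock resolves whatever release is current at the time. Because the client-side unescape has to match the exact entity forms this gem emits, a pessimistic pin such as `gem 'htmlentities', '~> 4.3'` keeps that contract from drifting silently. If Gemfile.lock is committed (not visible here) this is a consistency point only.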


@ -71,7 +71,7 @@
user_id: userId,
hoverAction: musician ? "musician" : "fan",
name: userName,
comment: comment,
comment: context._.unescape(comment),
timeago: timeago
};
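Review bot: `context._.unescape(comment)` undoes the server-side encoding before `comment` reaches the template, so whether the stored-XSS fix survives depends entirely on how the template renders it, which is outside this hunk: with Underscore's `<%= %>` (or any innerHTML insertion) the original `<script>` is reinserted verbatim, and only `<%- %>` or a text-node assignment keeps it safe. Encoding at storage and decoding at display also requires both sides to agree on the entity set, and I believe they don't quite: htmlentities' default `:basic` encoder writes the apostrophe as `&#39;` if I remember its table correctly, a form Underscore's `_.unescape` (which maps `&#x27;`) leaves untouched, so `don't` would render as `don&#39;t` unless the browser happens to decode it as HTML. The robust shape is to keep the database raw and escape at the rendering boundary: keep `comment: comment,` here and render it with `<%- comment %>` in the template. The enclosing function starts before this hunk.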


@ -39,7 +39,7 @@
user_id: userId,
hoverAction: "musician",
name: userName,
comment: comment,
comment: context._.unescape(comment),
timeago: timeago
});
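Review bot: Passing `context._.unescape(comment)` into the template data hands the template the raw user text again, so this line is only as safe as the template's own escaping, which this hunk does not show; an interpolating `<%= %>` or an innerHTML write would put the original markup back on the page. Note too that `_.unescape` decodes a fixed handful of entities, so anything the server encoder emits outside that set (numeric forms, in particular) stays visible as literal `&#..;` text. I would leave `comment: comment,` as it was and make the template escape on output (`<%- comment %>`), which is safe for rows written before this commit as well as after it. The surrounding function begins above the hunk.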


@ -39,7 +39,7 @@
user_id: userId,
hoverAction: musician ? "musician" : "fan",
name: userName,
comment: comment,
comment: context._.unescape(comment),
timeago: timeago
});
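Review bot: `comment: context._.unescape(comment),` reverses the encoding the API applied on save, so the text handed to the template is attacker-controlled again and the template (not in this hunk) must escape it on output for the change to be a fix rather than a no-op; if it uses Underscore's interpolating `<%= %>` the stored script runs exactly as before. Unescaping on the client also silently trusts that every row was encoded on the way in; comments persisted before this deploy, or written by any path that skips the encoder, arrive raw and get the same treatment. Escaping at render time with `<%- comment %>` and keeping `comment: comment,` here removes that dependency. The enclosing function starts outside the hunk.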


@ -1,6 +1,7 @@
class ApiController < ApplicationController
@@log = Logging.logger[ApiController]
@@html_encoder = HTMLEntities.new
# define common error handlers
rescue_from 'JamRuby::StateError' do |exception|
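Review bot: `@@html_encoder = HTMLEntities.new` is a class variable shared down the whole ApiController hierarchy, and it carries no note that the scheme it supports — HTML-encode comment bodies at write time — means the database now holds `&lt;b&gt;` rather than `<b>`, so every consumer other than the HTML template (a JSON response to a mobile client, a notification e-mail, a search index) has to decode or will show entities literally. Output encoding usually belongs at the rendering boundary that knows the context, with storage kept raw; if storage-time encoding is intentional, document it at the definition, e.g. `# HTML-encodes comment bodies before they are persisted; every display path must unescape (see the *_comments actions in the Api*Controllers)`. A frozen constant (`HTML_ENCODER = HTMLEntities.new`) would also be the conventional Ruby form over `@@`, though `@@log` on the line above shows the file's existing style.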


@ -469,7 +469,7 @@ class ApiMusicSessionsController < ApiController
comment = MusicSessionComment.new
comment.music_session_id = params[:id]
comment.creator_id = params[:user_id]
comment.comment = params[:comment]
comment.comment = @@html_encoder.encode(params[:comment])
comment.ip_address = request.remote_ip
comment.save
@ -496,7 +496,7 @@ class ApiMusicSessionsController < ApiController
comment = SessionInfoComment.new
comment.music_session_id = params[:id]
comment.creator_id = current_user.id
comment.comment = params[:comment]
comment.comment = @@html_encoder.encode(params[:comment])
comment.save
if comment.errors.any?
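Review bot: `comment.comment = @@html_encoder.encode(params[:comment])` in the first hunk of this section stores a string that is longer than what the user typed (`&` becomes `&amp;`, `<` becomes `&lt;`), so any length validation on MusicSessionComment or the column's own limit now applies after expansion: a comment that fits raw can fail validation, or be truncated by the database in the middle of an entity (`&am`), which no later unescape repairs. Validate or cap `params[:comment]` before encoding rather than after, and note that a missing `params[:comment]` now reaches the encoder rather than the model, so whatever presence validation did with nil may behave differently. Separately, `comment.creator_id = params[:user_id]` (unchanged here) takes the author from the request while the second hunk uses `current_user.id`; unless a filter outside this hunk ties `user_id` to the session, a caller can post comments as another user. Both hunks sit inside methods that start before them.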


@ -108,7 +108,7 @@ class ApiRecordingsController < ApiController
comment = RecordingComment.new
comment.recording_id = params[:id]
comment.creator_id = params[:user_id]
comment.comment = params[:comment]
comment.comment = @@html_encoder.encode(params[:comment])
comment.ip_address = request.remote_ip
comment.save
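Review bot: This is the third copy of `comment.comment = @@html_encoder.encode(params[:comment])`, which means the invariant the client now relies on — every stored comment is HTML-encoded — is enforced only by each controller action remembering to call the encoder; a new write path, an admin edit, or a console update stores raw text that the client-side unescape then treats as trusted. Moving the encoding into the comment models (a `before_validation` callback or a `comment=` setter on RecordingComment and its siblings) gives one enforcement point and keeps length validation and encoding in the same place. As in the other controllers, `comment.creator_id = params[:user_id]` on the line above the change trusts a request parameter for the author; that is pre-existing, but worth checking against whatever authorization filter sits outside this hunk. The method enclosing this hunk starts before it.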