seth
/
jam-cloud
mirror of https://bitbucket.org/jamkazam/jam-cloud.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

* VRFS-2064 - stop cycle in network test; VRFS-2062 - don't store HTML in user-inputs

This commit is contained in:
Seth Call 2014-08-18 20:41:44 -05:00
parent 5ae975c097
commit 27f4adf772
22 changed files with 138 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ruby/Gemfile
View File

@ -47,6 +47,7 @@ gem 'fog'
gem 'rest-client'
gem 'iso-639'
gem 'rubyzip'
gem 'sanitize'
group :test do
gem 'simplecov', '~> 0.7.1'

1
ruby/lib/jam_ruby.rb
View File

@ -36,6 +36,7 @@ require "jam_ruby/lib/profanity"
require "jam_ruby/lib/json_validator"
require "jam_ruby/lib/em_helper"
require "jam_ruby/lib/nav"
require "jam_ruby/lib/html_sanitize"
require "jam_ruby/resque/audiomixer"
require "jam_ruby/resque/icecast_config_writer"
require "jam_ruby/resque/resque_hooks"

55
ruby/lib/jam_ruby/lib/html_sanitize.rb Normal file
View File

@ -0,0 +1,55 @@
require 'sanitize'
module JamRuby
module HtmlSanitize
SAFE = ['a', 'strong', 'em', 'i', 'ul', 'ol', 'li', 'p', 'b']
extend ActiveSupport::Concern
included do
class_attribute :html_sanitize_options
self.sanitize
end
def sanitize_fields
return if self.html_sanitize_options.nil?
# strict means use Sanitize's strictest settings, which removes all tags
strict_fields = html_sanitize_options[:strict] || []
strict_fields.each do |field|
value = self[field]
next if value.nil? || !value.is_a?(String)
self[field] = Sanitize.fragment(value)
end
# safe means to allow formatting tags only
safe_fields = html_sanitize_options[:safe] || []
safe_fields.each do |field|
value = self[field]
next if value.nil? || !value.is_a?(String)
self[field] = Sanitize.fragment(value, elements: SAFE)
end
end
module ClassMethods
def html_sanitize(options = {strict: []})
self.html_sanitize_options = options
end
def sanitize (options = {})
before_validation :sanitize_fields
end
end
end
end

4
ruby/lib/jam_ruby/models/band.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class Band < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:biography, :website, :name]
attr_accessible :name, :website, :biography, :city, :state,
:country, :original_fpfile_photo, :cropped_fpfile_photo, :cropped_large_fpfile_photo,
@ -11,7 +13,7 @@ module JamRuby
before_save :stringify_photo_info , :if => :updating_photo
validates :biography, no_profanity: true, presence:true, length: {maximum: 4000}
validates :name, presence: true
validates :name, presence: true, no_profanity: true
validates :country, presence: true, :unless => :skip_location_validation
validates :state, presence: true, :unless => :skip_location_validation
validates :city, presence: true, :unless => :skip_location_validation

2
ruby/lib/jam_ruby/models/chat_message.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class ChatMessage < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:message]
self.table_name = 'chat_messages'
self.primary_key = 'id'

2
ruby/lib/jam_ruby/models/claimed_recording.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class ClaimedRecording < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:name, :description]
attr_accessible :name, :description, :is_public, :genre_id, :recording_id, :user_id, as: :admin

1
ruby/lib/jam_ruby/models/connection.rb
View File

@ -3,6 +3,7 @@ require 'aasm'
module JamRuby
class Connection < ActiveRecord::Base
include HtmlSanitize
# client_types
TYPE_CLIENT = 'client'
TYPE_BROWSER = 'browser'

2
ruby/lib/jam_ruby/models/friend_request.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class FriendRequest < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:message]
self.primary_key = 'id'

2
ruby/lib/jam_ruby/models/invited_user.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class InvitedUser < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:note]
VALID_EMAIL_REGEX = /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i

2
ruby/lib/jam_ruby/models/join_request.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class JoinRequest < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:text]
REQUESTOR_MUST_BE_A_MUSICIAN = "requestor must be a musician"

2
ruby/lib/jam_ruby/models/music_session.rb
View File

@ -2,6 +2,8 @@ require 'iso-639'
module JamRuby
class MusicSession < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:name, :description]
@@log = Logging.logger[MusicSession]

3
ruby/lib/jam_ruby/models/music_session_comment.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class MusicSessionComment < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:comment]
self.table_name = "music_sessions_comments"
@ -15,5 +17,6 @@ module JamRuby
:class_name => "JamRuby::User",
:foreign_key => "creator_id")
validates :comment, length: {maximum: 1000}, no_profanity: true
end
end

3
ruby/lib/jam_ruby/models/recording_comment.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class RecordingComment < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:comment]
self.table_name = "recordings_comments"
@ -10,5 +12,6 @@ module JamRuby
belongs_to :recording, :class_name => "JamRuby::Recording", :foreign_key => "recording_id"
belongs_to :user, :class_name => "JamRuby::User", :foreign_key => "creator_id"
validates :comment, length: {maximum: 1000}, no_profanity: true
end
end

4
ruby/lib/jam_ruby/models/session_info_comment.rb
View File

@ -1,5 +1,7 @@
module JamRuby
class SessionInfoComment < ActiveRecord::Base
include HtmlSanitize
html_sanitize strict: [:comment]
self.table_name = "session_info_comments"
@ -10,7 +12,7 @@ module JamRuby
belongs_to(:music_session, :class_name => "JamRuby::MusicSession", :foreign_key => "music_session_id")
belongs_to(:user, :class_name => "JamRuby::User", :foreign_key => "creator_id")
# validates :comment, length: {maximum: 1000}, no_profanity: true
validates :comment, length: {maximum: 1000}, no_profanity: true
end
end

5
ruby/lib/jam_ruby/models/user.rb
View File

@ -3,6 +3,10 @@ include Devise::Models
module JamRuby
class User < ActiveRecord::Base
include Geokit::ActsAsMappable::Glue unless defined?(acts_as_mappable)
include HtmlSanitize
html_sanitize strict: [:first_name, :last_name, :city, :state, :country, :biography]
#devise: for later: :trackable
@@log = Logging.logger[User]
@ -17,7 +21,6 @@ module JamRuby
devise :database_authenticatable, :recoverable, :rememberable
include Geokit::ActsAsMappable::Glue unless defined?(acts_as_mappable)
acts_as_mappable
# after_save :check_lat_lng

10
ruby/spec/jam_ruby/models/music_session_spec.rb
View File

@ -828,5 +828,15 @@ describe MusicSession do
end
end
describe "html_sanitize" do
it "sanitizes" do
music_session1.name = '<b>dog</b>'
music_session1.description = '<html>cat</html>'
music_session1.save!
music_session1.name.should == 'dog'
music_session1.description.should == 'cat'
end
end
end

19
ruby/spec/jam_ruby/models/user_spec.rb
View File

@ -493,6 +493,25 @@ describe User do
end
end
describe "html_sanitize" do
it "sanitizes" do
@user.first_name = '<b>first_name</b>'
@user.last_name = '<i>last_name</i>'
@user.biography = '<i>biography</b>'
@user.country = '<a href="dog">country</a>'
@user.state = '<table>state</table>'
@user.city = '<barf>city</larf>'
@user.save!
@user.first_name.should == 'first_name'
@user.last_name.should == 'last_name'
@user.biography.should == 'biography'
@user.country.should == 'country'
@user.state.should == 'state'
@user.city.should == 'city'
end
end
describe "update_locidispids" do
before(:each) do

2
web/Gemfile
View File

@ -1,5 +1,4 @@
source 'http://rubygems.org'
unless ENV["LOCAL_DEV"] == "1"
source 'https://jamjam:blueberryjam@int.jamkazam.com/gems/'
end
@ -79,6 +78,7 @@ gem 'language_list'
gem 'rubyzip'
gem 'slim'
gem 'htmlentities'
gem 'sanitize'
group :development, :test do
gem 'rspec-rails', '2.14.2'

17
web/app/assets/javascripts/networkTestHelper.js
View File

@ -297,6 +297,17 @@
return testSummary.attempts.length == 0 || testSummary.attempts.length == 1;
}
function hasGoneDown() {
var goneDown = false;
context._.each(testSummary.attempts, function(attempt) {
if(attempt.num_clients == STARTING_NUM_CLIENTS - 1) {
goneDown = true
return false;
}
});
return goneDown;
}
// is this a retry attempt? If so, how many times now has it been.
// 0 = this is the 1st attempt
// > 0 indicates the number of retries.
@ -577,6 +588,12 @@
attempt.reason = "success";
testFinished();
}
else if(hasGoneDown()) {
// this means we've gone up before... so don't go back down (i.e., creating a loop)
attempt.reason = "success";
testSummary.final = { reason: 'success', num_clients: numClientsToTest }
testFinished();
}
else {
numClientsToTest++;
logger.debug("increasing number of clients to " + numClientsToTest);

3
web/app/controllers/api_users_controller.rb
View File

@ -1,3 +1,4 @@
require 'sanitize'
class ApiUsersController < ApiController
before_filter :api_signed_in_user, :except => [:create, :show, :signup_confirm, :auth_session_create, :complete, :finalize_update_email, :isp_scoring, :add_play]
@ -338,7 +339,7 @@ class ApiUsersController < ApiController
end
def notification_create
@notification = Notification.send_text_message(params[:message], current_user, User.find_by_id(params[:receiver]))
@notification = Notification.send_text_message(Sanitize.fragment(params[:message], elements: HtmlSanitize::SAFE), current_user, User.find_by_id(params[:receiver]))
respond_with_model(@notification, new: true)
end

4
web/spec/features/bands_spec.rb
View File

@ -120,8 +120,8 @@ describe "Bands", :js => true, :type => :feature, :capybara_feature => true do
band_website = garbage(2000)
complete_band_setup_form(band_name, band_bio, 'band-website' => band_website)
expect(page).to have_selector('#band-profile-name', text: band_name)
expect(page).to have_selector('#band-profile-biography', text: band_bio)
expect(page).to have_selector('#band-profile-name', text: Sanitize.fragment(band_name))
expect(page).to have_selector('#band-profile-biography', text: Sanitize.fragment(band_bio))
end
it "another user receives invite notification during Band Setup"

1
websocket-gateway/Gemfile
View File

@ -51,6 +51,7 @@ gem 'netaddr'
gem 'iso-639'
gem 'language_list'
gem 'rubyzip'
gem 'sanitize'
group :development do
gem 'pry'