BigW Consortium Gitlab

Commit 223d2640 by Dmitriy Zaporozhets

Sanitize user attrs on model level

parent 3dcc4419
......@@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4"
# underscore-rails
gem "underscore-rails", "~> 1.4.4"
# Sanitize user input
gem "sanitize"
group :assets do
gem "sass-rails"
gem "coffee-rails"
......
......@@ -610,6 +610,7 @@ DEPENDENCIES
redcarpet (~> 2.2.2)
redis-rails
rspec-rails
sanitize
sass-rails
sdoc
seed-fu
......
......@@ -17,7 +17,7 @@ class ProfilesController < ApplicationController
end
def update
if @user.update_attributes(user_attributes)
if @user.update_attributes(params[:user])
flash[:notice] = "Profile was successfully updated"
else
flash[:alert] = "Failed to update profile"
......@@ -69,19 +69,6 @@ class ProfilesController < ApplicationController
@user = current_user
end
def user_attributes
user_attributes = params[:user]
# Sanitize user input because we dont have strict
# validation for this fields
%w(name skype linkedin twitter bio).each do |attr|
value = user_attributes[attr]
user_attributes[attr] = sanitize(strip_tags(value)) if value.present?
end
user_attributes
end
def authorize_change_password!
return render_404 if @user.ldap_user?
end
......
......@@ -114,7 +114,10 @@ class User < ActiveRecord::Base
validate :namespace_uniq, if: ->(user) { user.username_changed? }
before_validation :generate_password, on: :create
before_validation :sanitize_attrs
before_save :ensure_authentication_token
alias_attribute :private_token, :authentication_token
delegate :path, to: :namespace, allow_nil: true, prefix: true
......@@ -356,4 +359,11 @@ class User < ActiveRecord::Base
def created_by
User.find_by_id(created_by_id) if created_by_id
end
def sanitize_attrs
%w(name username skype linkedin twitter bio).each do |attr|
value = self.send(attr)
self.send("#{attr}=", Sanitize.clean(value)) if value.present?
end
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment