From 3961e025b3169264d31b1e08be74bf4e81e86e10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Gaya?= <sebastien.gaya@gmail.com>
Date: Mon, 23 May 2022 18:32:34 +0200
Subject: [PATCH] sanitize

---
 app/models/communication/block.rb                 |  9 +++++++--
 app/models/communication/block/template.rb        |  4 ++++
 .../block/template/call_to_action.rb              | 15 +++++++++++++++
 .../communication/block/template/chapter.rb       | 10 ++++++++++
 app/models/communication/block/template/image.rb  |  9 +++++++++
 .../blocks/templates/chapter/_edit.html.erb       |  2 +-
 .../blocks/templates/embed/_edit.html.erb         |  1 -
 7 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/app/models/communication/block.rb b/app/models/communication/block.rb
index 13591a50d..95ccf3744 100644
--- a/app/models/communication/block.rb
+++ b/app/models/communication/block.rb
@@ -50,6 +50,7 @@ class Communication::Block < ApplicationRecord
     key_figures: 56,
   }
 
+  before_validation :sanitize_data
   before_save :update_template_images
   after_commit :save_and_sync_about, on: [:update, :destroy]
 
@@ -77,11 +78,15 @@ class Communication::Block < ApplicationRecord
 
   protected
 
-  def save_and_sync_about
-    about&.save_and_sync unless about&.destroyed?
+  def sanitize_data
+    self.data = template.sanitized_data
   end
 
   def update_template_images
     self.template_images = template.active_storage_blobs
   end
+
+  def save_and_sync_about
+    about&.save_and_sync unless about&.destroyed?
+  end
 end
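Review bot: `sanitize_data` is wired as a `before_validation` callback (previous hunk), and Rails skips that callback family on `save(validate: false)`, `update_column(s)` and similar paths, so any code path that persists a block without validating writes the unsanitized hash; declaring it as `before_save :sanitize_data` (in addition, or instead) closes that bypass, since the sanitizer does not depend on validation state. The method also assumes `template` is never nil; if `template` can return nil for an unrecognised kind (not visible here), validation raises `NoMethodError` rather than failing cleanly, so `self.data = template.sanitized_data if template` or an explicit error would be clearer. I would also document the allow-list nature of the rewrite, since it silently drops keys: `# Rebuilds data from the template's allow-list: only keys the template returns survive, text fields pass through Osuny::Sanitizer, and templates without an override keep data unchanged.`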
diff --git a/app/models/communication/block/template.rb b/app/models/communication/block/template.rb
index 66cae4fd3..90dbab361 100644
--- a/app/models/communication/block/template.rb
+++ b/app/models/communication/block/template.rb
@@ -5,6 +5,10 @@ class Communication::Block::Template
     @block = block
   end
 
+  def sanitized_data
+    data
+  end
+
   def git_dependencies
     unless @git_dependencies
       @git_dependencies = []
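Review bot: The base `sanitized_data` returns `data` untouched, so every template class that does not override it is persisted verbatim once `Communication::Block#sanitize_data` assigns the result back; in this patch only CallToAction, Chapter and Image override, and the Embed template whose `code` textarea is edited below stays on the default. A fail-open default is presumably deliberate for raw-HTML templates, but it should be stated so the next template author knows they must opt in; I would add above the method `# Default is a pass-through: templates whose fields come from the admin form must override this and rebuild the hash from sanitized values (see CallToAction); keys not returned there are dropped.` What `data` resolves to in this class is defined outside the hunk.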
diff --git a/app/models/communication/block/template/call_to_action.rb b/app/models/communication/block/template/call_to_action.rb
index 57ea19c92..5f8c6fe1c 100644
--- a/app/models/communication/block/template/call_to_action.rb
+++ b/app/models/communication/block/template/call_to_action.rb
@@ -1,4 +1,19 @@
 class Communication::Block::Template::CallToAction < Communication::Block::Template
+  def sanitized_data
+    {
+      "text" => Osuny::Sanitizer.sanitize(text),
+      "url" => url,
+      "button" => Osuny::Sanitizer.sanitize(button, 'string'),
+      "url_secondary" => url_secondary,
+      "button_secondary" => Osuny::Sanitizer.sanitize(button_secondary, 'string'),
+      "url_tertiary" => url_tertiary,
+      "button_tertiary" => Osuny::Sanitizer.sanitize(button_tertiary, 'string'),
+      "image" => data['image'],
+      "image_alt" => Osuny::Sanitizer.sanitize(data['image_alt'], 'string'),
+      "image_credit" => Osuny::Sanitizer.sanitize(data['image_credit'], 'string')
+    }
+  end
+
   def build_git_dependencies
     add_dependency image&.blob
   end
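Review bot: The three URL fields (`"url"`, `"url_secondary"`, `"url_tertiary"`) are stored verbatim while every text field goes through `Osuny::Sanitizer`; if they end up in an `href` on the generated site (the accessors and the rendering are outside this hunk, so I cannot confirm it), a `javascript:` or `data:` value typed into the admin form survives sanitization unchanged. I would route them through a small scheme allow-list that keeps relative URLs and http(s)/mailto/tel and turns anything else into nil, replacing each entry with `"url" => sanitized_url(url)` and so on. The class body continues outside the hunk; the helper below can sit next to `build_git_dependencies`.
```ruby
  ALLOWED_URL_SCHEMES = %w[http https mailto tel].freeze

  # … unchanged: sanitized_data, with the three url entries calling sanitized_url(...) …

  # Keeps relative URLs and absolute ones whose scheme is allow-listed; anything else becomes nil.
  def sanitized_url(value)
    string = value.to_s.strip
    return nil if string.empty?
    scheme = URI.parse(string).scheme
    return nil if scheme && !ALLOWED_URL_SCHEMES.include?(scheme.downcase)
    string
  rescue URI::InvalidURIError
    nil
  end
```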
diff --git a/app/models/communication/block/template/chapter.rb b/app/models/communication/block/template/chapter.rb
index 992a493a0..9628edb0c 100644
--- a/app/models/communication/block/template/chapter.rb
+++ b/app/models/communication/block/template/chapter.rb
@@ -1,4 +1,14 @@
 class Communication::Block::Template::Chapter < Communication::Block::Template
+  def sanitized_data
+    {
+      "text" => Osuny::Sanitizer.sanitize(text),
+      "notes" => Osuny::Sanitizer.sanitize(notes),
+      "image" => data['image'],
+      "image_alt" => Osuny::Sanitizer.sanitize(data['image_alt'], 'string'),
+      "image_credit" => Osuny::Sanitizer.sanitize(data['image_credit'], 'string')
+    }
+  end
+
   def build_git_dependencies
     add_dependency image&.blob
   end
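Review bot: `"image" => data['image']` is the one value copied from the incoming hash without any check; the context line `add_dependency image&.blob` suggests it is a blob reference, and if it is an ActiveStorage signed id it is self-authenticating, but if it can be an arbitrary hash or free-form string from the form it should be narrowed to what `image` actually reads. Since the accessor for `image` is outside the hunk, I would at least record the assumption: `"image" => data['image'], # presumably a signed blob id consumed by #image — not sanitized; verify`. The class body continues outside the hunk.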
diff --git a/app/models/communication/block/template/image.rb b/app/models/communication/block/template/image.rb
index a306ec700..f6968d1ee 100644
--- a/app/models/communication/block/template/image.rb
+++ b/app/models/communication/block/template/image.rb
@@ -1,4 +1,13 @@
 class Communication::Block::Template::Image < Communication::Block::Template
+  def sanitized_data
+    {
+      "text" => Osuny::Sanitizer.sanitize(text),
+      "image" => data['image'],
+      "image_alt" => Osuny::Sanitizer.sanitize(data['image_alt'], 'string'),
+      "image_credit" => Osuny::Sanitizer.sanitize(data['image_credit'], 'string')
+    }
+  end
+
   def build_git_dependencies
     add_dependency image&.blob
   end
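Review bot: The `image` / `image_alt` / `image_credit` triple is written out identically here and in the Chapter and CallToAction templates in this same patch, so a change to how image credits are sanitized has to be made three times; I would move it into the base `Communication::Block::Template` as a helper and call it from each, e.g. `{ "text" => Osuny::Sanitizer.sanitize(text) }.merge(sanitized_image_data)`, which keeps the key order. The helper would return the same three-key hash, with `image_alt` and `image_credit` passed through `Osuny::Sanitizer.sanitize(…, 'string')` exactly as here. The class body continues outside the hunk.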
diff --git a/app/views/admin/communication/blocks/templates/chapter/_edit.html.erb b/app/views/admin/communication/blocks/templates/chapter/_edit.html.erb
index 860e81f90..d015f65d7 100644
--- a/app/views/admin/communication/blocks/templates/chapter/_edit.html.erb
+++ b/app/views/admin/communication/blocks/templates/chapter/_edit.html.erb
@@ -63,7 +63,7 @@
             for="image_credit">
       <%= t 'admin.communication.blocks.components.image.credit.label' %>
     </label>
-    <input id="image_alt"
+    <input id="image_credit"
             type="text"
             class="form-control"
             v-model="data.image_credit"
diff --git a/app/views/admin/communication/blocks/templates/embed/_edit.html.erb b/app/views/admin/communication/blocks/templates/embed/_edit.html.erb
index 980ce3623..517a37fbe 100644
--- a/app/views/admin/communication/blocks/templates/embed/_edit.html.erb
+++ b/app/views/admin/communication/blocks/templates/embed/_edit.html.erb
@@ -9,7 +9,6 @@
               rows="10"
               class="form-control"
               v-model="data.code"
-              data-summernote-config="mini-list"
               placeholder="<%= t '.code_placeholder' %>"></textarea>
     </div>
   </div>
-- 
GitLab