Remove and legacy ActionText parts, include Sanitizable pretty much everywhere and custom sanitize

app/models/communication/block.rb

@@ -24,6 +24,7 @@
 #  fk_rails_18291ef65f  (university_id => universities.id)
 #
 class Communication::Block < ApplicationRecord
+  include Sanitizable
   include WithUniversity
   include WithPosition
   include Accessible

app/models/communication/extranet.rb

@@ -35,6 +35,7 @@
 class Communication::Extranet < ApplicationRecord
   self.filter_attributes += [:sso_cert]
 
+  # We don't include Sanitizable because too many complex attributes. We handle it below.
   include WithAbouts
   include WithLegal
   include WithSso
@@ -49,6 +50,8 @@ class Communication::Extranet < ApplicationRecord
   validates :logo, size: { less_than: 1.megabytes }
   validates :favicon, size: { less_than: 1.megabytes }
 
+  before_validation :sanitize_fields
+
   scope :ordered, -> { order(:name) }
   scope :for_search_term, -> (term) {
     where("
@@ -100,4 +103,16 @@ class Communication::Extranet < ApplicationRecord
   def to_s
     "#{name}"
   end
+
+  private
+
+  def sanitize_fields
+    self.color = Osuny::Sanitizer.sanitize(self.color, 'string')
+    self.cookies_policy = Osuny::Sanitizer.sanitize(self.cookies_policy, 'text')
+    self.host = Osuny::Sanitizer.sanitize(self.host, 'string')
+    self.name = Osuny::Sanitizer.sanitize(self.name, 'string')
+    self.privacy_policy = Osuny::Sanitizer.sanitize(self.privacy_policy, 'text')
+    self.registration_contact = Osuny::Sanitizer.sanitize(self.registration_contact, 'string')
+    self.terms = Osuny::Sanitizer.sanitize(self.terms, 'text')
+  end
 end

app/models/communication/website.rb

@@ -64,6 +64,8 @@ class Communication::Website < ApplicationRecord
   validates :languages, length: { minimum: 1 }
   validate :languages_must_include_default_language
 
+  before_validation :sanitize_fields
+
   scope :ordered, -> { order(:name) }
   scope :in_production, -> { where(in_production: true) }
   scope :for_theme_version, -> (version) { where(theme_version: version) }
@@ -107,6 +109,15 @@ class Communication::Website < ApplicationRecord
 
   protected
 
+  def sanitize_fields
+    self.git_branch = Osuny::Sanitizer.sanitize(self.git_branch, 'string')
+    self.git_endpoint = Osuny::Sanitizer.sanitize(self.git_endpoint, 'string')
+    self.name = Osuny::Sanitizer.sanitize(self.name, 'string')
+    self.plausible_url = Osuny::Sanitizer.sanitize(self.plausible_url, 'string')
+    self.repository = Osuny::Sanitizer.sanitize(self.repository, 'string')
+    self.url = Osuny::Sanitizer.sanitize(self.url, 'string')
+  end
+
   def languages_must_include_default_language
     errors.add(:languages, :must_include_default) unless language_ids.include?(default_language_id)
   end

app/models/communication/website/git_file.rb

@@ -21,6 +21,8 @@
 #  fk_rails_8505d649e8  (website_id => communication_websites.id)
 #
 class Communication::Website::GitFile < ApplicationRecord
+  # We don't include Sanitizable as this model is never handled by users directly.
+
   belongs_to :website, class_name: 'Communication::Website'
   belongs_to :about, polymorphic: true
 

app/models/communication/website/permalink.rb

@@ -40,6 +40,7 @@ class Communication::Website::Permalink < ApplicationRecord
     "University::Person::Teacher" => Communication::Website::Permalink::Teacher
   }
 
+  # We don't include Sanitizable as this model is never handled by users directly.
   include WithUniversity
 
   belongs_to :university

app/models/concerns/sanitizable.rb

@@ -11,6 +11,9 @@ module Sanitizable
                                                       .select { |attr_name, attr_type|
                                                         [:string, :text].include?(attr_type) && public_send(attr_name).present?
                                                       }
+                                                      .reject { |attr_name, _|
+                                                        attr_name.ends_with?('_type') # Reject polymorphic type
+                                                      }
 
       attributes_to_sanitize.each do |attr_name, attr_type|
         public_send "#{attr_name}=", Osuny::Sanitizer.sanitize(public_send(attr_name), attr_type)

app/models/education/cohort.rb

@@ -26,6 +26,7 @@
 #  fk_rails_c2d725cabd  (academic_year_id => education_academic_years.id)
 #
 class Education::Cohort < ApplicationRecord
+  include Sanitizable
   include WithUniversity
 
   belongs_to  :school,

app/models/education/diploma.rb

@@ -23,6 +23,7 @@
 #  fk_rails_6cb2e9fa90  (university_id => universities.id)
 #
 class Education::Diploma < ApplicationRecord
+  include Sanitizable
   include WithBlocks
   include WithGit
   include WithPermalink

app/models/education/school.rb

@@ -24,6 +24,7 @@
 #  fk_rails_e01b37a3ad  (university_id => universities.id)
 #
 class Education::School < ApplicationRecord
+  include Sanitizable
   include WithGit
   include Aboutable
   include WithPrograms # must come before WithAlumni and WithTeam

app/models/language.rb

@@ -10,6 +10,7 @@
 #  updated_at        :datetime         not null
 #
 class Language < ApplicationRecord
+  include Sanitizable
 
   has_many :users
   has_and_belongs_to_many :communication_websites,

app/models/research/hal/author.rb

@@ -17,6 +17,8 @@
 #  index_research_hal_authors_on_docid  (docid)
 #
 class Research::Hal::Author < ApplicationRecord
+  include Sanitizable
+
   has_and_belongs_to_many :publications,
                           foreign_key: 'research_hal_publication_id',
                           association_foreign_key: 'research_hal_author_id'
@@ -76,7 +78,7 @@ class Research::Hal::Author < ApplicationRecord
     researchers << researcher
     researcher.import_research_hal_publications!
   end
-  
+
   def disconnect_researcher(researcher)
     researchers.delete researcher
     researcher.import_research_hal_publications!

app/models/research/hal/publication.rb

@@ -20,9 +20,10 @@
 #  index_research_hal_publications_on_docid  (docid)
 #
 class Research::Hal::Publication < ApplicationRecord
+  include Sanitizable
   include WithGit
   include WithSlug
-  
+
   DOI_PREFIX = 'http://dx.doi.org/'.freeze
 
   has_and_belongs_to_many :researchers,

app/models/research/journal.rb

@@ -20,6 +20,7 @@
 #  fk_rails_96097d5f10  (university_id => universities.id)
 #
 class Research::Journal < ApplicationRecord
+  include Sanitizable
   include Aboutable
   include WithUniversity
   include WithGit

app/models/research/journal/paper/kind.rb

@@ -21,6 +21,7 @@
 #  fk_rails_8e6f992b9d  (university_id => universities.id)
 #
 class Research::Journal::Paper::Kind < ApplicationRecord
+  include Sanitizable
   include WithUniversity
   include WithGit
   include WithSlug

app/models/research/laboratory.rb

@@ -21,6 +21,7 @@
 #  fk_rails_f61d27545f  (university_id => universities.id)
 #
 class Research::Laboratory < ApplicationRecord
+  include Sanitizable
   include WithGit
   include Aboutable
 

app/models/university.rb

@@ -38,6 +38,7 @@
 class University < ApplicationRecord
   self.filter_attributes += [:sso_cert]
 
+  # We don't include Sanitizable because too many complex attributes. We handle it below.
   include WithPeopleAndOrganizations
   include WithCommunication
   include WithEducation
@@ -59,6 +60,7 @@ class University < ApplicationRecord
   validates :sms_sender_name, presence: true, length: { maximum: 11 }
   validates :logo, size: { less_than: 1.megabytes }
 
+  before_validation :sanitize_fields
   after_destroy :destroy_remaining_blobs
 
   scope :ordered, -> { order(:name) }
@@ -88,6 +90,20 @@ class University < ApplicationRecord
 
   private
 
+  def sanitize_fields
+    self.address = Osuny::Sanitizer.sanitize(self.address, 'string')
+    self.city = Osuny::Sanitizer.sanitize(self.city, 'string')
+    self.country = Osuny::Sanitizer.sanitize(self.country, 'string')
+    self.identifier = Osuny::Sanitizer.sanitize(self.identifier, 'string')
+    self.invoice_amount = Osuny::Sanitizer.sanitize(self.invoice_amount, 'string')
+    self.mail_from_address = Osuny::Sanitizer.sanitize(self.mail_from_address, 'string')
+    self.mail_from_name = Osuny::Sanitizer.sanitize(self.mail_from_name, 'string')
+    self.name = Osuny::Sanitizer.sanitize(self.name, 'string')
+    self.sms_sender_name = Osuny::Sanitizer.sanitize(self.sms_sender_name, 'string')
+    self.sso_button_label = Osuny::Sanitizer.sanitize(self.sso_button_label, 'string')
+    self.zipcode = Osuny::Sanitizer.sanitize(self.zipcode, 'string')
+  end
+
   def destroy_remaining_blobs
     active_storage_blobs.delete_all
   end

app/models/university/person/experience.rb

@@ -25,6 +25,7 @@
 #  fk_rails_923d0b71fd  (university_id => universities.id)
 #
 class University::Person::Experience < ApplicationRecord
+  include Sanitizable
   include WithUniversity
 
   attr_accessor :organization_name

app/models/university/person/involvement.rb

@@ -25,6 +25,7 @@
 #  fk_rails_5c704f6338  (university_id => universities.id)
 #
 class University::Person::Involvement < ApplicationRecord
+  include Sanitizable
   include WithUniversity
   include WithPosition
 

app/models/university/role.rb

@@ -21,6 +21,7 @@
 #  fk_rails_8e52293a38  (university_id => universities.id)
 #
 class University::Role < ApplicationRecord
+  include Sanitizable
   include WithUniversity
   include WithPosition
 

app/models/user.rb

@@ -56,6 +56,8 @@
 #  fk_rails_bd6f7212a9  (university_id => universities.id)
 #
 class User < ApplicationRecord
+  # We don't include Sanitizable because too many complex attributes.
+  # The sanitization is handled in User::WithAuthentication's sanitize_fields method.
   include WithAdminTheme
   include WithAvatar
   include WithRegistrationContext