Le markdown est fait avant un sanitize, offrant plus de sécurité vis a vis des attaques xss

2014-07-07 11:33:07 +02:00 · 2014-07-07 11:33:07 +02:00 · 026aa24e8f
commit 026aa24e8f
parent 54319565d6
1 changed files with 8 additions and 8 deletions
--- a/app/views/events/show.html.haml
+++ b/app/views/events/show.html.haml
@ -1,3 +1,7 @@
+%h2
+  %em= @event.city + ':'
+  = @event.title
+
 - if @event.persisted? && request.format == 'text/html' && controller.controller_name != 'moderations' && controller.controller_name != 'notes' && controller.action_name != 'edit' && controller.action_name != 'cancel'
  #lug-list
    %h1=t '.lug-list'
@ -21,10 +25,6 @@
          %em.fa.fa-thumbs-down
          =t '.cancel'

-%h2
-  %em= @event.city + ':'
-  = @event.title
-
 %h3=t '.dateAndPlace'
 %p
  - if @event.same_day?
@ -43,10 +43,10 @@

 %h3=t '.description'
 .description
-  :markdown
-    #{sanitize @event.description,
-      tags: %w(p br table tr td ul ol li a strong b em i img),
-      attributes: %w(href src width height)}
+  - markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
+  = sanitize markdown.render(@event.description),
+    tags: %w(p br table tr td ul ol li a strong b em i img),
+    attributes: %w(href src width height)

 %h3=t '.infos'
 %p