Le markdown est fait avant un sanitize, offrant plus de sécurité vis-à-vis des attaques XSS

This commit is contained in:
echarp 2014-07-07 11:33:07 +02:00
parent 54319565d6
commit 026aa24e8f
1 changed files with 8 additions and 8 deletions


@ -1,3 +1,7 @@
%h2
%em= @event.city + ':'
= @event.title
- if @event.persisted? && request.format == 'text/html' && controller.controller_name != 'moderations' && controller.controller_name != 'notes' && controller.action_name != 'edit' && controller.action_name != 'cancel' - if @event.persisted? && request.format == 'text/html' && controller.controller_name != 'moderations' && controller.controller_name != 'notes' && controller.action_name != 'edit' && controller.action_name != 'cancel'
#lug-list #lug-list
%h1=t '.lug-list' %h1=t '.lug-list'
@ -21,10 +25,6 @@
%em.fa.fa-thumbs-down %em.fa.fa-thumbs-down
=t '.cancel' =t '.cancel'
%h2
%em= @event.city + ':'
= @event.title
%h3=t '.dateAndPlace' %h3=t '.dateAndPlace'
%p %p
- if @event.same_day? - if @event.same_day?
@ -43,10 +43,10 @@
%h3=t '.description' %h3=t '.description'
.description .description
:markdown - markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
#{sanitize @event.description, = sanitize markdown.render(@event.description),
tags: %w(p br table tr td ul ol li a strong b em i img), tags: %w(p br table tr td ul ol li a strong b em i img),
attributes: %w(href src width height)} attributes: %w(href src width height)
%h3=t '.infos' %h3=t '.infos'
%p %p
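Review bot: On the new side of the last hunk, `markdown.render(@event.description)` is likely to raise when `description` is nil (Redcarpet expects a String), whereas the replaced `sanitize @event.description` tolerated a nil argument; passing `@event.description.to_s` keeps the partial rendering for events without a description. The markdown-then-sanitize order is the right fix, but the template now relies on `sanitize` rejecting unsafe URL schemes in the allowed `href`/`src` attributes; a short comment such as `-# render markdown first, then sanitize, so markdown-generated links and images go through the tag/attribute allowlist (including its protocol check)` would make that dependency explicit for the next maintainer. As a point of style, building a new `Redcarpet::Markdown` instance on every render of this view could move to a helper or a memoized constant, though that lives outside this hunk.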