Le markdown est fait avant un sanitize, offrant plus de sécurité vis a vis des attaques xss

This commit is contained in:
echarp 2014-07-07 11:33:07 +02:00
parent 54319565d6
commit 026aa24e8f

View File

@ -1,3 +1,7 @@
%h2
%em= @event.city + ':'
= @event.title
- if @event.persisted? && request.format == 'text/html' && controller.controller_name != 'moderations' && controller.controller_name != 'notes' && controller.action_name != 'edit' && controller.action_name != 'cancel'
#lug-list
%h1=t '.lug-list'
@ -21,10 +25,6 @@
%em.fa.fa-thumbs-down
=t '.cancel'
%h2
%em= @event.city + ':'
= @event.title
%h3=t '.dateAndPlace'
%p
- if @event.same_day?
@ -43,10 +43,10 @@
%h3=t '.description'
.description
:markdown
#{sanitize @event.description,
- markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML, autolink: true, tables: true)
= sanitize markdown.render(@event.description),
tags: %w(p br table tr td ul ol li a strong b em i img),
attributes: %w(href src width height)}
attributes: %w(href src width height)
%h3=t '.infos'
%p