author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-07-10 13:48:03 +0300 |
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2013-07-10 13:48:03 +0300 |
commit | 223d26405128a64f624b78e7d4b03565d1e85a69 (patch) | |
tree | 860d35293e1c6dec0146bcbd066dfb7a1a263d49 | |
parent | 3dcc441916e3d51ea29e292d7446ac9a1a4787cb (diff) | |
download | gitlab-ce-223d26405128a64f624b78e7d4b03565d1e85a69.tar.gz |
Sanitize user attrs on model level
-rw-r--r-- | Gemfile | 3 | ||||
-rw-r--r-- | Gemfile.lock | 1 | ||||
-rw-r--r-- | app/controllers/profiles_controller.rb | 15 | ||||
-rw-r--r-- | app/models/user.rb | 10 |
4 files changed, 15 insertions, 14 deletions
@@ -118,6 +118,9 @@ gem "d3_rails", "~> 3.1.4" # underscore-rails gem "underscore-rails", "~> 1.4.4" +# Sanitize user input +gem "sanitize" + group :assets do gem "sass-rails" gem "coffee-rails" diff --git a/Gemfile.lock b/Gemfile.lock index 4866f9585d1..5d13837b61f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -610,6 +610,7 @@ DEPENDENCIES redcarpet (~> 2.2.2) redis-rails rspec-rails + sanitize sass-rails sdoc seed-fu diff --git a/app/controllers/profiles_controller.rb b/app/controllers/profiles_controller.rb index 686edd8af80..6fa635d0e36 100644 --- a/app/controllers/profiles_controller.rb +++ b/app/controllers/profiles_controller.rb @@ -17,7 +17,7 @@ class ProfilesController < ApplicationController end def update - if @user.update_attributes(user_attributes) + if @user.update_attributes(params[:user]) flash[:notice] = "Profile was successfully updated" else flash[:alert] = "Failed to update profile" @@ -69,19 +69,6 @@ class ProfilesController < ApplicationController @user = current_user end - def user_attributes - user_attributes = params[:user] - - # Sanitize user input because we dont have strict - # validation for this fields - %w(name skype linkedin twitter bio).each do |attr| - value = user_attributes[attr] - user_attributes[attr] = sanitize(strip_tags(value)) if value.present? - end - - user_attributes - end - def authorize_change_password! return render_404 if @user.ldap_user? end diff --git a/app/models/user.rb b/app/models/user.rb index 443ad565219..193349c95fc 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -114,7 +114,10 @@ class User < ActiveRecord::Base validate :namespace_uniq, if: ->(user) { user.username_changed? } before_validation :generate_password, on: :create + before_validation :sanitize_attrs + before_save :ensure_authentication_token + alias_attribute :private_token, :authentication_token delegate :path, to: :namespace, allow_nil: true, prefix: true 
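Review bot: `gem "sanitize"` is added without a version constraint, whereas the neighbouring entries in this hunk (`gem "underscore-rails", "~> 1.4.4"`) pin a pessimistic range. Gemfile.lock fixes the resolved version for now, but a later `bundle update` can move to a major release whose default whitelist or escaping behaviour differs from what User#sanitize_attrs was written against. Suggest `gem "sanitize", "~> <VERSION_FROM_GEMFILE_LOCK>"`, using the version the lockfile resolved in this commit.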
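Review bot: The `update` action in the first profiles_controller.rb hunk now hands `params[:user]` to `update_attributes` unfiltered, so which columns a user can set through the profile form rests entirely on the mass-assignment whitelist in `User`, which this diff does not show. The removed `user_attributes` helper did not filter keys either, so this is not a regression, but the commit message and the new model callback cover only HTML cleaning, not attribute scoping; confirm that `attr_accessible` (or its equivalent) on `User` lists exactly the profile fields. The body of `update` continues past the end of the hunk.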
@@ -356,4 +359,11 @@ class User < ActiveRecord::Base
 def created_by
 User.find_by_id(created_by_id) if created_by_id
 end
+
+ def sanitize_attrs
+ %w(name username skype linkedin twitter bio).each do |attr|
+ value = self.send(attr)
+ self.send("#{attr}=", Sanitize.clean(value)) if value.present?
+ end
+ end
 end |
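Review bot: `Sanitize.clean(value)` in the new `sanitize_attrs` returns text with `&`, `<` and `>` entity-encoded, if I recall the gem's default behaviour correctly, so a name like `Smith & Sons` would be stored as `Smith &amp; Sons`; because the callback runs on every validation, the stored `&amp;` would be re-encoded on the next save and ERB's own escaping would then display it double-encoded. Worth confirming against the installed gem version; if it holds, clean only attributes that changed in this save, `next unless send("#{attr}_changed?")`, so persisted values are not re-processed, and decide explicitly whether entity-encoded storage is what the views expect. `username` is also new to the list compared with the helper removed from ProfilesController (`name skype linkedin twitter bio`); since it feeds the namespace path, a format validation may be the better guard than HTML cleaning. `public_send` would be the idiomatic call for these attribute reads and writes.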