Merge pull request #99 from DigitalNZ/tw/site-notice-xss

boost-tim · web-flow · commit 6cdbf9e54747 · 2025-07-08T15:12:29.000+12:00
Updated ruby version and added sanitize blocks
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-3.0.3
+3.1.4
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -167,6 +167,8 @@ GEM
     pry-rails (0.3.9)
       pry (>= 0.10.4)
     public_suffix (5.0.1)
+    puma (6.6.0)
+      nio4r (~> 2.0)
     racc (1.7.1)
     rack (2.2.7)
     rack-test (2.1.0)
@@ -273,6 +275,7 @@ GEM
 
 PLATFORMS
   arm64-darwin-23
+  arm64-darwin-24
   x86_64-darwin-19
   x86_64-darwin-22
   x86_64-linux
@@ -283,6 +286,7 @@ DEPENDENCIES
   plug!
   pry-byebug
   pry-rails
+  puma
   rails-controller-testing
   rspec-rails
   rubocop
diff --git a/app/views/plug/features/index.html.haml b/app/views/plug/features/index.html.haml
@@ -30,8 +30,8 @@
       %tbody
         - @features.each do |feature|
           %tr
-            %td= link_to feature.name, edit_feature_path(feature), class: 'strong'
-            %td= feature.description
+            %td= link_to sanitize(feature.name), edit_feature_path(feature), class: 'strong'
+            %td= sanitize(feature.description)
             %td= feature.slug
             %td{ width: 150, align: 'center' }
               - if feature.state == 'enabled'
diff --git a/app/views/plug/site_notices/index.html.haml b/app/views/plug/site_notices/index.html.haml
@@ -26,8 +26,8 @@
       %tbody
         - @site_notices.each do |site_notice|
           %tr
-            %td= link_to site_notice.name, edit_site_notice_path(site_notice), class: 'strong'
-            %td= site_notice.notice.html_safe
+            %td= link_to sanitize(site_notice.name), edit_site_notice_path(site_notice), class: 'strong'
+            %td= sanitize(site_notice.notice.html_safe)
             %td= site_notice.slug
             %td{ width: 150, align: 'center' }
               - if site_notice.state == 'enabled'
diff --git a/plug.gemspec b/plug.gemspec
@@ -25,6 +25,7 @@ Gem::Specification.new do |s|
 
   s.add_development_dependency 'capybara'
   s.add_development_dependency 'factory_bot_rails'
+  s.add_development_dependency 'puma'
   s.add_development_dependency 'rails-controller-testing'
   s.add_development_dependency 'rspec-rails'
   s.add_development_dependency 'selenium-webdriver'
