From 49fdccbb1d5385cf7534d44b351b4ba0095876ab Mon Sep 17 00:00:00 2001
From: Renato Atilio
Date: Fri, 14 Jun 2024 11:39:43 -0300
Subject: [PATCH] FIX: restrict a href protocols on form template description (#27472)
---
 lib/validators/form_template_yaml_validator.rb | 12 +++++++++++-
 .../form_template_yaml_validator_spec.rb | 17 +++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/lib/validators/form_template_yaml_validator.rb b/lib/validators/form_template_yaml_validator.rb
index 6d8e769a30f..15a1c127624 100644
--- a/lib/validators/form_template_yaml_validator.rb
+++ b/lib/validators/form_template_yaml_validator.rb
@@ -3,7 +3,17 @@ class FormTemplateYamlValidator < ActiveModel::Validator
 RESERVED_KEYWORDS = %w[title body category category_id tags]
 ALLOWED_TYPES = %w[checkbox dropdown input multi-select textarea upload]
- HTML_SANITIZATION_OPTIONS = { elements: ["a"], attributes: { "a" => %w[href target] } }
+ HTML_SANITIZATION_OPTIONS = {
+ elements: ["a"],
+ attributes: {
+ "a" => %w[href target],
+ },
+ protocols: {
+ "a" => {
+ "href" => %w[http https mailto],
+ },
+ },
+ }
 def validate(record)
 begin
diff --git a/spec/lib/validators/form_template_yaml_validator_spec.rb b/spec/lib/validators/form_template_yaml_validator_spec.rb
index b253fc3fb3d..af368eb8841 100644
--- a/spec/lib/validators/form_template_yaml_validator_spec.rb
+++ b/spec/lib/validators/form_template_yaml_validator_spec.rb
@@ -136,6 +136,23 @@ RSpec.describe FormTemplateYamlValidator, type: :validator do
 )
 end
 end
+
+ context "when description field has unsafe anchor href" do
+ let(:yaml_content) { <<~YAML }
+ - type: input
+ id: name
+ attributes:
+ label: "Full name"
+ description: "What is your full name? Details here."
+ YAML
+
+ it "adds a validation error" do
+ validator.validate(form_template)
+ expect(form_template.errors[:template]).to include(
+ I18n.t("form_templates.errors.unsafe_description"),
+ )
+ end
+ end
 end
 describe "#check_ids" do
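Review bot: The new `protocols` allowlist `"href" => %w[http https mailto]` also rejects scheme-less hrefs, so a description that links to a same-site path (a relative `/t/...` link, say) will now be flagged exactly like a link with a disallowed scheme, presumably because the validator compares the sanitized fragment against the original — that comparison lies outside this hunk, so this is inferred. If relative links are meant to stay usable in descriptions, the Sanitize gem accepts a `:relative` marker alongside the scheme names, e.g. `"href" => ["http", "https", "mailto", :relative],`; if rejecting them is intentional, a short comment on the `protocols` key saying so (`# no :relative on purpose — descriptions must link with an explicit scheme`) would stop the next maintainer from "fixing" it. The `validate` method whose `begin` appears at the bottom of the hunk continues outside it.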
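Review bot: The new context only pins the rejection path, so nothing would catch the allowlist becoming too strict; a sibling example whose description links via `https:` or `mailto:` and expects `form_template.errors[:template]` not to include `I18n.t("form_templates.errors.unsafe_description")` would cover the other half of the change. As rendered here the fixture line `description: "What is your full name? Details here."` carries no anchor at all, so the context title "has unsafe anchor href" does not match the visible YAML — most likely the `<a>` markup was stripped in transport, but it is worth confirming the committed spec really contains the disallowed href, otherwise the example passes or fails for an unrelated reason. The enclosing `RSpec.describe` block starts and ends outside the hunk.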