DEV: Sanitize HTML admin inputs (#14681)

* DEV: Sanitize HTML admin inputs This PR adds on-save HTML sanitization for: Client site settings translation overrides badges descriptions user fields descriptions I used Rails's SafeListSanitizer, which [accepts the following HTML tags and attributes](018cf54073/lib/rails/html/sanitizer.rb (L108)) * Make sure that the sanitization logic doesn't corrupt settings with special characters
2025-06-06 03:06:53 +08:00 · 2021-10-27 11:33:07 -03:00
parent 184ccf4490
commit df3eb93973
10 changed files with 104 additions and 10 deletions
--- a/spec/models/site_setting_spec.rb
+++ b/spec/models/site_setting_spec.rb
@ -204,4 +204,22 @@ describe SiteSetting do
      expect(SiteSetting.blocked_attachment_filenames_regex).to eq(/foo|bar/)
    end
  end
+
+  it 'sanitizes the client settings when they are overridden' do
+    xss = "<b onmouseover=alert('Wufff!')>click me!</b><script>alert('TEST');</script>"
+
+    SiteSetting.global_notice = xss
+
+    expect(SiteSetting.global_notice).to eq("<b>click me!</b>alert('TEST');")
+  end
+
+  it "doesn't corrupt site settings with special characters" do
+    value = 'OX5y3Oljb+Qt9Bu809vsBQ==<>!%{}*&!@#$%..._-A'
+    settings = new_settings(SiteSettings::LocalProcessProvider.new)
+    settings.setting(:test_setting, '', client: true)
+
+    settings.test_setting = value
+
+    expect(settings.test_setting).to eq(value)
+  end
 end