FIX xss bug

2019-11-13 16:43:34 +08:00 · 2019-11-13 16:43:34 +08:00 · 6c1a74240b
parent d501415da4
commit 6c1a74240b
2 changed files with 3 additions and 3 deletions
--- a/app/views/projects/show.html.erb
+++ b/app/views/projects/show.html.erb
@ -5,7 +5,7 @@
  <% if @project.description.blank? %>
      <p style="padding-top:5px;font-size:20px;font-weight:bold;"><%= @project.name %></p>
  <% else %>
-      <p style="padding-top:5px"><%= h @project.description.html_safe %></p>
+      <p style="padding-top:5px"><%= sanitize @project.description %></p>
  <% end %>
  </div>
 </div>
@ -40,4 +40,4 @@
 </div>
 <script>
 autoUrl('project_description_code');
-</script>
+</script>
--- a/app/views/users/_projects_list.html.erb
+++ b/app/views/users/_projects_list.html.erb
@ -10,7 +10,7 @@
          <span class="typeTag"><%= project.project_language&.name %></span>
        </span>
      </p>
-      <p class="c_grey02 f14"><%= project.description.html_safe %></p>
+      <p class="c_grey02 f14"><%= sanitize project.description %></p>
    </div>
  </li>
 <% end %>