Fix form initiatives (#600)

* fix: XSS vulnerability with img on initiative form and model * test: add tests for new validation * docs: update overrides section * fix: interference from added extends with migration * style: update with rubocop * fix: ActiveRecord::NoDatabaseError * fix: trying to fix again interference * fix: update initiative fomr extends and modify admin initiative controller * refactor: update with rubocop * fix: validation in initiative_form extends and update test * docs: update overrides section in overloads.md * fix: Update OVERLOADS.md --------- Co-authored-by: Quentin Champenois <[email protected]>
OpenSourcePolitics · Oct 9, 2024 · 7f820f1 · 7f820f1
1 parent c89380d
commit 7f820f1
Show file tree

Hide file tree

Showing 6 changed files with 710 additions and 1 deletion.
diff --git a/OVERLOADS.md b/OVERLOADS.md
@@ -11,6 +11,10 @@ This override the default `AssembliesHelpler` from `decidim-assemblies`, by addi
 * `app/controllers/decidim/participatory_processes/participatory_processes_controller.rb`
 This override the default `ParticipatoryProcessesController` from `decidim-participatory_processes`, by adding custom sort for participatory_processes
 
+## Initiative form
+* `lib/extends/forms/decidim/initiatives/initiative_form_extends.rb`
+This adds a validation to form's description.
+
 ## Proposal's draft (Decidim awesome overrides 0.26.7)
 * `app/views/decidim/proposals/collaborative_drafts/_edit_form_fields.html.erb`
 

diff --git a/app/controllers/decidim/initiatives/admin/initiatives_controller.rb b/app/controllers/decidim/initiatives/admin/initiatives_controller.rb
@@ -34,6 +34,8 @@ def edit
                     initiative: current_initiative
                   )
           @form.attachment = form_attachment_model
+          # "sanitize" the translated description, if the value is a hash (for machine_translation key) we don't modify it
+          @form.description.transform_values! { |v| v.instance_of?(String) ? v.gsub(/on\w+=("|')/, "nothing") : v }
 
           render layout: "decidim/admin/initiative"
         end

diff --git a/config/application.rb b/config/application.rb
@@ -37,7 +37,6 @@ class Application < Rails::Application
     # Application configuration can go into files in config/initializers
     # -- all .rb files in that directory are automatically loaded after loading
     # the framework and any gems in your application.
-
     config.to_prepare do
       require "extends/helpers/decidim/forms/application_helper_extends"
       require "extends/cells/decidim/forms/step_navigation_cell_extends"
@@ -57,6 +56,7 @@ class Application < Rails::Application
       require "extends/controllers/decidim/newsletters_controller_extends"
       require "extends/commands/decidim/admin/destroy_participatory_space_private_user_extends"
       require "extends/controllers/decidim/proposals/proposals_controller_extends"
+      require "extends/forms/decidim/initiatives/initiative_form_extends"
 
       Decidim::GraphiQL::Rails.config.tap do |config|
         config.initial_query = "{\n  deployment {\n    version\n    branch\n    remote\n    upToDate\n    currentCommit\n    latestCommit\n    locallyModified\n  }\n}".html_safe

diff --git a/lib/extends/forms/decidim/initiatives/initiative_form_extends.rb b/lib/extends/forms/decidim/initiatives/initiative_form_extends.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module NoAdminInitiativeFormExtends
+  extend ActiveSupport::Concern
+
+  included do
+    validate :no_javascript_event_in_description
+
+    private
+
+    def no_javascript_event_in_description
+      errors.add :description, :invalid if description =~ /on\w+=/
+    end
+  end
+end
+
+Decidim::Initiatives::InitiativeForm.include(NoAdminInitiativeFormExtends)