Merge pull request #76 from ElixirCLE/add-games-to-users

Serneum · web-flow · commit 62dd9329cb7f · 2018-03-11T22:14:06.000-04:00
Sanitize user names so they don't break pages
diff --git a/mix.exs b/mix.exs
@@ -41,6 +41,7 @@ defmodule Nermesterts.Mixfile do
      {:phoenix, "~> 1.2.0"},
      {:phoenix_ecto, "~> 3.0"},
      {:phoenix_html, "~> 2.6"},
+     {:phoenix_html_sanitizer, "~> 1.1"},
      {:phoenix_live_reload, "~> 1.0", only: :dev},
      {:phoenix_pubsub, "~> 1.0"},
      {:postgrex, ">= 0.0.0"},
diff --git a/mix.lock b/mix.lock
@@ -29,6 +29,7 @@
   "phoenix": {:hex, :phoenix, "1.2.4", "4172479b5e21806a5e4175b54820c239e0d4effb0b07912e631aa31213a05bae", [:mix], [{:cowboy, "~> 1.0", [hex: :cowboy, optional: true]}, {:phoenix_pubsub, "~> 1.0", [hex: :phoenix_pubsub, optional: false]}, {:plug, "~> 1.4 or ~> 1.3.3 or ~> 1.2.4 or ~> 1.1.8 or ~> 1.0.5", [hex: :plug, optional: false]}, {:poison, "~> 1.5 or ~> 2.0", [hex: :poison, optional: false]}]},
   "phoenix_ecto": {:hex, :phoenix_ecto, "3.2.3", "450c749876ff1de4a78fdb305a142a76817c77a1cd79aeca29e5fc9a6c630b26", [:mix], [{:ecto, "~> 2.1", [hex: :ecto, optional: false]}, {:phoenix_html, "~> 2.9", [hex: :phoenix_html, optional: true]}, {:plug, "~> 1.0", [hex: :plug, optional: false]}]},
   "phoenix_html": {:hex, :phoenix_html, "2.9.3", "1b5a2122cbf743aa242f54dced8a4f1cc778b8bd304f4b4c0043a6250c58e258", [:mix], [{:plug, "~> 1.0", [hex: :plug, optional: false]}]},
+  "phoenix_html_sanitizer": {:hex, :phoenix_html_sanitizer, "1.1.0", "ea9e1162217621208ba6b2951a24abe2c06b39347f65c22c31312f9f5ac0fa75", [:mix], [{:html_sanitize_ex, "~> 1.1", [hex: :html_sanitize_ex, optional: false]}, {:phoenix_html, "~> 2.0", [hex: :phoenix_html, optional: false]}]},
   "phoenix_live_reload": {:hex, :phoenix_live_reload, "1.0.8", "4333f9c74190f485a74866beff2f9304f069d53f047f5fbb0fb8d1ee4c495f73", [:mix], [{:fs, "~> 0.9.1", [hex: :fs, optional: false]}, {:phoenix, "~> 1.0 or ~> 1.2-rc", [hex: :phoenix, optional: false]}]},
   "phoenix_pubsub": {:hex, :phoenix_pubsub, "1.0.2", "bfa7fd52788b5eaa09cb51ff9fcad1d9edfeb68251add458523f839392f034c1", [:mix], []},
   "plug": {:hex, :plug, "1.3.5", "7503bfcd7091df2a9761ef8cecea666d1f2cc454cbbaf0afa0b6e259203b7031", [:mix], [{:cowboy, "~> 1.0.1 or ~> 1.1", [hex: :cowboy, optional: true]}, {:mime, "~> 1.0", [hex: :mime, optional: false]}]},
diff --git a/web/templates/layout/app.html.eex b/web/templates/layout/app.html.eex
@@ -23,7 +23,7 @@
             <li role="presentation"><%= link "Phrases", to: phrase_path(@conn, :index)%></li>
             <li role="presentation"><%= link "Games", to: game_path(@conn, :index)%></li>
             <li class="dropdown" role="presentation">
-            <a href="#" class="dropdown-toggle" data-toggle="dropdown"> <%= current_user_name(@conn) %> <span class="caret"></span></a>
+            <a href="#" class="dropdown-toggle" data-html="true" data-toggle="dropdown"> <%= sanitize(current_user_name(@conn)) %> <span class="caret"></span></a>
               <ul class="dropdown-menu">
                 <%= if logged_in?(@conn) do %>
                   <li><%= link "Edit", to: user_path(@conn, :edit, current_user(@conn))%></li>
diff --git a/web/templates/user/index.html.eex b/web/templates/user/index.html.eex
@@ -10,7 +10,7 @@
   <tbody>
   <%= for user <- @active_players do %>
     <tr>
-      <td><%= User.display_name(user) %></td>
+      <td><%= sanitize(User.display_name(user)) %></td>
 
       <td class="text-right">
         <%= if logged_in?(@conn) do %>
@@ -43,7 +43,7 @@
   <tbody>
 <%= for user <- @inactive_players do %>
     <tr>
-      <td><%= User.display_name(user) %></td>
+      <td><%= sanitize(User.display_name(user)) %></td>
 
       <td class="text-right">
         <%= if logged_in?(@conn) do %>
diff --git a/web/views/game_view.ex b/web/views/game_view.ex
@@ -17,7 +17,9 @@ defmodule Nermesterts.GameView do
   end
 
   defp generate_owner_list([user|users]) do
-    "<li>" <> User.display_name(user) <> "</li>" <> generate_owner_list(users)
+    {:safe, safe_name} = sanitize(User.display_name(user), :strip_tags)
+    {:safe, safe_name} = html_escape(safe_name)
+    "<li>" <> safe_name <> "</li>" <> generate_owner_list(users)
   end
   defp generate_owner_list([]) do
     ""
diff --git a/web/web.ex b/web/web.ex
@@ -51,6 +51,7 @@ defmodule Nermesterts.Web do
 
       # Use all HTML functionality (forms, tags, etc)
       use Phoenix.HTML
+      use PhoenixHtmlSanitizer, :basic_html
 
       import Nermesterts.Router.Helpers
       import Nermesterts.ErrorHelpers
