Merge branch 'release/0.27-stable' into 0.27-canada

decidim-accountability/spec/requests/result_search_spec.rb

@@ -4,6 +4,7 @@
 
 RSpec.describe "Result search", type: :request do
   include Decidim::ComponentPathHelper
+  include Decidim::SanitizeHelper
 
   let(:component) { create :accountability_component }
   let(:participatory_space) { component.participatory_space }
@@ -59,8 +60,8 @@
     subject { response.body }
 
     it "displays all categories that have top-level results" do
-      expect(subject).to include(translated(result1.category.name))
-      expect(subject).to include(translated(result4.category.name))
+      expect(subject).to include(decidim_html_escape(translated(result1.category.name)))
+      expect(subject).to include(decidim_html_escape(translated(result4.category.name)))
     end
 
     it "does not display the categories that only have sub-results" do

decidim-core/app/cells/decidim/tags_cell.rb

@@ -9,6 +9,8 @@ module Decidim
   #   <%= cell("decidim/category", model.category, context: {resource: model}) %>
   #
   class TagsCell < Decidim::ViewModel
+    include Decidim::SanitizeHelper
+
     def show
       render if category? || scope?
     end
@@ -51,7 +53,7 @@ def link_to_category
     end
 
     def category_name
-      model.category.translated_name
+      decidim_html_escape model.category.translated_name
     end
 
     def category_path

decidim-core/app/helpers/decidim/check_boxes_tree_helper.rb

@@ -50,20 +50,20 @@ def filter_categories_values
       organization = current_participatory_space.organization
 
       sorted_main_categories = current_participatory_space.categories.first_class.includes(:subcategories).sort_by do |category|
-        [category.weight, translated_attribute(category.name, organization)]
+        [category.weight, decidim_html_escape(translated_attribute(category.name, organization))]
       end
 
       categories_values = sorted_main_categories.flat_map do |category|
         sorted_descendant_categories = category.descendants.includes(:subcategories).sort_by do |subcategory|
-          [subcategory.weight, translated_attribute(subcategory.name, organization)]
+          [subcategory.weight, decidim_html_escape(translated_attribute(subcategory.name, organization))]
         end
 
         subcategories = sorted_descendant_categories.flat_map do |subcategory|
-          TreePoint.new(subcategory.id.to_s, translated_attribute(subcategory.name, organization))
+          TreePoint.new(subcategory.id.to_s, decidim_html_escape(translated_attribute(subcategory.name, organization)))
         end
 
         TreeNode.new(
-          TreePoint.new(category.id.to_s, translated_attribute(category.name, organization)),
+          TreePoint.new(category.id.to_s, decidim_html_escape(translated_attribute(category.name, organization))),
           subcategories
         )
       end

decidim-core/lib/decidim/core/test/factories.rb

@@ -54,7 +54,17 @@ def generate_localized_title
   end
 
   factory :category, class: "Decidim::Category" do
-    name { generate_localized_title }
+    transient do
+      skip_injection { false }
+    end
+
+    name do
+      if skip_injection
+        Decidim::Faker::Localized.localized { generate(:title) }
+      else
+        Decidim::Faker::Localized.localized { "<script>alert(\"category name\");</script> #{generate(:title)}" }
+      end
+    end
     description { Decidim::Faker::Localized.wrapped("<p>", "</p>") { generate_localized_title } }
     weight { 0 }
 

decidim-core/spec/cells/decidim/tags_cell_spec.rb

@@ -87,6 +87,15 @@
       expect(html).to have_content(translated(category.name))
     end
 
+    it "sanitizes the category" do
+      name = %(Category a<img src=x onerror=alert(8) >"a)
+      custom_category = create(:category, participatory_space: participatory_space, name: { "en" => name })
+      proposal_categorized.category = custom_category
+      html = cell("decidim/tags", proposal_categorized, context: { extra_classes: ["tags--proposal"] }).call
+      expect(html).to have_css(".tags.tags--proposal")
+      expect(html).to have_content(name)
+    end
+
     it "renders the correct filtering link" do
       html = cell("decidim/tags", proposal_categorized, context: { extra_classes: ["tags--proposal"] }).call
       path = Decidim::ResourceLocatorPresenter.new(proposal_categorized).index

decidim-proposals/app/cells/decidim/proposals/proposal_tags/show.erb

@@ -3,8 +3,8 @@
     <% if category.present? %>
       <li>
         <%= link_to resource_locator(model).index(filter: { with_any_category: [category.id.to_s] }), title: t("decidim.tags.filter_results_for_category", resource: translated_attribute(category.name)) do %>
-          <span class="show-for-sr"><%= t "decidim.tags.filter_results_for_category", resource: translated_attribute(category.name) %></span>
-          <span aria-hidden="true"><%= translated_attribute(category.name) %></span>
+          <span class="show-for-sr"><%= t "decidim.tags.filter_results_for_category", resource: decidim_html_escape(translated_attribute(category.name)) %></span>
+          <span aria-hidden="true"><%= decidim_html_escape(translated_attribute(category.name)) %></span>
         <% end %>
         <% if previous_category.present? && show_previous_category? %>
           &nbsp;

decidim-proposals/config/locales/en.yml

@@ -12,6 +12,8 @@ en:
         state: State
         title: Title
         user_group_id: Create collaborative draft as
+      import_participatory_text:
+        document: Participatory text document
       proposal:
         address: Address
         answer: Answer