
LIBTD-1424: HTML Sanitizer on Input Fields Prior to Entering Data to DB or Fedora

Janice J Kim requested to merge LIBTD-1424 into dev

JIRA Ticket: https://webapps.es.vt.edu/jira/browse/LIBTD-1424

What does this Pull Request do?

For this PR, I've added tinymce for the form input on a work's description, program notes, and technical specs. The user profile's personal statement and the collection's description have been modified as well. This is one step to add "due diligence" security to COMPEL, while also allowing the user some freedom to stylize their works and profile.

See the Jira ticket for more information.

What are the changes?

For this PR, I've added tinymce for the form input on a work's description, program notes, and technical specs. The user profile's personal statement and the collection's description have been modified as well. I carried over and modified the _head_tag_content.html.erb from the Hyrax 2.1.0 gem to allow for using tinymce without administrative privileges.

How should this be tested?

One way of testing this out would be to create both a Performance work and a Composition work, adding stylized content for the modified fields. Also, attempt to modify your user's personal statement. Finally, create a collection with a description. If the styles come out as expected and potentially malicious code is not allowed (e.g. ), then it should be working as expected. You may need to use the rails and fedora consoles to see if the values are actually stored as expected. [Edit: One clarification: the potentially malicious tags should still be visible, but not rendered as HTML.]

Additional Notes:

  • I'm not a security expert, but this seemed like one approach to adding security without detracting from user experience. This should be considered while reviewing this PR.
  • Use the LIBTD-1424 branch for testing

Interested parties

@whunter @tingtingjh
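The test expectation stated above (formatting tags from the editor survive, anything else stays visible as text but is never rendered) is the behaviour of an allowlist sanitizer. The block below is an added example written for this review, not COMPEL, Hyrax or the PR's own code, and the `AllowlistSanitizer` module, its tag and attribute policy and the sample input are assumptions for illustration. In a Rails application the built-in `sanitize` view helper (rails-html-sanitizer) is the production choice; this stdlib-only version exists so the escape-versus-strip behaviour can be checked without the gem, including the edge cases a reviewer would probe: event-handler attributes, `javascript:` hrefs and uppercase tag names.

```ruby
# Added example, not project code: allowlist sanitizer that keeps a small set
# of formatting tags and HTML-escapes every other tag, so e.g. <script> is shown
# as literal text rather than executed. Policy and names are hypothetical.
require "cgi"

module AllowlistSanitizer
  # Tags a TinyMCE-style editor would emit for basic styling (assumed policy).
  ALLOWED_TAGS  = %w[p br b i u em strong ul ol li a].freeze
  # Attributes permitted per tag; everything else (onclick, style, ...) is dropped.
  ALLOWED_ATTRS = { "a" => %w[href] }.freeze
  # Only these URL schemes may appear in href, blocking javascript:/data: links.
  SAFE_HREF = %r{\A(?:https?://|mailto:|/)}i

  TAG_RE  = %r{<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>}
  ATTR_RE = /([A-Za-z][A-Za-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  # Walk the input tag by tag: text between tags is always escaped, allowed tags
  # are rebuilt from scratch with only allowed attributes, disallowed tags are
  # escaped so they remain visible but inert.
  def self.sanitize(html)
    out = +""
    pos = 0
    while (m = TAG_RE.match(html, pos))
      out << CGI.escapeHTML(html[pos...m.begin(0)])
      out << rebuild_tag(m)
      pos = m.end(0)
    end
    out << CGI.escapeHTML(html[pos..-1])
    out
  end

  def self.rebuild_tag(m)
    closing, name, raw_attrs = m[1], m[2].downcase, m[3]
    # Not on the allowlist: escape the whole tag so it renders as text.
    return CGI.escapeHTML(m[0]) unless ALLOWED_TAGS.include?(name)
    return "</#{name}>" if closing == "/"

    attrs = raw_attrs.scan(ATTR_RE).map do |key, dq, sq, bare|
      key   = key.downcase
      value = dq || sq || bare
      next nil unless (ALLOWED_ATTRS[name] || []).include?(key)
      next nil if key == "href" && value !~ SAFE_HREF
      %( #{key}="#{CGI.escapeHTML(value)}")
    end.compact
    "<#{name}#{attrs.join}>"
  end
end

# Constructed sample of what a user might submit through the editor.
SAMPLE_INPUT = <<~HTML
  <p>Premiered <b>2019</b> at <a href="https://example.org/">Example Hall</a>.</p>
  <SCRIPT>alert(document.cookie)</SCRIPT>
  <img src=x onerror=alert(1)>
  <b onclick="steal()">notes</b>
HTML

puts AllowlistSanitizer.sanitize(SAMPLE_INPUT) if $PROGRAM_NAME == __FILE__
```

Run it against the sample and the `<SCRIPT>` and `<img>` tags come back as `&lt;...&gt;` text, the `onclick` handler is dropped from the surviving `<b>`, and the `https://` link keeps its href. The same check is what to look for in the rails and fedora consoles: stored values should contain escaped entities for disallowed tags, never the raw tag.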
