[#4793] Public body name encoding in followups_controller.rb is inconsistent #7186
Relevant issue(s)
Fixes #4793
What does this do?
This patch makes the authority_name parameter in get_login_params HTML-safe, to prevent apostrophes from being displayed in raw HTML format when output is passed through the application controller.
Why was this needed?
Currently, Alaveteli is rendering the public body name on followup links, where a user has had to authenticate themselves, in a peculiar way. This resolves the issue by ensuring that information we are passing in parameters is appropriately sanitised.
Implementation notes
The proposed fix is simple, almost deceptively so - it follows the format used in the related outgoing mailer, and works in development.
Output from console:
Prior to fix
PostRedirect Create (2.1ms) INSERT INTO "post_redirects" ("token", "uri", "post_params_yaml", "created_at", "updated_at", "email_token", "reason_params_yaml") VALUES ($1, $2, $3, $4, $5, $6, $7) RETURNING "id" [["token", "lir1ci3sf16tgyn9dz0"], ["uri", "/request/118/followups/new/32"], ["post_params_yaml", "--- !ruby/object:ActionController::Parameters\nparameters: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n controller: followups\n action: new\n request_id: '118'\n incoming_message_id: '32'\npermitted: false\n"], ["created_at", "2022-07-23 16:25:21.391941"], ["updated_at", "2022-07-23 16:25:21.391941"], ["email_token", "e3ein3t7nw9ciluqz2y"], ["reason_params_yaml", "---\n:web: To send a follow up message to Information Commissioner's Office\n:email: Then you can write follow up message to Information Commissioner's Office.\n:email_subject: Write your FOI follow up message to Information Commissioner's\n Office\n:user_name: Joe Admin\n:user_url: [redacted]/user/joe_admin\n"]]
Note: authority_name (written in 'web') is
Information Commissioner's\n Office
After applying the fix
PostRedirect Create (0.7ms) INSERT INTO "post_redirects" ("token", "uri", "post_params_yaml", "created_at", "updated_at", "email_token", "reason_params_yaml") VALUES ($1, $2, $3, $4, $5, $6, $7) RETURNING "id" [["token", "cydi3si43p66xmft587"], ["uri", "/request/118/followups/new/32"], ["post_params_yaml", "--- !ruby/object:ActionController::Parameters\nparameters: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n controller: followups\n action: new\n request_id: '118'\n incoming_message_id: '32'\npermitted: false\n"], ["created_at", "2022-07-23 17:45:07.169448"], ["updated_at", "2022-07-23 17:45:07.169448"], ["email_token", "fz53xxu39vsfxtgw8p5"], ["reason_params_yaml", "---\n:web: To send a follow up message to Information Commissioner's Office\n:email: Then you can write follow up message to Information Commissioner's Office.\n:email_subject: Write your FOI follow up message to Information Commissioner's Office\n:user_name: Joe Admin\n:user_url: [redacted]/user/joe_admin\n"]]
Note: authority_name (written in 'web') is
Information Commissioner's Office
Screenshots
Prior to fix
After applying the fix
Notes to reviewer
Nothing particular to note
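Added illustration of the escaping behaviour the PR description refers to (not code from this PR or from Alaveteli): the "peculiar" rendering comes from escaping the authority name once when the message is built and again at output, so the apostrophe reaches the user as a literal entity. Rails' SafeBuffer is modelled with Ruby's stdlib ERB::Util and a small TrustedString wrapper; the helper names and the sample value are assumptions, and the last two helpers show the check a reviewer wants when a value is marked safe.

```ruby
require "erb"

# Constructed sample value, matching the name seen in the console output above.
AUTHORITY = "Information Commissioner's Office"

# Models a view layer that escapes whatever it is handed (like ERB's <%= %>).
def render(text)
  ERB::Util.html_escape(text)
end

# Buggy path: the name is escaped when the message is built and the whole
# message is escaped again on output, so "'" is shown as the text "&#39;".
def double_escaped_message(name)
  message = "To send a follow up message to #{ERB::Util.html_escape(name)}"
  render(message)
end

# Fixed path: compose from the raw name and escape exactly once at output.
# The apostrophe becomes "&#39;", which the browser displays as "'".
def single_escaped_message(name)
  message = "To send a follow up message to #{name}"
  render(message)
end

# Marking a value safe (what html_safe does in Rails) tells the renderer to
# pass it through untouched. Modelled with a marker subclass so the
# consequence is visible: markup inside the name is emitted verbatim.
class TrustedString < String; end

def render_trusting(text)
  text.is_a?(TrustedString) ? text.to_s : ERB::Util.html_escape(text)
end

def trusted_message(name)
  render_trusting(TrustedString.new("To send a follow up message to #{name}"))
end

# Reviewer check: for a value that is marked safe, confirm that a name
# containing markup cannot come back verbatim in the rendered output.
def markup_survives?(rendered, name)
  rendered.include?(name)
end
```

The first two helpers reproduce the before/after of the fix; the trusted path shows why a value should only be marked safe when its source (here, admin-managed public body names) is itself trusted.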