otwcode · brianjaustin · Mar 24, 2024 · Jan 20, 2024 · Jan 20, 2024 · Jan 20, 2024
diff --git a/app/models/feedback_reporters/abuse_reporter.rb b/app/models/feedback_reporters/abuse_reporter.rb
@@ -30,6 +30,8 @@ def subject
   end
 
   def ticket_description
-    description.present? ? description.html_safe : "No comment submitted."
+    return "No comment submitted." if description.blank?
+
+    strip_images(description.html_safe)
   end
 end
diff --git a/app/models/feedback_reporters/support_reporter.rb b/app/models/feedback_reporters/support_reporter.rb
@@ -31,6 +31,8 @@ def subject
   end
 
   def ticket_description
-    description.present? ? description.html_safe : "No description submitted."
+    return "No description submitted." if description.blank?
+
+    strip_images(description.html_safe)
   end
 end
diff --git a/app/views/admin/banners/_banner.html.erb b/app/views/admin/banners/_banner.html.erb
@@ -2,6 +2,6 @@
 <% # don't forget to update layouts/banner! %>
 <div class="<%= admin_banner.banner_type %> announcement group">
   <blockquote class="userstuff">
-    <%=raw sanitize_field(admin_banner, :content) %>
+    <%= raw strip_images(sanitize_field(admin_banner, :content)) %>
   </blockquote>
 </div>
diff --git a/app/views/bookmarks/_bookmark_blurb_short.html.erb b/app/views/bookmarks/_bookmark_blurb_short.html.erb
@@ -28,10 +28,10 @@
     </ul>
   <% end %>
   <!--notes-->
-  <% unless bookmark.bookmarker_notes.blank? %>
+  <% if bookmark.bookmarker_notes.present? %>
     <h6 class="landmark heading"><%= ts("Bookmark Notes:") %></h6>
     <blockquote class="userstuff summary">
-      <%=raw sanitize_field(bookmark, :bookmarker_notes) %>
+      <%= raw strip_images(sanitize_field(bookmark, :bookmarker_notes)) %>
     </blockquote>
   <% end %>
   <!--actions-->

diff --git a/app/views/bookmarks/_bookmark_user_module.html.erb b/app/views/bookmarks/_bookmark_user_module.html.erb
@@ -45,10 +45,10 @@
     <% end %>
 
     <!--notes-->
-    <% unless bookmark.bookmarker_notes.blank? %>
+    <% if bookmark.bookmarker_notes.present? %>
       <h6 class="landmark heading"><%= ts('Bookmarker\'s Notes') %></h6>
       <blockquote class="userstuff notes">
-        <%=raw sanitize_field(bookmark, :bookmarker_notes) %>
+        <%= raw strip_images(sanitize_field(bookmark, :bookmarker_notes)) %>
       </blockquote>
     <% end %>
     <% # end of information added by the bookmark owner %>

diff --git a/app/views/comments/_single_comment.html.erb b/app/views/comments/_single_comment.html.erb
@@ -53,7 +53,13 @@
         <% if single_comment.hidden_by_admin? %>
           <p class="notice"><%= ts("This comment has been hidden by an admin.") %></p>
         <% end %>
-        <blockquote class="userstuff"><%=raw sanitize_field(single_comment, :comment_content) %></blockquote>
+        <blockquote class="userstuff">
+          <% if single_comment.ultimate_parent.is_a?(AdminPost) %>
+            <%= raw strip_images(sanitize_field(single_comment, :comment_content)) %>
+          <% else %>
+            <%= raw sanitize_field(single_comment, :comment_content) %>
+          <% end %>
+        </blockquote>
         <% unless single_comment.edited_at.blank? %>
           <p class="edited datetime">
             <%= ts("Last Edited") %> <%= time_in_zone(single_comment.edited_at) %>

diff --git a/app/views/layouts/_banner.html.erb b/app/views/layouts/_banner.html.erb
@@ -1,25 +1,22 @@
-<% # BACK END this seems giant and messy and confusing, pls can we review? 
-   # FRONT END yes let us rewrite this
-%>
-<% unless current_user && current_user.try(:preference).try(:banner_seen) %>
-<% if @admin_banner && @admin_banner.active? %>
-<% unless current_user.nil? && session[:hide_banner] %>
-  <div class="<%= @admin_banner.banner_type %> announcement group" id="admin-banner">
-    <blockquote class="userstuff">
-      <%=raw sanitize_field(@admin_banner, :content) %>
-    </blockquote>
-    <% if current_user.nil? %>
-      <p class="submit">
-        <%= link_to "&times;".html_safe, current_path_with(hide_banner: true), :class => 'showme action', :title => ts("hide banner") %>
-      </p>
-    <% else %>
-      <%= form_tag end_banner_user_path(current_user), :method => :post, :remote => true do %>
+<%# BACK END this seems giant and messy and confusing, pls can we review?
+  # FRONT END yes let us rewrite this %>
+<% if @admin_banner&.active? %>
+  <% unless session[:hide_banner] || current_user&.preference&.banner_seen %>
+    <div class="<%= @admin_banner.banner_type %> announcement group" id="admin-banner">
+      <blockquote class="userstuff">
+        <%= raw strip_images(sanitize_field(@admin_banner, :content)) %>
+      </blockquote>
+      <% if current_user.nil? %>
         <p class="submit">
-          <%= submit_tag "&times;".html_safe, :title => ts("hide banner") %>
+          <%= link_to "&times;".html_safe, current_path_with(hide_banner: true), class: "showme action", title: ts("hide banner") %>
         </p>
+      <% else %>
+        <%= form_tag end_banner_user_path(current_user), method: :post, remote: true do %>
+          <p class="submit">
+            <%= submit_tag "&times;".html_safe, title: ts("hide banner") %>
+          </p>
+        <% end %>
       <% end %>
-    <% end %>
-  </div>
-<% end %>
-<% end %>
+    </div>
+  <% end %>
 <% end %>
diff --git a/app/views/pseuds/_pseud_module.html.erb b/app/views/pseuds/_pseud_module.html.erb
@@ -11,8 +11,8 @@
     <%= icon_display(pseud.user, pseud) %>
   </div>
 </div>
-<% unless pseud.description.blank? %>
+<% if pseud.description.present? %>
   <blockquote class="userstuff">
-    <%=raw sanitize_field(pseud, :description) %>
+    <%=raw strip_images(sanitize_field(pseud, :description)) %>
   </blockquote>
 <% end %>
diff --git a/app/views/share/_embed_meta_bookmark.erb b/app/views/share/_embed_meta_bookmark.erb
@@ -5,6 +5,6 @@
 <% end %>
 <% if bookmark.bookmarker_notes.present? %>
 <%= ts("Bookmarker's Notes: ").html_safe %>
-<%= raw(sanitize_field(bookmark, :bookmarker_notes)) %>
+<%= raw strip_images(sanitize_field(bookmark, :bookmarker_notes)) %>
 <% end %>
 <% end %>
diff --git a/features/bookmarks/bookmark_create.feature b/features/bookmarks/bookmark_create.feature
@@ -108,6 +108,18 @@ Scenario: extra commas in bookmark form (Issue 2284)
     And I press "Create"
   Then I should see "created"
 
+Scenario: Bookmark notes do not display images
+  Given I am logged in as "bookmarkuser"
+    And I post the work "Some Work"
+  When I follow "Bookmark"
+    And I fill in "Notes" with "Fantastic!<img src='http://example.com/icon.svg'>"
+    And I press "Create"
+    And all indexing jobs have been run
+  Then I should see "Bookmark was successfully created"
+  When I go to the bookmarks page
+  Then I should not see the image "src" text "http://example.com/icon.svg"
+    And I should see "Fantastic!"
+
 Scenario: bookmark added to moderated collection has flash notice only when not approved
   Given the following activated users exist
     | login      | password |

diff --git a/features/comments_and_kudos/add_comment.feature b/features/comments_and_kudos/add_comment.feature
@@ -133,7 +133,7 @@ Scenario: Comment threading, comment editing
       And I fill in "Comment" with "B's improved comment (edited)"
       And I press "Update"
     Then 0 emails should be delivered to "User_A"
-  
+
   Scenario: Try to post an invalid comment
 
     When I am logged in as "author"
@@ -180,6 +180,17 @@ Scenario: Set preference and receive comment notifications of your own comments
     And "commenter" should be emailed
     And 1 email should be delivered to "commenter"
 
+Scenario: Wprk comment displays images
+
+  Given the work "Generic Work"
+    And I am logged in as "commenter"
+    And I visit the new comment page for the work "Generic Work"
+  When I fill in "Comment" with "Fantastic!<img src='http://example.com/icon.svg'>"
+    And I press "Comment"
+  Then I should see "Comment created!"
+    And I should see "Fantastic!"
+    And I should see the image "src" text "http://example.com/icon.svg"
+
 Scenario: Try to post a comment with a < angle bracket before a linebreak, without a space before the bracket
 
     Given the work "Generic Work"
@@ -194,7 +205,7 @@ Scenario: Try to post a comment with a < angle bracket before a linebreak, witho
       And I press "Comment"
     Then I should see "Comment created!"
 
-Scenario: Try to post a comment with a < angle bracket before a linebreak, with a space before the bracket 
+Scenario: Try to post a comment with a < angle bracket before a linebreak, with a space before the bracket
 
     Given the work "Generic Work"
       And I am logged in as "commenter"

diff --git a/features/comments_and_kudos/comments_adminposts.feature b/features/comments_and_kudos/comments_adminposts.feature
@@ -135,3 +135,14 @@ Feature: Commenting on admin posts
     When I follow "Edit Post"
     Then I should see "No one can comment"
     # TODO: Test that the other options aren't available/selected in a non-brittle way
+
+  Scenario: Admin post comment does not display images
+    Given I have posted an admin post
+      And I am logged in as "regular"
+      And I go to the admin-posts page
+      And I follow "Default Admin Post"
+    When I fill in "Comment" with "Hi!<img src='http://example.com/icon.svg'>"
+      And I press "Comment"
+    Then I should see "Comment created!"
+      And I should not see the image "src" text "http://example.com/icon.svg"
+      And I should see "Hi!"
diff --git a/features/other_a/pseuds.feature b/features/other_a/pseuds.feature
@@ -118,6 +118,18 @@ Scenario: Manage pseuds - add, edit
     And I should see "I wanted to add another fancy name"
     And I should not see "My new name (editpseuds)"
 
+Scenario: Pseud descriptions do not display images
+
+  Given I am logged in as "myself"
+    And I go to my pseuds page
+    When I follow "Edit"
+    And I fill in "Description" with "Fantastic!<img src='http://example.com/icon.svg'>"
+    And I press "Update"
+  Then I should see "Pseud was successfully updated."
+  When I follow "Back To Pseuds"
+  Then I should not see the image "src" text "http://example.com/icon.svg"
+    And I should see "Fantastic!"
+
 Scenario: Comments reflect pseud changes immediately
 
   Given the work "Interesting"

diff --git a/spec/models/feedback_reporters/abuse_reporter_spec.rb b/spec/models/feedback_reporters/abuse_reporter_spec.rb
@@ -79,5 +79,13 @@
         expect(subject.report_attributes.fetch("cf").fetch("cf_url")).to eq("Unknown URL")
       end
     end
+
+    context "if the report has an image in description" do
+      it "strips all img tags" do
+        allow(subject).to receive(:description).and_return("Hi!<img src='http://example.com/Camera-icon.svg'>Bye!")
+
+        expect(subject.report_attributes.fetch("description")).to eq("Hi!Bye!")
+      end
+    end
   end
 end
diff --git a/spec/models/feedback_reporters/support_reporter_spec.rb b/spec/models/feedback_reporters/support_reporter_spec.rb
@@ -89,5 +89,13 @@
         expect(subject.report_attributes.fetch("cf").fetch("cf_user_agent")).to eq("Unknown user agent")
       end
     end
+
+    context "if the report has an image in description" do
+      it "strips all img tags" do
+        allow(subject).to receive(:description).and_return("Hi!<img src='http://example.com/Camera-icon.svg'>Bye!")
+
+        expect(subject.report_attributes.fetch("description")).to eq("Hi!Bye!")
+      end
+    end
   end
 end