Merge pull request #7 from virtualidentityag/VIC-573

input sanitizer fix to allow images
virtualidentityag · Apr 20, 2022 · 233cf6e · 233cf6e
2 parents 495255e + 52300af
commit 233cf6e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/src/main/java/com/vi/tenantservice/api/validation/InputSanitizer.java b/src/main/java/com/vi/tenantservice/api/validation/InputSanitizer.java
@@ -30,6 +30,9 @@ public String sanitizeAllowingFormattingAndLinks(String input) {
         .allowElements("a")
         .allowAttributes("href","target")
         .onElements("a")
+        .allowElements("img")
+        .allowAttributes("src", "width", "height")
+        .onElements("img")
         .toFactory();
     return sanitizer.sanitize(input);
   }

diff --git a/src/test/java/com/vi/tenantservice/api/validation/TenantInputSanitizerTest.java b/src/test/java/com/vi/tenantservice/api/validation/TenantInputSanitizerTest.java
@@ -16,6 +16,7 @@
 class TenantInputSanitizerTest {
 
   private static final String LINK_CONTENT = "<a href=\"http://onlineberatung.net\">content</a>further content";
+  private static final String IMAGE_CONTENT = "<img src=\"http://onlineberatung.net/images/test.png\" width=\"272\" height=\"92\" />";
 
   @InjectMocks
   TenantInputSanitizer tenantInputSanitizer;
@@ -55,6 +56,24 @@ void sanitize_Should_sanitizeAndAllowLinksForContentInTenantDTO() {
     assertThat(sanitized.getContent().getImpressum()).contains(LINK_CONTENT);
   }
 
+  @Test
+  void sanitize_Should_sanitizeAndAllowImageSrcForContentInTenantDTO() {
+    // given
+    EasyRandom generator = new EasyRandom();
+    TenantDTO tenantDTO = generator.nextObject(TenantDTO.class);
+    tenantDTO.getContent().setTermsAndConditions(IMAGE_CONTENT);
+    tenantDTO.getContent().setPrivacy(IMAGE_CONTENT);
+    tenantDTO.getContent().setImpressum(IMAGE_CONTENT);
+    TenantInputSanitizer nonMockedTenantInputSanitizer = new TenantInputSanitizer(new InputSanitizer());
+    // when
+    TenantDTO sanitized = nonMockedTenantInputSanitizer.sanitize(tenantDTO);
+
+    // then
+    assertThat(sanitized.getContent().getTermsAndConditions()).contains(IMAGE_CONTENT);
+    assertThat(sanitized.getContent().getPrivacy()).contains(IMAGE_CONTENT);
+    assertThat(sanitized.getContent().getImpressum()).contains(IMAGE_CONTENT);
+  }
+
   private void verifyNeededSanitizationsAreCalled(TenantDTO tenantDTO) {
     verify(inputSanitizer).sanitize(tenantDTO.getName());
     verify(inputSanitizer).sanitize(tenantDTO.getSubdomain());