From 8983fb3600112a703eacb9a83b3e08875dabf2a3 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Thu, 16 Oct 2014 00:59:34 +0100
Subject: [PATCH] Validate note comments for control characters

---
 app/models/note_comment.rb       |  1 +
 test/models/note_comment_test.rb | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 test/models/note_comment_test.rb

diff --git a/app/models/note_comment.rb b/app/models/note_comment.rb
index 07d43cd74..dd91a95b4 100644
--- a/app/models/note_comment.rb
+++ b/app/models/note_comment.rb
@@ -9,6 +9,7 @@ class NoteComment < ActiveRecord::Base
   validates_presence_of :visible
   validates_associated :author
   validates_inclusion_of :event, :in => [ "opened", "closed", "reopened", "commented", "hidden" ]
+  validates_format_of :body, :with => /\A[^\x00-\x08\x0b-\x0c\x0e-\x1f\x7f\ufffe\uffff]*\z/
 
   # Return the comment text
   def body
diff --git a/test/models/note_comment_test.rb b/test/models/note_comment_test.rb
new file mode 100644
index 000000000..d1210f619
--- /dev/null
+++ b/test/models/note_comment_test.rb
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+require 'test_helper'
+
+class NoteCommentTest < ActiveSupport::TestCase
+  fixtures :users, :notes, :note_comments
+
+  def test_body_valid
+    ok = [ "Name", "vergrößern", "foo\x0abar",
+           "ルシステムにも対応します", "輕觸搖晃的遊戲", ]
+    bad = [ "foo\x00bar", "foo\x08bar", "foo\x1fbar", "foo\x7fbar",
+            "foo\ufffebar", "foo\uffffbar" ]
+
+    ok.each do |body|
+      note_comment = note_comments(:t1)
+      note_comment.body = body
+      assert note_comment.valid?, "#{body} is invalid, when it should be"
+    end
+    
+    bad.each do |body|
+      note_comment = note_comments(:t1)
+      note_comment.body = body
+      assert !note_comment.valid?, "#{body} is valid when it shouldn't be"
+    end
+  end
+end
-- 
2.43.2