yalelibrary / YUL-DC

Preliminary issue tracking for Yale University Libraries Digital Collections project

Sanitize all user input for OwP #2780

Closed mikeapp closed 1 month ago

mikeapp commented 3 months ago

Story

We should strip HTML from all data supplied by the user in OwP requests, since they will be displayed to admins. Rails will escape output in the .erb but we're also emailing the fields, and in general don't want anything malicious ending up in the DB.

(I remember discussing this at standup but didn't see a ticket for the work, so this may already be done.)

Acceptance

Strip HTML (including script) elements from:

jpengst commented 1 month ago

Rails sanitizer transforms & to &amp; when stripping all HTML tags and scripts. All other characters seem fine. Do we want to keep it saved as &amp; or gsub back to &?

jpengst commented 1 month ago

PR: https://github.com/yalelibrary/yul-dc-management/pull/1370

K8Sewell commented 1 month ago

Deployed to Demo and Test with release v2.68.8

sshetenhelm commented 1 month ago

I am now unable to submit requests in Blacklight! When I try, I get the following message: Please submit a request for this item. No request was found.

Video:

https://github.com/yalelibrary/YUL-DC/assets/98423494/6d25b365-dea7-48d6-8343-8193c90a2a09

jpengst commented 1 month ago

I was not able to replicate this. I tried this same object using the same text and everything is looking good on my side (https://collections-demo.library.yale.edu/management/permission_requests/56)

I'm curious why the request form is rendering for you on this object though. You should have instant access because you're an admin of the "Summer Test" permission set, which this object is under. I was able to toggle the object/request form by adding/removing myself from "Summer Test" and it looks good.

Are you no longer able to see OwP objects you are an admin of?

sshetenhelm commented 1 month ago

I wonder if it's because I was an admin, but removed myself for testing purposes?

I see in Management that the requests went through though, and the non-latin characters/diacritics were kept and the html tags stripped: https://collections-demo.library.yale.edu/management/permission_requests/56

jpengst commented 1 month ago

Ok great. I wasn't sure if you removed yourself as an admin before testing. I was worried for a sec that admin access was broken.
Have you tried any other objects?

sshetenhelm commented 1 month ago

OK, so now when I click on the request link, I get the "The page you're looking for does not exist" error (for example, on https://collections-demo.library.yale.edu/catalog/10666010/request_form)

...and I'm also not getting metadata or the viewer, even if I'm an admin... Ex. https://collections-demo.library.yale.edu/catalog/2008596

jpengst commented 1 month ago

Are any other Yale users experiencing this too?

sshetenhelm commented 1 month ago

The wrong Blacklight stuff got deployed to Demo. I can see stuff again, but I'm getting "We are unable to complete your access request at this time." Will check again after lunch.

jpengst commented 1 month ago

If it was this error: "We are unable to complete your access request at this time. For more information about this object, click the ‘Feedback’ link located at the bottom of this page and fill out the form. We will get back to you as soon as possible."

It's because the permission set does not have any active terms and conditions.

sshetenhelm commented 1 month ago

Good gracious, yes, I should have known that. Was able to make the request after I added the terms.

Everything was sanitized from the notes. In user name, the brackets still came through, but it's not an active link in the request, just the characters:


jpengst commented 1 month ago

Adds sanitize to user name: https://github.com/yalelibrary/yul-dc-management/pull/1378
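The two points raised in this thread, the full sanitizer turning a bare "&" into "&amp;" and the need to run the same stripping over the user name as over the notes, are illustrated by the following added example. It is not code from the yul-dc-management repository and does not use Rails: `strip_all_html` is a stand-in written with the Ruby standard library that mimics what the thread describes (drop script elements with their bodies, drop every other tag, re-encode `&`, `<` and `>` as text), `restore_ampersands` is the "gsub back to &" option from jpengst's question, and the field names in `REQUEST_FIELDS` and the sample request are constructed for the example.

```ruby
# Added example, not the project's code. Stand-in for the HTML-stripping
# behaviour discussed in the thread; plain Ruby, standard library only.
require 'cgi'

# Hypothetical OwP request fields. Every one of them is sanitized, which is
# the fix the second PR made: the user name gets the same treatment as the note.
REQUEST_FIELDS = %i[user_name user_email user_note].freeze

# Characters that must come out of the sanitizer encoded so nothing stored or
# emailed can be interpreted as markup. Note that a bare "&" becomes "&amp;",
# the behaviour observed with the Rails sanitizer.
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;' }.freeze

# Strip all HTML from one field value.
# NOTE: regex tag stripping is illustrative; production code should keep using
# a parser-based sanitizer (rails-html-sanitizer / Loofah) as the project does.
def strip_all_html(value)
  return value unless value.is_a?(String)
  # 1. Remove <script> elements together with their contents.
  text = value.gsub(%r{<script\b[^>]*>.*?</script\s*>}mi, '')
  # 2. Remove every remaining tag, keeping the text between them.
  text = text.gsub(/<[^>]*>/, '')
  # 3. Decode entities the user typed so "&lt;b&gt;" is treated as the text "<b>"
  #    and not double-encoded in the next step.
  text = CGI.unescapeHTML(text)
  # 4. Re-encode the three markup-significant characters as text.
  text.gsub(/[&<>]/, ESCAPES)
end

# Option from the thread: store the ampersand as "&" again.
# Only "&amp;" is reversed; "&lt;" and "&gt;" stay encoded so a stripped "<"
# never comes back as markup. Display in .erb still escapes the value.
def restore_ampersands(sanitized)
  sanitized.gsub('&amp;', '&')
end

# Sanitize every user-supplied field of a request hash; other keys pass through.
def sanitize_request(params)
  params.each_with_object({}) do |(key, value), clean|
    clean[key] = REQUEST_FIELDS.include?(key) ? strip_all_html(value) : value
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request: tags in the user name, a script in the note,
  # and non-Latin characters and diacritics that must survive untouched.
  sample = {
    user_name:  'Ana <a href="http://example.invalid">Müller</a>',
    user_email: 'ana@example.invalid',
    user_note:  'Rights & permissions<script>alert(1)</script> for Ångström, 東京'
  }
  sanitize_request(sample).each { |key, value| puts "#{key}: #{value}" }
end
```

Running the file prints the user name as `Ana Müller` and the note as `Rights &amp; permissions for Ångström, 東京`; whichever of the two storage options the team picks, `restore_ampersands` is the only place that decision has to live.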

K8Sewell commented 1 month ago

Deployed to Test and Demo with release v2.69.0

sshetenhelm commented 1 month ago

Looks good on DEMO! Thank you :)