rails3: set allowed tags for sanitization

Also enable white list monkey patch to unescape html comments.

rails3: set allowed tags for sanitization
Also enable white list monkey patch to unescape html comments.
Victor Costa
1 parent 0e46219f
Showing 3 changed files with 9 additions and 19 deletions Show diff stats
config/application.rb
vendor/plugins/monkey_patches/init.rb
vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
@@ -19,6 +19,12 @@ module Noosfero
  
     require 'noosfero/plugin'
  
+    # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper
+    config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay'
+
+    # Adds custom tags to the Set of allowed html tags for the #sanitize helper
+    config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source'
+
     # Settings in config/environments/* take precedence over those specified here.
     # Application configuration should go into files in config/initializers
     # -- all .rb files in that directory are automatically loaded.
 require File.join(File.dirname(__FILE__), 'attachment_fu_validates_attachment/init')
 require File.join(File.dirname(__FILE__), 'attachment_fu/init')
+require File.join(File.dirname(__FILE__), 'white_list_sanitizer_unescape_before_reescape/init')
-# monkey patch to fix WhiteListSanitizer bug
-# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for
-#
-# this was solved in rails 2.2.1, then remove this patch when upgrade to it
+# encoding: utf-8
  
 HTML::WhiteListSanitizer.module_eval do
  
+  #unescape html comments
   def sanitize_with_filter_fixes(*args, &block)
     text = sanitize_without_filter_fixes(*args, &block)
     if text
@@ -17,19 +15,4 @@ HTML::WhiteListSanitizer.module_eval do
   end
   alias_method_chain :sanitize, :filter_fixes
  
-  # unescape before reescape to avoid:
-  # & -> &amp; -> &amp;amp; -> &amp;amp;amp; -> &amp;amp;amp;amp; -> etc
-  protected
-  def process_attributes_for(node, options)
-    return unless node.attributes
-    node.attributes.keys.each do |attr_name|
-      value = node.attributes[attr_name].to_s
-
-      if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
-        node.attributes.delete(attr_name)
-      else
-        node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value.gsub('&amp;', '&'))
-      end
-    end
-  end
 end
...	...	@@ -19,6 +19,12 @@ module Noosfero
19	19
20	20	require 'noosfero/plugin'
21	21
	22	+ # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper
	23	+ config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay'
	24	+
	25	+ # Adds custom tags to the Set of allowed html tags for the #sanitize helper
	26	+ config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source'
	27	+
22	28	# Settings in config/environments/* take precedence over those specified here.
23	29	# Application configuration should go into files in config/initializers
24	30	# -- all .rb files in that directory are automatically loaded.
...	...
1	1	require File.join(File.dirname(__FILE__), 'attachment_fu_validates_attachment/init')
2	2	require File.join(File.dirname(__FILE__), 'attachment_fu/init')
	3	+require File.join(File.dirname(__FILE__), 'white_list_sanitizer_unescape_before_reescape/init')
...	...
1		-# monkey patch to fix WhiteListSanitizer bug
2		-# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for
3		-#
4		-# this was solved in rails 2.2.1, then remove this patch when upgrade to it
	1	+# encoding: utf-8
5	2
6	3	HTML::WhiteListSanitizer.module_eval do
7	4
	5	+ #unescape html comments
8	6	def sanitize_with_filter_fixes(*args, &block)
9	7	text = sanitize_without_filter_fixes(*args, &block)
10	8	if text
...	...	@@ -17,19 +15,4 @@ HTML::WhiteListSanitizer.module_eval do
17	15	end
18	16	alias_method_chain :sanitize, :filter_fixes
19	17
20		- # unescape before reescape to avoid:
21		- # & -> & -> &amp; -> &amp;amp; -> &amp;amp;amp; -> etc
22		- protected
23		- def process_attributes_for(node, options)
24		- return unless node.attributes
25		- node.attributes.keys.each do \|attr_name\|
26		- value = node.attributes[attr_name].to_s
27		-
28		- if !options[:attributes].include?(attr_name) \|\| contains_bad_protocols?(attr_name, value)
29		- node.attributes.delete(attr_name)
30		- else
31		- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value.gsub('&', '&'))
32		- end
33		- end
34		- end
35	18	end
...	...