Commit 36dfeecb57142299e71d1f8071b7cb514bc5bec1
Committed by
Rodrigo Souto
1 parent
4820ccb2
Adding SanitizeHelper
- SanitizeHelper uses the allowed tags and attributes from config/application.rb Signed-off-by: Macartur Sousa <macartur.sc@gmail.com>
Showing
6 changed files
with
42 additions
and
17 deletions
| ... | ... | @@ -0,0 +1,25 @@ |
| 1 | +module SanitizeHelper | |
| 2 | + | |
| 3 | + def sanitize_html(text, type= :full_sanitize) | |
| 4 | + sanitizer(type).sanitize(text, scrubber: permit_scrubber) | |
| 5 | + end | |
| 6 | + | |
| 7 | + def sanitize_link(text) | |
| 8 | + sanitizer(:white_list).sanitize(text, scrubber:permit_scrubber) | |
| 9 | + end | |
| 10 | + | |
| 11 | +protected | |
| 12 | + | |
| 13 | + def permit_scrubber | |
| 14 | + scrubber = Rails::Html::PermitScrubber.new | |
| 15 | + scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags | |
| 16 | + scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes | |
| 17 | + scrubber | |
| 18 | + end | |
| 19 | + | |
| 20 | + def sanitizer type = :full_sanitize | |
| 21 | + return HTML::WhiteListSanitizer.new if type == :white_list | |
| 22 | + HTML::FullSanitizer.new | |
| 23 | + end | |
| 24 | + | |
| 25 | +end | ... | ... |
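Review bot: `sanitize_html` hands `scrubber: permit_scrubber` to whichever sanitizer `sanitizer(type)` returns, but on the default `:full_sanitize` path `HTML::FullSanitizer` strips every tag and, as far as I can tell, never reads a `:scrubber` option, so a scrubber is built from the application config and discarded on every call. Branching on the type once makes the two contracts explicit and lets `sanitize_link` become a one-line alias of the `:white_list` path instead of duplicating it (which also fixes the `scrubber:permit_scrubber` spacing). The fall-through in `sanitizer` to the full sanitizer for any unrecognised `type` is the safe direction and deserves a comment saying so, e.g. `# anything but :white_list strips all markup, so an unexpected type fails safe`. Note that `permit_scrubber` allow-lists attributes by name only, and the configured list includes `href`, `src` and `style`; it is worth confirming that `Rails::Html::PermitScrubber` in the installed rails-html-sanitizer version also filters attribute values (URL schemes, CSS), since nothing in this helper does.
```ruby
  # Returns +text+ with HTML removed. +type+ :white_list keeps only the tags and
  # attributes configured in config/application.rb; any other value (the default
  # :full_sanitize included) strips all markup, so an unexpected +type+ fails safe.
  def sanitize_html(text, type = :full_sanitize)
    if type == :white_list
      sanitizer(:white_list).sanitize(text, scrubber: permit_scrubber)
    else
      sanitizer(:full_sanitize).sanitize(text)
    end
  end

  def sanitize_link(text)
    sanitize_html(text, :white_list)
  end

  # … unchanged: permit_scrubber, sanitizer …
```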
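--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -1,6 +1,8 @@
 
 class Article < ActiveRecord::Base
 
+ include SanitizeHelper
+
 attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
 :allow_members_to_edit, :translation_of_id, :language,
 :license_id, :parent_id, :display_posts_in_current_language,
@@ -54,6 +56,7 @@ class Article < ActiveRecord::Base
 track_actions :create_article, :after_create, :keep_params => [:name, :url, :lead, :first_image], :if => Proc.new { |a| a.is_trackable? && !a.image? }
 
 # xss_terminate plugin can't sanitize array fields
+ # sanitize_tag_list is used with SanitizeHelper
 before_save :sanitize_tag_list
 
 before_create do |article|
@@ -870,11 +873,6 @@ class Article < ActiveRecord::Base
 tag_name.gsub(/[<>]/, '')
 end
 
- def sanitize_html(text)
- sanitizer = HTML::FullSanitizer.new
- sanitizer.sanitize(text)
- end
-
 def parent_archived?
 if self.parent_id_changed? && self.parent && self.parent.archived?
 errors.add(:parent_folder, N_('is archived!!'))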
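Review bot: The comment added above `before_save :sanitize_tag_list` says the callback "is used with SanitizeHelper", but the only sanitize_tag_list code visible in the third hunk is `tag_name.gsub(/[<>]/, '')`, which never goes through the helper; if that is the whole method (its start lies outside the hunk), the comment leads the next reader to believe tag names get the allow-list treatment. Either route tag names through the helper or reword to `# tag names are only stripped of angle brackets here; body/abstract go through SanitizeHelper`. Also note that the helper's `sanitize_html` resolves `sanitizer` and `permit_scrubber` on the including model, so a model that defines a method with either name would silently change its own sanitization path; a short comment at the `include SanitizeHelper` line naming the reserved method names would prevent that.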
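--- a/app/models/link_list_block.rb
+++ b/app/models/link_list_block.rb
@@ -1,5 +1,7 @@
 class LinkListBlock < Block
 
+ include SanitizeHelper
+
 attr_accessible :links
 
 ICONS = [
@@ -85,9 +87,4 @@ class LinkListBlock < Block
 end
 end
 
- def sanitize_link(text)
- sanitizer = HTML::WhiteListSanitizer.new
- sanitizer.sanitize(text)
- end
-
 end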
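Review bot: The helper's `sanitize_link` applies the whole application allow-list from config/application.rb (object, embed, iframe, applet among the tags) to link-list content, whereas the removed method used the sanitizer's defaults; that is probably the same set once config.action_view is wired in, but it is now explicit and this block is the natural place to narrow it. If the callers of sanitize_link (outside this hunk) only ever expect anchor text or a URL, a scrubber restricted to that is safer than inheriting the article allow-list. At minimum a comment at the include, `# sanitize_link comes from SanitizeHelper and uses the article-wide ALLOWED_TAGS/ALLOWED_ATTRIBUTES`, records the dependency.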
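--- a/app/models/scrap.rb
+++ b/app/models/scrap.rb
@@ -1,5 +1,7 @@
 class Scrap < ActiveRecord::Base
 
+ include SanitizeHelper
+
 attr_accessible :content, :sender_id, :receiver_id, :scrap_id
 
 SEARCHABLE_FIELDS = {
@@ -41,8 +43,7 @@ class Scrap < ActiveRecord::Base
 end
 
 def strip_all_html_tags
- sanitizer = HTML::WhiteListSanitizer.new
- self.content = sanitizer.sanitize(self.content, :tags => [])
+ self.content = sanitize_html(self.content)
 end
 
 def action_tracker_target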
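Review bot: `strip_all_html_tags` now depends on `sanitize_html`'s default `type` to do the full strip; if the helper's default is ever switched to the allow-list, scrap content silently starts keeping tags while the method name still promises otherwise. Passing the intent explicitly, `self.content = sanitize_html(content, :full_sanitize)`, costs nothing and keeps the name honest (the `self.` on the right-hand side is also unnecessary).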
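--- a/app/models/textile_article.rb
+++ b/app/models/textile_article.rb
@@ -1,4 +1,5 @@
 class TextileArticle < TextArticle
+ include SanitizeHelper
 
 def self.short_description
 _('Text article with Textile markup language')
@@ -31,10 +32,9 @@ class TextileArticle < TextArticle
 protected
 
 def convert_to_html(textile)
- @@sanitizer ||= HTML::WhiteListSanitizer.new
 converter = RedCloth.new(textile|| '')
 converter.hard_breaks = false
- @@sanitizer.sanitize(converter.to_html)
+ sanitize_html(converter.to_html, :white_list)
 end
 
 end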
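Review bot: `include SanitizeHelper` on TextileArticle is redundant if TextArticle derives from Article, which this commit already makes include the helper; harmless, but it hides where the methods really come from, and the include belongs once in the base class with a comment such as `# SanitizeHelper provides sanitize_html/sanitize_link to every article type`. Dropping the `@@sanitizer` class variable in convert_to_html is a real improvement: it was shared across the whole inheritance tree and held a single sanitizer instance for the process lifetime. Sanitizing RedCloth's output rather than its input, as the new line does, is the right order.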
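--- a/config/application.rb
+++ b/config/application.rb
@@ -15,13 +15,17 @@ module Noosfero
 
 require 'noosfero/plugin'
 
- ALLOWED_TAGS = %w( object embed param table tr th td applet comment iframe audio video source
+ # The plugin xss_terminator(located in vendor/plugins/xss_terminator) and the helper
+ # SanitizeHelper(located in app/helpers/sanitize_helper.rb) use
+ # ALLOWED_TAGS and ALLOWED_ATTRIBUTES to make a sanitize with html.
+
+ ALLOWED_TAGS = %w(object embed param table tr th td applet comment iframe audio video source
 strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1
- h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins)
+ h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins a)
 
 ALLOWED_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width
 vspace hspace heigth value type data style target codebase archive data-macro align border
- classid code flashvars scrolling frameborder controls autoplay colspan)
+ classid code flashvars scrolling frameborder controls autoplay colspan id rowspan)
 
 config.action_view.sanitized_allowed_tags = ALLOWED_TAGS
 config.action_view.sanitized_allowed_attributes = ALLOWED_ATTRIBUTES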
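Review bot: `a` is now listed twice in ALLOWED_TAGS (after `acronym` and again at the new end of the list); the trailing `a` on the last line should be dropped. Adding `id` to ALLOWED_ATTRIBUTES is the security-relevant part of this hunk: user-supplied ids are rendered into the same document as the application's own markup, so they can collide with ids that the page's scripts and CSS rely on, and that trade-off should be recorded next to the list, e.g. `# id is allowed for in-page anchors; user-chosen ids can shadow application element ids, so scripts must not trust getElementById on this content`. The new comment block also reads awkwardly and names the plugin `xss_terminator` while app/models/article.rb calls it `xss_terminate`; whichever spelling matches the directory should be used in both places, e.g. `# ALLOWED_TAGS and ALLOWED_ATTRIBUTES are the HTML allow-list shared by the xss_terminate plugin and SanitizeHelper (app/helpers/sanitize_helper.rb).`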