Commit 36dfeecb57142299e71d1f8071b7cb514bc5bec1
Committed by
Rodrigo Souto
1 parent
4820ccb2
Adding SanitizeHelper
- SanitizeHelper uses the allowed tags and attributes configured in config/application.rb. Signed-off-by: Macartur Sousa <macartur.sc@gmail.com>
Showing
6 changed files
with
42 additions
and
17 deletions
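--- /dev/null
+++ b/app/helpers/sanitize_helper.rb
@@ -0,0 +1,25 @@
+module SanitizeHelper
+
+  def sanitize_html(text, type= :full_sanitize)
+    sanitizer(type).sanitize(text, scrubber: permit_scrubber)
+  end
+
+  def sanitize_link(text)
+    sanitizer(:white_list).sanitize(text, scrubber:permit_scrubber)
+  end
+
+protected
+
+  def permit_scrubber
+    scrubber = Rails::Html::PermitScrubber.new
+    scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
+    scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes
+    scrubber
+  end
+
+  def sanitizer type = :full_sanitize
+    return HTML::WhiteListSanitizer.new if type == :white_list
+    HTML::FullSanitizer.new
+  end
+
+end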
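Review bot: `sanitize_html` builds its scrubber from `Rails::Html::PermitScrubber` but instantiates the sanitizers through the legacy `HTML::WhiteListSanitizer`/`HTML::FullSanitizer` names (file lines 21–22); the `scrubber:` option is only honoured when those constants resolve to the rails-html-sanitizer compatibility aliases, and the deprecated html-scanner sanitizer would, as far as I can tell, ignore it and fall back to its own defaults, so the configured allow-list would silently not be applied. Referencing `Rails::Html::WhiteListSanitizer` and `Rails::Html::FullSanitizer` directly removes that dependence on the alias, and `sanitize_link` can then be `sanitize_html(text, :white_list)` instead of a second code path. The full sanitizer strips every tag regardless of the scrubber, so a comment above `sanitize_html` such as `# :full_sanitize strips all markup; :white_list keeps only the tags/attributes from config.action_view` would stop callers expecting the allow-list to apply in the default mode. Also note that a fresh PermitScrubber is built on every call and that it gates only tag and attribute names: whether `javascript:` URLs in `href`/`src` or expressions in `style` are scrubbed depends on the rails-html-sanitizer version in the Gemfile, which is not visible here.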
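--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -1,6 +1,8 @@
 
 class Article < ActiveRecord::Base
 
+  include SanitizeHelper
+
   attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent,
                   :allow_members_to_edit, :translation_of_id, :language,
                   :license_id, :parent_id, :display_posts_in_current_language,
@@ -54,6 +56,7 @@ class Article < ActiveRecord::Base
   track_actions :create_article, :after_create, :keep_params => [:name, :url, :lead, :first_image], :if => Proc.new { |a| a.is_trackable? && !a.image? }
 
   # xss_terminate plugin can't sanitize array fields
+  # sanitize_tag_list is used with SanitizeHelper
   before_save :sanitize_tag_list
 
   before_create do |article|
@@ -870,11 +873,6 @@ class Article < ActiveRecord::Base
     tag_name.gsub(/[<>]/, '')
   end
 
-  def sanitize_html(text)
-    sanitizer = HTML::FullSanitizer.new
-    sanitizer.sanitize(text)
-  end
-
   def parent_archived?
     if self.parent_id_changed? && self.parent && self.parent.archived?
       errors.add(:parent_folder, N_('is archived!!'))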
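Review bot: The new comment `# sanitize_tag_list is used with SanitizeHelper` above `before_save :sanitize_tag_list` is not borne out by what is visible: the tag-name cleaning at file line 870 is only `tag_name.gsub(/[<>]/, '')`, and nothing in these hunks routes tag names through `sanitize_html`. Either reword it to describe what actually happens, e.g. `# tag names are cleaned by stripping angle brackets (see sanitize_tag_list)`, or really call `sanitize_html(tag_name)` there; the body of `sanitize_tag_list` is outside the hunk, so I may be missing a call. Separately, `include SanitizeHelper` makes `sanitize_html` and `sanitize_link` public instance methods on every Article, whereas the removed `sanitize_html` sat near the end of the class and may have been non-public (its visibility marker is not in the hunk); if that matters, add `protected :sanitize_html, :sanitize_link` after the include.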
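--- a/app/models/link_list_block.rb
+++ b/app/models/link_list_block.rb
@@ -1,5 +1,7 @@
 class LinkListBlock < Block
 
+  include SanitizeHelper
+
   attr_accessible :links
 
   ICONS = [
@@ -85,9 +87,4 @@ class LinkListBlock < Block
     end
   end
 
-  def sanitize_link(text)
-    sanitizer = HTML::WhiteListSanitizer.new
-    sanitizer.sanitize(text)
-  end
-
 end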
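Review bot: Moving `sanitize_link` into `SanitizeHelper` changes what it permits: the removed method called `HTML::WhiteListSanitizer.new.sanitize(text)` with the sanitizer's own default tag list, while the helper version passes a scrubber built from `ALLOWED_TAGS`/`ALLOWED_ATTRIBUTES` in `config/application.rb`, which includes `iframe`, `object`, `embed`, `applet` and the `src`/`data`/`codebase`/`style` attributes. If `sanitize_link` is applied to user-supplied link labels or addresses in a sidebar block (its call site is outside this hunk), that is a wider surface than the old defaults, and a full strip — `sanitize_html(text)` — or a small dedicated list is more appropriate for link text. Whether the old default list was itself already tied to `config.action_view.sanitized_allowed_tags` depends on the Rails version and is not visible here, so please confirm before treating this as behaviour-preserving.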
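--- a/app/models/scrap.rb
+++ b/app/models/scrap.rb
@@ -1,5 +1,7 @@
 class Scrap < ActiveRecord::Base
 
+  include SanitizeHelper
+
   attr_accessible :content, :sender_id, :receiver_id, :scrap_id
 
   SEARCHABLE_FIELDS = {
@@ -41,8 +43,7 @@ class Scrap < ActiveRecord::Base
   end
 
   def strip_all_html_tags
-    sanitizer = HTML::WhiteListSanitizer.new
-    self.content = sanitizer.sanitize(self.content, :tags => [])
+    self.content = sanitize_html(self.content)
   end
 
   def action_tracker_target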
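Review bot: `strip_all_html_tags` now depends on `sanitize_html`'s default `type` being `:full_sanitize`; if that default is ever switched to the white-list mode, scraps would silently start accepting the site-wide tag list (including `iframe`/`object`), so call it as `self.content = sanitize_html(self.content, :full_sanitize)` to keep the strip-everything intent explicit at the call site. The full sanitizer also ignores the `scrubber:` option the helper passes, which is fine here but worth a one-line comment above the assignment: `# full sanitize: all markup removed, the config allow-list is not consulted`.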
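--- a/app/models/textile_article.rb
+++ b/app/models/textile_article.rb
@@ -1,4 +1,5 @@
 class TextileArticle < TextArticle
+  include SanitizeHelper
 
   def self.short_description
     _('Text article with Textile markup language')
@@ -31,10 +32,9 @@ class TextileArticle < TextArticle
   protected
 
   def convert_to_html(textile)
-    @@sanitizer ||= HTML::WhiteListSanitizer.new
     converter = RedCloth.new(textile|| '')
     converter.hard_breaks = false
-    @@sanitizer.sanitize(converter.to_html)
+    sanitize_html(converter.to_html, :white_list)
   end
 
 end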
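Review bot: `convert_to_html` now sanitises the RedCloth output against the `ALLOWED_TAGS`/`ALLOWED_ATTRIBUTES` list from `config/application.rb` rather than the white-list sanitizer's defaults, and that list admits `iframe`, `object`, `embed`, `applet`, `src`, `data`, `codebase` and `style`; a Textile author can therefore embed arbitrary external active content in an article, which should be a deliberate decision rather than a side effect of the refactor. If Textile articles are not meant to carry embeds, pass a narrower scrubber here, otherwise document the intent with `# white-list mode: keeps the embed/iframe tags allowed site-wide in config/application.rb` above the call. The `include SanitizeHelper` at line 2 is probably redundant if `TextArticle` inherits from `Article`, which gains the same include in this commit (the `TextArticle` class is not visible here); harmless, but one include is enough.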
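--- a/config/application.rb
+++ b/config/application.rb
@@ -15,13 +15,17 @@ module Noosfero
 
   require 'noosfero/plugin'
 
-  ALLOWED_TAGS = %w( object embed param table tr th td applet comment iframe audio video source
+  # The plugin xss_terminator(located in vendor/plugins/xss_terminator) and the helper
+  # SanitizeHelper(located in app/helpers/sanitize_helper.rb) use
+  # ALLOWED_TAGS and ALLOWED_ATTRIBUTES to make a sanitize with html.
+
+  ALLOWED_TAGS = %w(object embed param table tr th td applet comment iframe audio video source
   strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1
-  h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins)
+  h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins a)
 
   ALLOWED_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width
   vspace hspace heigth value type data style target codebase archive data-macro align border
-  classid code flashvars scrolling frameborder controls autoplay colspan)
+  classid code flashvars scrolling frameborder controls autoplay colspan id rowspan)
 
   config.action_view.sanitized_allowed_tags = ALLOWED_TAGS
   config.action_view.sanitized_allowed_attributes = ALLOWED_ATTRIBUTES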
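Review bot: Adding `id` to `ALLOWED_ATTRIBUTES` lets user-supplied markup set element ids, which can collide with ids the site's own JavaScript and CSS rely on and enables DOM clobbering (an `<img id=...>` or `<a id=...>` in content shadows same-named `window`/`document` properties); unless a feature needs author-defined anchors, drop `id`, or have the scrubber rewrite it to a namespaced value. `a` now appears twice in `ALLOWED_TAGS` (`abbr acronym a img ... del ins a)`), so the trailing `a` can go, and `heigth` in the attribute list looks like a typo for `height` (already present) — harmless, but misleading to the next reader. Since `Rails::Html::PermitScrubber` gates only tag and attribute names, the new comment block should say so, e.g. `# NOTE: this is a name allow-list only; scheme checks on href/src and CSS scrubbing of style depend on the rails-html-sanitizer version`, because with `iframe`/`object`/`embed`/`applet` plus `src`/`data`/`codebase` permitted, the list intentionally admits externally hosted active content.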