Download as
Browse Code »

Commit 568d29ce8251d3ffd3443c8e632fb7c75ceeaf06

Authored by Rodrigo Souto
2 parents 7816909c fcce10fe
Exists in staging and in 38 other branches all_pending_tasks_api, api-articles-period, api_roles, caching-rails4, captcha_serpro_plugin, comments_permissions, elasticsearch, elasticsearch_api, elasticsearch_categories, elasticsearch_filter, elasticsearch_sort, elasticsearch_to_merge, elasticsearch_view, environment-exposes-api, export-comment-api, export-comment-paragraph, export_data, external_followers, federation-webfinger, federation_followers, federation_followers_backend, federation_oauth_provider, federation_webfinger, fix_notification_email, fix_string_downcase_and_upcase, follower_permition, json_cookie_serializer, master, master_profile_followers, oauth_external_login, oauth_login, private-scraps, private-scraps-rebase, production, production-vendorized, profile_api_improvements, user_mention, webfinger_server

Merge branch 'xss_terminate_custom_options' into 'master' 

Fix XSS terminate removing custom attributes for Macros

Signed-off-by: Pedro de Lyra <pedrodelyra@gmail.com>
Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br>
Signed-off-by: Tallys Martins <tallysmartins@yahoo.com.br>

See merge request !748
Showing 1 changed file with 9 additions and 3 deletions   Show diff stats
vendor/plugins/xss_terminate/lib/xss_terminate.rb
  Diff comments   View file @568d29c
1 1 module XssTerminate
  2 + ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
  3 + ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
2 4  
3 5 def self.sanitize_by_default=(value)
4 6 @@sanitize_by_default = value
... ... @@ -38,21 +40,25 @@ module XssTerminate
38 40  
39 41 module InstanceMethods
40 42  
  43 + def sanitize_allowed_attributes
  44 + ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
  45 + end
  46 +
41 47 def sanitize_field(sanitizer, field, serialized = false)
42 48 field = field.to_sym
43 49 if serialized
44 50 puts field
45 51 self[field].each_key { |key|
46 52 key = key.to_sym
47   - self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
  53 + self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
48 54 }
49 55 else
50 56 if self[field]
51   - self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
  57 + self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
52 58 else
53 59 value = self.send("#{field}")
54 60 return unless value
55   - value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
  61 + value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
56 62 self.send("#{field}=", value)
57 63 end
58 64 end
... ...