Commit af86ac8d1f15b627c0c9ec68928332916e0a54fd
Exists in
staging
and in
1 other branch
merging with master
Showing
16 changed files
with
151 additions
and
127 deletions
Show diff stats
.travis.yml
| @@ -5,15 +5,19 @@ notifications: | @@ -5,15 +5,19 @@ notifications: | ||
| 5 | template: | 5 | template: |
| 6 | - "%{repository_slug} %{branch} %{commit} %{commit_subject} - %{result} %{build_url}" | 6 | - "%{repository_slug} %{branch} %{commit} %{commit_subject} - %{result} %{build_url}" |
| 7 | 7 | ||
| 8 | -# trusty constainers take more time to start | ||
| 9 | -#dist: trusty | 8 | +# Ensure Container-based environment, as others can have some random failures |
| 9 | +# specially with different Firefox versions and selenium tests. | ||
| 10 | +# E.g. https://travis-ci.org/noosfero/noosfero/jobs/122918772#L1308 | ||
| 11 | +# | ||
| 12 | +# Also container-based environments have the fatest boot times and | ||
| 13 | +# are the only one with cache available for public projects. | ||
| 14 | +# See https://docs.travis-ci.com/user/ci-environment/#Virtualization-environments | ||
| 15 | +sudo: false | ||
| 16 | +cache: bundler | ||
| 10 | 17 | ||
| 11 | language: ruby | 18 | language: ruby |
| 12 | rvm: | 19 | rvm: |
| 13 | - - 2.2 | ||
| 14 | - # ruby 2.3 works but isn't stable on travis | ||
| 15 | - | ||
| 16 | -cache: bundler | 20 | + - 2.3.0 |
| 17 | 21 | ||
| 18 | addons: | 22 | addons: |
| 19 | apt: | 23 | apt: |
app/controllers/my_profile/tasks_controller.rb
| @@ -18,16 +18,16 @@ class TasksController < MyProfileController | @@ -18,16 +18,16 @@ class TasksController < MyProfileController | ||
| 18 | @task_types = Task.pending_types_for(profile) | 18 | @task_types = Task.pending_types_for(profile) |
| 19 | @task_tags = [OpenStruct.new(:name => _('All'), :id => nil) ] + Task.all_tags | 19 | @task_tags = [OpenStruct.new(:name => _('All'), :id => nil) ] + Task.all_tags |
| 20 | 20 | ||
| 21 | - @tasks = Task.pending_all(profile, @filter_type, @filter_text).order_by('created_at', 'asc') | 21 | + @tasks = Task.pending_all(profile, @filter_type, @filter_text).order_by('created_at', 'asc').paginate(:per_page => Task.per_page, :page => params[:page]) |
| 22 | @tasks = @tasks.where(:responsible_id => @filter_responsible.to_i != -1 ? @filter_responsible : nil) if @filter_responsible.present? | 22 | @tasks = @tasks.where(:responsible_id => @filter_responsible.to_i != -1 ? @filter_responsible : nil) if @filter_responsible.present? |
| 23 | @tasks = @tasks.tagged_with(@filter_tags, any: true) if @filter_tags.present? | 23 | @tasks = @tasks.tagged_with(@filter_tags, any: true) if @filter_tags.present? |
| 24 | @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page]) | 24 | @tasks = @tasks.paginate(:per_page => Task.per_page, :page => params[:page]) |
| 25 | - | ||
| 26 | @failed = params ? params[:failed] : {} | 25 | @failed = params ? params[:failed] : {} |
| 27 | 26 | ||
| 28 | @responsible_candidates = profile.members.by_role(profile.roles.reject {|r| !r.has_permission?('perform_task') && !r.has_permission?('view_tasks')}) if profile.organization? | 27 | @responsible_candidates = profile.members.by_role(profile.roles.reject {|r| !r.has_permission?('perform_task') && !r.has_permission?('view_tasks')}) if profile.organization? |
| 29 | 28 | ||
| 30 | @view_only = !current_person.has_permission?(:perform_task, profile) | 29 | @view_only = !current_person.has_permission?(:perform_task, profile) |
| 30 | + | ||
| 31 | end | 31 | end |
| 32 | 32 | ||
| 33 | def processed | 33 | def processed |
app/helpers/comment_helper.rb
| @@ -66,7 +66,7 @@ module CommentHelper | @@ -66,7 +66,7 @@ module CommentHelper | ||
| 66 | 66 | ||
| 67 | def link_for_edit(comment) | 67 | def link_for_edit(comment) |
| 68 | if comment.can_be_updated_by?(user) | 68 | if comment.can_be_updated_by?(user) |
| 69 | - {:link => expirable_comment_link(comment, :edit, _('Edit'), url_for(:profile => profile.identifier, :controller => :comment, :action => :edit, :id => comment.id),:class => 'modal')} | 69 | + {:link => expirable_comment_link(comment, :edit, _('Edit'), url_for(:profile => profile.identifier, :controller => :comment, :action => :edit, :id => comment.id), :modal => true)} |
| 70 | end | 70 | end |
| 71 | end | 71 | end |
| 72 | 72 |
| @@ -0,0 +1,25 @@ | @@ -0,0 +1,25 @@ | ||
| 1 | +module SanitizeHelper | ||
| 2 | + | ||
| 3 | + def sanitize_html(text, type= :full_sanitize) | ||
| 4 | + sanitizer(type).sanitize(text, scrubber: permit_scrubber) | ||
| 5 | + end | ||
| 6 | + | ||
| 7 | + def sanitize_link(text) | ||
| 8 | + sanitizer(:white_list).sanitize(text, scrubber:permit_scrubber) | ||
| 9 | + end | ||
| 10 | + | ||
| 11 | +protected | ||
| 12 | + | ||
| 13 | + def permit_scrubber | ||
| 14 | + scrubber = Rails::Html::PermitScrubber.new | ||
| 15 | + scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags | ||
| 16 | + scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes | ||
| 17 | + scrubber | ||
| 18 | + end | ||
| 19 | + | ||
| 20 | + def sanitizer type = :full_sanitize | ||
| 21 | + return HTML::WhiteListSanitizer.new if type == :white_list | ||
| 22 | + HTML::FullSanitizer.new | ||
| 23 | + end | ||
| 24 | + | ||
| 25 | +end |
app/models/article.rb
| 1 | 1 | ||
| 2 | class Article < ActiveRecord::Base | 2 | class Article < ActiveRecord::Base |
| 3 | 3 | ||
| 4 | + include SanitizeHelper | ||
| 5 | + | ||
| 4 | attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent, | 6 | attr_accessible :name, :body, :abstract, :profile, :tag_list, :parent, |
| 5 | :allow_members_to_edit, :translation_of_id, :language, | 7 | :allow_members_to_edit, :translation_of_id, :language, |
| 6 | :license_id, :parent_id, :display_posts_in_current_language, | 8 | :license_id, :parent_id, :display_posts_in_current_language, |
| @@ -54,6 +56,7 @@ class Article < ActiveRecord::Base | @@ -54,6 +56,7 @@ class Article < ActiveRecord::Base | ||
| 54 | track_actions :create_article, :after_create, :keep_params => [:name, :url, :lead, :first_image], :if => Proc.new { |a| a.is_trackable? && !a.image? } | 56 | track_actions :create_article, :after_create, :keep_params => [:name, :url, :lead, :first_image], :if => Proc.new { |a| a.is_trackable? && !a.image? } |
| 55 | 57 | ||
| 56 | # xss_terminate plugin can't sanitize array fields | 58 | # xss_terminate plugin can't sanitize array fields |
| 59 | + # sanitize_tag_list is used with SanitizeHelper | ||
| 57 | before_save :sanitize_tag_list | 60 | before_save :sanitize_tag_list |
| 58 | 61 | ||
| 59 | before_create do |article| | 62 | before_create do |article| |
| @@ -875,11 +878,6 @@ class Article < ActiveRecord::Base | @@ -875,11 +878,6 @@ class Article < ActiveRecord::Base | ||
| 875 | tag_name.gsub(/[<>]/, '') | 878 | tag_name.gsub(/[<>]/, '') |
| 876 | end | 879 | end |
| 877 | 880 | ||
| 878 | - def sanitize_html(text) | ||
| 879 | - sanitizer = HTML::FullSanitizer.new | ||
| 880 | - sanitizer.sanitize(text) | ||
| 881 | - end | ||
| 882 | - | ||
| 883 | def parent_archived? | 881 | def parent_archived? |
| 884 | if self.parent_id_changed? && self.parent && self.parent.archived? | 882 | if self.parent_id_changed? && self.parent && self.parent.archived? |
| 885 | errors.add(:parent_folder, N_('is archived!!')) | 883 | errors.add(:parent_folder, N_('is archived!!')) |
app/models/link_list_block.rb
| 1 | class LinkListBlock < Block | 1 | class LinkListBlock < Block |
| 2 | 2 | ||
| 3 | + include SanitizeHelper | ||
| 4 | + | ||
| 3 | attr_accessible :links | 5 | attr_accessible :links |
| 4 | 6 | ||
| 5 | ICONS = [ | 7 | ICONS = [ |
| @@ -85,9 +87,4 @@ class LinkListBlock < Block | @@ -85,9 +87,4 @@ class LinkListBlock < Block | ||
| 85 | end | 87 | end |
| 86 | end | 88 | end |
| 87 | 89 | ||
| 88 | - def sanitize_link(text) | ||
| 89 | - sanitizer = HTML::WhiteListSanitizer.new | ||
| 90 | - sanitizer.sanitize(text) | ||
| 91 | - end | ||
| 92 | - | ||
| 93 | end | 90 | end |
app/models/scrap.rb
| 1 | class Scrap < ActiveRecord::Base | 1 | class Scrap < ActiveRecord::Base |
| 2 | 2 | ||
| 3 | + include SanitizeHelper | ||
| 4 | + | ||
| 3 | attr_accessible :content, :sender_id, :receiver_id, :scrap_id | 5 | attr_accessible :content, :sender_id, :receiver_id, :scrap_id |
| 4 | 6 | ||
| 5 | SEARCHABLE_FIELDS = { | 7 | SEARCHABLE_FIELDS = { |
| @@ -41,8 +43,7 @@ class Scrap < ActiveRecord::Base | @@ -41,8 +43,7 @@ class Scrap < ActiveRecord::Base | ||
| 41 | end | 43 | end |
| 42 | 44 | ||
| 43 | def strip_all_html_tags | 45 | def strip_all_html_tags |
| 44 | - sanitizer = HTML::WhiteListSanitizer.new | ||
| 45 | - self.content = sanitizer.sanitize(self.content, :tags => []) | 46 | + self.content = sanitize_html(self.content) |
| 46 | end | 47 | end |
| 47 | 48 | ||
| 48 | def action_tracker_target | 49 | def action_tracker_target |
app/models/task.rb
| @@ -347,6 +347,7 @@ class Task < ActiveRecord::Base | @@ -347,6 +347,7 @@ class Task < ActiveRecord::Base | ||
| 347 | where [environment_condition, profile_condition].compact.join(' OR ') | 347 | where [environment_condition, profile_condition].compact.join(' OR ') |
| 348 | } | 348 | } |
| 349 | 349 | ||
| 350 | + | ||
| 350 | def self.pending_types_for(profile) | 351 | def self.pending_types_for(profile) |
| 351 | Task.to(profile).pending.select('distinct type').map { |t| [t.class.name, t.title] } | 352 | Task.to(profile).pending.select('distinct type').map { |t| [t.class.name, t.title] } |
| 352 | end | 353 | end |
app/models/textile_article.rb
| 1 | class TextileArticle < TextArticle | 1 | class TextileArticle < TextArticle |
| 2 | + include SanitizeHelper | ||
| 2 | 3 | ||
| 3 | def self.short_description | 4 | def self.short_description |
| 4 | _('Text article with Textile markup language') | 5 | _('Text article with Textile markup language') |
| @@ -31,10 +32,9 @@ class TextileArticle < TextArticle | @@ -31,10 +32,9 @@ class TextileArticle < TextArticle | ||
| 31 | protected | 32 | protected |
| 32 | 33 | ||
| 33 | def convert_to_html(textile) | 34 | def convert_to_html(textile) |
| 34 | - @@sanitizer ||= HTML::WhiteListSanitizer.new | ||
| 35 | converter = RedCloth.new(textile|| '') | 35 | converter = RedCloth.new(textile|| '') |
| 36 | converter.hard_breaks = false | 36 | converter.hard_breaks = false |
| 37 | - @@sanitizer.sanitize(converter.to_html) | 37 | + sanitize_html(converter.to_html, :white_list) |
| 38 | end | 38 | end |
| 39 | 39 | ||
| 40 | end | 40 | end |
app/views/tasks/index.html.erb
| @@ -21,18 +21,18 @@ | @@ -21,18 +21,18 @@ | ||
| 21 | </div> | 21 | </div> |
| 22 | <% end %> | 22 | <% end %> |
| 23 | 23 | ||
| 24 | -<%= form_tag '#', :method => 'get' do %> | ||
| 25 | - <%= field_set_tag _('Filter'), :class => 'filter_fields' do %> | ||
| 26 | - <p> | ||
| 27 | - <%= labelled_select(_('Type of task')+': ', :filter_type, :first, :last, @filter_type, type_collection, {:id => 'filter-type'}) %> | ||
| 28 | - </p> | ||
| 29 | - <p> | ||
| 30 | - <%= labelled_text_field(_("Text filter")+': ', :filter_text, nil, {:id => 'filter-text',:value => @filter_text}) %> | ||
| 31 | - </p> | ||
| 32 | - <% if profile.organization? %> | ||
| 33 | - <p> | ||
| 34 | - <%= labelled_select(_('Assigned to')+': ', :filter_responsible, :id, :name, @filter_responsible, [OpenStruct.new(:name => _('All'), :id => nil), OpenStruct.new(:name => _('Unassigned'), :id => -1)] + @responsible_candidates, :class => 'filter_responsible') %> | ||
| 35 | - </p> | 24 | +<%= form_tag '#', :method => 'post' do %> |
| 25 | + | ||
| 26 | + <%= field_set_tag _('Filter'), :class => 'filter_fields' do %> | ||
| 27 | + <p> | ||
| 28 | + <%= labelled_select(_('Type of task')+': ', :filter_type, :first, :last, @filter_type, type_collection, {:id => 'filter-type'}) %> | ||
| 29 | + </p> | ||
| 30 | + <p> | ||
| 31 | + <%= labelled_text_field(_("Text filter")+': ', :filter_text, nil, {:id => 'filter-text-autocomplete',:value => @filter_text}) %> | ||
| 32 | + </p> | ||
| 33 | + <p> | ||
| 34 | + <%= submit_button(:search, _('Search')) %> | ||
| 35 | + </p> | ||
| 36 | <% end %> | 36 | <% end %> |
| 37 | <p> | 37 | <p> |
| 38 | <%= labelled_select(_('Tags')+': ', :filter_tags, :id, :name, @filter_tags, @task_tags, {:id => 'filter-add-tag'}) %> | 38 | <%= labelled_select(_('Tags')+': ', :filter_tags, :id, :name, @filter_tags, @task_tags, {:id => 'filter-add-tag'}) %> |
| @@ -44,7 +44,6 @@ | @@ -44,7 +44,6 @@ | ||
| 44 | </p> | 44 | </p> |
| 45 | <% end %> | 45 | <% end %> |
| 46 | <% end %> | 46 | <% end %> |
| 47 | - | ||
| 48 | <% if @tasks.empty? %> | 47 | <% if @tasks.empty? %> |
| 49 | <p> | 48 | <p> |
| 50 | <em><%= _('No pending tasks for %s') % profile.name %></em> | 49 | <em><%= _('No pending tasks for %s') % profile.name %></em> |
| @@ -64,7 +63,7 @@ | @@ -64,7 +63,7 @@ | ||
| 64 | <p> | 63 | <p> |
| 65 | <%= labelled_select(_("Set all to: "), 'set-decisions', 'first', 'last', nil, [['',""],['accept',_("Accept")],['reject',_("Reject")],['skip',_("Skip")]], :id => "up-set-all-tasks-to") %> | 64 | <%= labelled_select(_("Set all to: "), 'set-decisions', 'first', 'last', nil, [['',""],['accept',_("Accept")],['reject',_("Reject")],['skip',_("Skip")]], :id => "up-set-all-tasks-to") %> |
| 66 | </p> | 65 | </p> |
| 67 | - <% end %> | 66 | + <% end %> |
| 68 | 67 | ||
| 69 | <div class="task_boxes"> | 68 | <div class="task_boxes"> |
| 70 | <% @tasks.each do |task| %> | 69 | <% @tasks.each do |task| %> |
| @@ -73,11 +72,11 @@ | @@ -73,11 +72,11 @@ | ||
| 73 | </div> | 72 | </div> |
| 74 | 73 | ||
| 75 | <% unless @view_only %> | 74 | <% unless @view_only %> |
| 76 | - <p> | ||
| 77 | - <%= labelled_select(_("Set all to: "), 'set-decisions', 'first', 'last', nil, [['',""],['accept',_("Accept")],['reject',_("Reject")],['skip',_("Skip")]], :id => "down-set-all-tasks-to") %> | ||
| 78 | - </p> | 75 | + <p> |
| 76 | + <%= labelled_select(_("Set all to: "), 'set-decisions', 'first', 'last', nil, [['',""],['accept',_("Accept")],['reject',_("Reject")],['skip',_("Skip")]], :id => "down-set-all-tasks-to") %> | ||
| 77 | + </p> | ||
| 79 | <% end %> | 78 | <% end %> |
| 80 | - </ul> | 79 | + </ul> |
| 81 | 80 | ||
| 82 | <script> | 81 | <script> |
| 83 | jQuery('.tag-list').inputosaurus({ | 82 | jQuery('.tag-list').inputosaurus({ |
config/application.rb
| @@ -15,6 +15,21 @@ module Noosfero | @@ -15,6 +15,21 @@ module Noosfero | ||
| 15 | 15 | ||
| 16 | require 'noosfero/plugin' | 16 | require 'noosfero/plugin' |
| 17 | 17 | ||
| 18 | + # The plugin xss_terminator(located in vendor/plugins/xss_terminator) and the helper | ||
| 19 | + # SanitizeHelper(located in app/helpers/sanitize_helper.rb) use | ||
| 20 | + # ALLOWED_TAGS and ALLOWED_ATTRIBUTES to make a sanitize with html. | ||
| 21 | + | ||
| 22 | + ALLOWED_TAGS = %w(object embed param table tr th td applet comment iframe audio video source | ||
| 23 | + strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1 | ||
| 24 | + h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins a) | ||
| 25 | + | ||
| 26 | + ALLOWED_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width | ||
| 27 | + vspace hspace heigth value type data style target codebase archive data-macro align border | ||
| 28 | + classid code flashvars scrolling frameborder controls autoplay colspan id rowspan) | ||
| 29 | + | ||
| 30 | + config.action_view.sanitized_allowed_tags = ALLOWED_TAGS | ||
| 31 | + config.action_view.sanitized_allowed_attributes = ALLOWED_ATTRIBUTES | ||
| 32 | + | ||
| 18 | require 'noosfero/multi_tenancy' | 33 | require 'noosfero/multi_tenancy' |
| 19 | config.middleware.use Noosfero::MultiTenancy::Middleware | 34 | config.middleware.use Noosfero::MultiTenancy::Middleware |
| 20 | 35 |
config/initializers/sanitizer.rb
| @@ -1,14 +0,0 @@ | @@ -1,14 +0,0 @@ | ||
| 1 | -require 'loofah/helpers' | ||
| 2 | - | ||
| 3 | -ActionView::Base.full_sanitizer = Loofah::Helpers::ActionView::FullSanitizer.new | ||
| 4 | -ActionView::Base.white_list_sanitizer = Loofah::Helpers::ActionView::WhiteListSanitizer.new | ||
| 5 | - | ||
| 6 | -Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2.merge %w[ | ||
| 7 | - img object embed param table tr th td applet comment iframe audio video source | ||
| 8 | -] | ||
| 9 | - | ||
| 10 | -Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES.merge %w[ | ||
| 11 | - align border alt vspace hspace width heigth value type data | ||
| 12 | - style target codebase archive classid code flashvars scrolling frameborder controls autoplay colspan | ||
| 13 | -] | ||
| 14 | - |
lib/sanitize_params.rb
| @@ -2,40 +2,40 @@ module SanitizeParams | @@ -2,40 +2,40 @@ module SanitizeParams | ||
| 2 | 2 | ||
| 3 | protected | 3 | protected |
| 4 | 4 | ||
| 5 | - # Check each request parameter for | ||
| 6 | - # improper HTML or Script tags | ||
| 7 | - def sanitize_params | ||
| 8 | - sanitize_params_hash(request.params) | ||
| 9 | - end | 5 | + # Check each request parameter for |
| 6 | + # improper HTML or Script tags | ||
| 7 | + def sanitize_params | ||
| 8 | + sanitize_params_hash(params) | ||
| 9 | + end | ||
| 10 | 10 | ||
| 11 | - # Given a params list sanitize all | ||
| 12 | - def sanitize_params_hash(params) | ||
| 13 | - params.each { |k, v| | ||
| 14 | - if v.is_a?(String) | ||
| 15 | - params[k] = sanitize_param v | ||
| 16 | - elsif v.is_a?(Array) | ||
| 17 | - params[k] = sanitize_array v | ||
| 18 | - elsif v.kind_of?(Hash) | ||
| 19 | - params[k] = sanitize_params_hash(v) | ||
| 20 | - end | ||
| 21 | - } | ||
| 22 | - end | 11 | + # Given a params list sanitize all |
| 12 | + def sanitize_params_hash(params) | ||
| 13 | + params.each { |k, v| | ||
| 14 | + if v.is_a?(String) | ||
| 15 | + params[k] = sanitize_param v | ||
| 16 | + elsif v.is_a?(Array) | ||
| 17 | + params[k] = sanitize_array v | ||
| 18 | + elsif v.kind_of?(Hash) | ||
| 19 | + params[k] = sanitize_params_hash(v) | ||
| 20 | + end | ||
| 21 | + } | ||
| 22 | + end | ||
| 23 | 23 | ||
| 24 | - # If the parameter was an array, | ||
| 25 | - # try to sanitize each element in the array | ||
| 26 | - def sanitize_array(array) | ||
| 27 | - array.map! { |e| | ||
| 28 | - if e.is_a?(String) | ||
| 29 | - sanitize_param e | ||
| 30 | - end | ||
| 31 | - } | ||
| 32 | - return array | ||
| 33 | - end | 24 | + # If the parameter was an array, |
| 25 | + # try to sanitize each element in the array | ||
| 26 | + def sanitize_array(array) | ||
| 27 | + array.map! { |e| | ||
| 28 | + if e.is_a?(String) | ||
| 29 | + sanitize_param e | ||
| 30 | + end | ||
| 31 | + } | ||
| 32 | + return array | ||
| 33 | + end | ||
| 34 | 34 | ||
| 35 | - # Santitize a single value | ||
| 36 | - def sanitize_param(value) | ||
| 37 | - allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | ||
| 38 | - ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | ||
| 39 | - end | 35 | + # Santitize a single value |
| 36 | + def sanitize_param(value) | ||
| 37 | + allowed_tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) | ||
| 38 | + ActionController::Base.helpers.sanitize(value, tags: allowed_tags, attributes: %w(href title)) | ||
| 39 | + end | ||
| 40 | 40 | ||
| 41 | -end | 41 | +end |
test/functional/search_controller_test.rb
| @@ -788,15 +788,18 @@ class SearchControllerTest < ActionController::TestCase | @@ -788,15 +788,18 @@ class SearchControllerTest < ActionController::TestCase | ||
| 788 | injection = '<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>SearchParam' | 788 | injection = '<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>SearchParam' |
| 789 | get :tag, :tag => injection | 789 | get :tag, :tag => injection |
| 790 | tag = assigns(:tag) | 790 | tag = assigns(:tag) |
| 791 | - assert !tag.upcase.include?('IMG') && tag.include?('SearchParam') | 791 | + assert !tag.upcase.include?('IMG') |
| 792 | + assert tag.include?('SearchParam') | ||
| 792 | end | 793 | end |
| 793 | 794 | ||
| 794 | - should 'not allow query injection array' do | ||
| 795 | - injection = ['<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>', '<script>document.innerHTML = \'x\'</script>'] | 795 | + should 'not allow query injection in array' do |
| 796 | + injection = ['<iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>', | ||
| 797 | + '<script>document.innerHTML = \'x\'</script>'] | ||
| 796 | get :tag, :tag => injection | 798 | get :tag, :tag => injection |
| 797 | tag = assigns(:tag) | 799 | tag = assigns(:tag) |
| 798 | - tag.each { |t| | ||
| 799 | - assert !t.upcase.include?('IMG') && !t.upcase.include?('SCRIPT') | 800 | + tag.each { |t| |
| 801 | + assert !t.upcase.include?('IMG') | ||
| 802 | + assert !t.upcase.include?('SCRIPT') | ||
| 800 | } | 803 | } |
| 801 | end | 804 | end |
| 802 | 805 |
test/functional/tasks_controller_test.rb
| @@ -4,6 +4,7 @@ require 'tasks_controller' | @@ -4,6 +4,7 @@ require 'tasks_controller' | ||
| 4 | class TasksControllerTest < ActionController::TestCase | 4 | class TasksControllerTest < ActionController::TestCase |
| 5 | 5 | ||
| 6 | self.default_params = {profile: 'testuser'} | 6 | self.default_params = {profile: 'testuser'} |
| 7 | + | ||
| 7 | def setup | 8 | def setup |
| 8 | @controller = TasksController.new | 9 | @controller = TasksController.new |
| 9 | @request = ActionController::TestRequest.new | 10 | @request = ActionController::TestRequest.new |
| @@ -28,12 +29,12 @@ class TasksControllerTest < ActionController::TestCase | @@ -28,12 +29,12 @@ class TasksControllerTest < ActionController::TestCase | ||
| 28 | end | 29 | end |
| 29 | 30 | ||
| 30 | should 'get filtered tasks to autocomplete text field' do | 31 | should 'get filtered tasks to autocomplete text field' do |
| 31 | - | 32 | + |
| 32 | #Create a admin user and a simple user | 33 | #Create a admin user and a simple user |
| 33 | profile_admin = create_user('admin_tester').person | 34 | profile_admin = create_user('admin_tester').person |
| 34 | Environment.default.add_admin(profile_admin) | 35 | Environment.default.add_admin(profile_admin) |
| 35 | user = fast_create(Person,:name => 'FakeUser') | 36 | user = fast_create(Person,:name => 'FakeUser') |
| 36 | - | 37 | + |
| 37 | #Create a task of type 'ModerateUserRegistration' | 38 | #Create a task of type 'ModerateUserRegistration' |
| 38 | task_data = { | 39 | task_data = { |
| 39 | :target => Environment.default, | 40 | :target => Environment.default, |
| @@ -41,20 +42,20 @@ class TasksControllerTest < ActionController::TestCase | @@ -41,20 +42,20 @@ class TasksControllerTest < ActionController::TestCase | ||
| 41 | :data => {:user_id => user.id,:name => user.name} | 42 | :data => {:user_id => user.id,:name => user.name} |
| 42 | } | 43 | } |
| 43 | ModerateUserRegistration.create!(task_data) | 44 | ModerateUserRegistration.create!(task_data) |
| 44 | - | 45 | + |
| 45 | #Use admin user to your profile with a pending task above | 46 | #Use admin user to your profile with a pending task above |
| 46 | @controller.stubs(:profile).returns(profile_admin) | 47 | @controller.stubs(:profile).returns(profile_admin) |
| 47 | login_as profile_admin.identifier | 48 | login_as profile_admin.identifier |
| 48 | - | 49 | + |
| 49 | #Perform a http request to 'search_task' action with params | 50 | #Perform a http request to 'search_task' action with params |
| 50 | post :search_tasks, :filter_type =>'ModerateUserRegistration', :filter_text => 'Fak' | 51 | post :search_tasks, :filter_type =>'ModerateUserRegistration', :filter_text => 'Fak' |
| 51 | - | 52 | + |
| 52 | assert_response :success | 53 | assert_response :success |
| 53 | - | 54 | + |
| 54 | #Check if json response matches with a 'FakeUser' | 55 | #Check if json response matches with a 'FakeUser' |
| 55 | json_response = ActiveSupport::JSON.decode(@response.body) | 56 | json_response = ActiveSupport::JSON.decode(@response.body) |
| 56 | value = json_response[0]['value'] | 57 | value = json_response[0]['value'] |
| 57 | - | 58 | + |
| 58 | assert_equal value, 'FakeUser' | 59 | assert_equal value, 'FakeUser' |
| 59 | end | 60 | end |
| 60 | 61 | ||
| @@ -468,13 +469,13 @@ class TasksControllerTest < ActionController::TestCase | @@ -468,13 +469,13 @@ class TasksControllerTest < ActionController::TestCase | ||
| 468 | t2 = CleanHouse.create!(:requestor => requestor, :target => profile) | 469 | t2 = CleanHouse.create!(:requestor => requestor, :target => profile) |
| 469 | t3 = FeedDog.create!(:requestor => requestor, :target => profile) | 470 | t3 = FeedDog.create!(:requestor => requestor, :target => profile) |
| 470 | 471 | ||
| 471 | - get :index, :filter_type => t1.type, :filter_text => 'test' | 472 | + post :index, :filter_type => t1.type, :filter_text => 'test' |
| 472 | 473 | ||
| 473 | assert_includes assigns(:tasks), t1 | 474 | assert_includes assigns(:tasks), t1 |
| 474 | assert_not_includes assigns(:tasks), t2 | 475 | assert_not_includes assigns(:tasks), t2 |
| 475 | assert_not_includes assigns(:tasks), t3 | 476 | assert_not_includes assigns(:tasks), t3 |
| 476 | 477 | ||
| 477 | - get :index | 478 | + post :index |
| 478 | 479 | ||
| 479 | assert_includes assigns(:tasks), t1 | 480 | assert_includes assigns(:tasks), t1 |
| 480 | assert_includes assigns(:tasks), t2 | 481 | assert_includes assigns(:tasks), t2 |
vendor/plugins/xss_terminate/lib/xss_terminate.rb
| 1 | module XssTerminate | 1 | module XssTerminate |
| 2 | - ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width) | ||
| 3 | - ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro) | ||
| 4 | 2 | ||
| 5 | def self.sanitize_by_default=(value) | 3 | def self.sanitize_by_default=(value) |
| 6 | @@sanitize_by_default = value | 4 | @@sanitize_by_default = value |
| @@ -40,30 +38,33 @@ module XssTerminate | @@ -40,30 +38,33 @@ module XssTerminate | ||
| 40 | 38 | ||
| 41 | module InstanceMethods | 39 | module InstanceMethods |
| 42 | 40 | ||
| 43 | - def sanitize_allowed_attributes | ||
| 44 | - ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES | ||
| 45 | - end | ||
| 46 | - | ||
| 47 | def sanitize_field(sanitizer, field, serialized = false) | 41 | def sanitize_field(sanitizer, field, serialized = false) |
| 48 | field = field.to_sym | 42 | field = field.to_sym |
| 49 | if serialized | 43 | if serialized |
| 50 | puts field | 44 | puts field |
| 51 | self[field].each_key { |key| | 45 | self[field].each_key { |key| |
| 52 | key = key.to_sym | 46 | key = key.to_sym |
| 53 | - self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes) | 47 | + self[field][key] = sanitizer.sanitize(self[field][key], encode_special_chars: false, scrubber: permit_scrubber ) |
| 54 | } | 48 | } |
| 55 | else | 49 | else |
| 56 | if self[field] | 50 | if self[field] |
| 57 | - self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes) | 51 | + self[field] = sanitizer.sanitize(self[field], encode_special_chars: false, scrubber: permit_scrubber ) |
| 58 | else | 52 | else |
| 59 | value = self.send("#{field}") | 53 | value = self.send("#{field}") |
| 60 | return unless value | 54 | return unless value |
| 61 | - value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes) | 55 | + value = sanitizer.sanitize(value, encode_special_chars: false, scrubber: permit_scrubber) |
| 62 | self.send("#{field}=", value) | 56 | self.send("#{field}=", value) |
| 63 | end | 57 | end |
| 64 | end | 58 | end |
| 65 | end | 59 | end |
| 66 | 60 | ||
| 61 | + def permit_scrubber | ||
| 62 | + scrubber = Rails::Html::PermitScrubber.new | ||
| 63 | + scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags | ||
| 64 | + scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes | ||
| 65 | + scrubber | ||
| 66 | + end | ||
| 67 | + | ||
| 67 | def sanitize_columns(with = :full) | 68 | def sanitize_columns(with = :full) |
| 68 | columns_serialized = self.class.serialized_attributes.keys | 69 | columns_serialized = self.class.serialized_attributes.keys |
| 69 | only = eval "xss_terminate_#{with}_options[:only]" | 70 | only = eval "xss_terminate_#{with}_options[:only]" |
| @@ -75,27 +76,20 @@ module XssTerminate | @@ -75,27 +76,20 @@ module XssTerminate | ||
| 75 | end | 76 | end |
| 76 | 77 | ||
| 77 | def sanitize_fields_with_full | 78 | def sanitize_fields_with_full |
| 78 | - sanitizer = Rails::Html::FullSanitizer.new | ||
| 79 | - columns, columns_serialized = sanitize_columns(:full) | ||
| 80 | - columns.each do |column| | ||
| 81 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | ||
| 82 | - end | 79 | + sanitize_fields_with(Rails::Html::FullSanitizer.new,:full) |
| 83 | end | 80 | end |
| 84 | 81 | ||
| 85 | def sanitize_fields_with_white_list | 82 | def sanitize_fields_with_white_list |
| 86 | - sanitizer = Rails::Html::WhiteListSanitizer.new | ||
| 87 | - columns, columns_serialized = sanitize_columns(:white_list) | ||
| 88 | - columns.each do |column| | ||
| 89 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | ||
| 90 | - end | ||
| 91 | - end | 83 | + sanitize_fields_with(Rails::Html::WhiteListSanitizer.new,:white_list) |
| 84 | + end | ||
| 92 | 85 | ||
| 93 | def sanitize_fields_with_html5lib | 86 | def sanitize_fields_with_html5lib |
| 94 | - sanitizer = HTML5libSanitize.new | ||
| 95 | - columns = sanitize_columns(:html5lib) | ||
| 96 | - columns.each do |column| | ||
| 97 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | ||
| 98 | - end | 87 | + sanitize_fields_with(HTML5libSanitize.new,:html5lib) |
| 88 | + end | ||
| 89 | + | ||
| 90 | + def sanitize_fields_with sanitizer, type | ||
| 91 | + columns, columns_serialized = sanitize_columns(type) | ||
| 92 | + columns.each {|column| sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))} | ||
| 99 | end | 93 | end |
| 100 | 94 | ||
| 101 | end | 95 | end |