From 1607e1bb3805eaca9bc44349202b0d6ec6010fe3 Mon Sep 17 00:00:00 2001
From: Antonio Terceiro
Date: Tue, 16 Aug 2011 10:22:42 -0700
Subject: [PATCH] Fix TextileArticle
---
 app/models/textile_article.rb | 17 ++++++++++++++++-
 test/unit/textile_article_test.rb | 45 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/app/models/textile_article.rb b/app/models/textile_article.rb
index 8bf2c4d..cf793ad 100644
--- a/app/models/textile_article.rb
+++ b/app/models/textile_article.rb
@@ -9,11 +9,26 @@ class TextileArticle < TextArticle
 end
 def to_html(options ={})
- RedCloth.new(self.body|| '').to_html
+ convert_to_html(body)
+ end
+
+ def lead
+ if abstract.blank?
+ super
+ else
+ convert_to_html(abstract)
+ end
 end
 def notifiable?
 true
 end
+ protected
+
+ def convert_to_html(textile)
+ @@sanitizer ||= HTML::WhiteListSanitizer.new
+ @@sanitizer.sanitize(RedCloth.new(textile|| '').to_html)
+ end
+
 end
diff --git a/test/unit/textile_article_test.rb b/test/unit/textile_article_test.rb
index 7014164..e6758a2 100644
--- a/test/unit/textile_article_test.rb
+++ b/test/unit/textile_article_test.rb
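Review bot: The new `lead` sanitizes only the abstract branch; when `abstract.blank?` it returns `super`, so whether that fallback markup is sanitized depends on `TextArticle#lead`, which is outside this hunk and not visible here, and is worth confirming since `convert_to_html` is now the only path in this file known to pass through `HTML::WhiteListSanitizer`. In `convert_to_html`, `@@sanitizer` is a class variable shared across the whole inheritance tree below `TextileArticle`, and `||=` memoisation of it is racy under a threaded server; a constant `SANITIZER = HTML::WhiteListSanitizer.new` (or a class-instance variable) gives the same reuse without the shared-state surprise. I would also add a comment above the method, `# Always run RedCloth output through the white-list sanitizer: Textile alone does not strip script tags or event-handler attributes.`, so a later refactor does not drop the wrapper. `to_html` still ignores its `options` argument, as it did before this change.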
@@ -145,4 +145,49 @@ class TextileArticleTest < Test::Unit::TestCase
 assert_equal false, a.advertise?
 assert_equal false, a.is_trackable?
 end
+
+ should 'generate proper HTML for links' do
+ assert_tag_in_string build_article('"Noosfero":http://noosfero.org/').to_html, :tag => 'a', :attributes => { :href => 'http://noosfero.org/' }
+ end
+
+ should 'generate proper HTML for > symbols' do
+ assert_match /^sqlite>$/, build_article(' sqlite>').to_html
+ end
+
+ should 'not mess up with textile markup' do
+ assert_equal ' sqlite> stuff', build_article(' sqlite> stuff').body
+ noosfero_cool = '"Noosfero":http://noosfero.org/ is a very cool project'
+ assert_equal noosfero_cool, build_article(noosfero_cool).body
+ end
+
+ should 'not allow arbitrary HTML' do
+ assert_not_equal '', build_article('').to_html
+ end
+
+ should 'not allow Javascript on links' do
+ assert_no_tag_in_string build_article('').to_html, :tag => 'a', :attributes => { :href => /./, :onclick => /./ }
+ end
+
+ should 'allow harmless HTML' do
+ code = "
  code example\n
"
+ assert_equal code, build_article(code).body
+ assert_equal code, build_article(code).to_html
+ end
+
+ should 'use Textile markup for lead as well' do
+ assert_tag_in_string build_article(nil, :abstract => '"Noosfero":http://noosfero.org/').lead, :tag => 'a', :attributes => { :href => 'http://noosfero.org/' }
+ end
+
+ should 'not allow arbitrary HTML in the lead' do
+ assert_not_equal '', build_article(nil, :abstract => '').lead
+ end
+
+ protected
+
+ def build_article(input = nil, options = {})
+ article = TextileArticle.new({:body => input}.merge(options))
+ article.valid? # trigger the xss terminate thingy
+ article
+ end
+
 end
-- libgit2 0.21.2
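Review bot: The 'not allow Javascript on links' test only asserts that no `<a>` carries both an `href` and an `onclick`, so it does not cover a `javascript:` href written in plain Textile link syntax, which RedCloth may emit unchanged and which the sanitizer is expected to strip; I would add a case such as `assert_no_tag_in_string build_article('"x":javascript:alert(1)').to_html, :tag => 'a', :attributes => { :href => /javascript/i }`. The markup literals in this rendering of the patch appear to have been stripped (several `build_article('')` calls), so the exact strings the existing negative tests exercise cannot be checked from here. In `build_article`, the comment `# trigger the xss terminate thingy` names a side effect the whole suite relies on; something like `# valid? is called so the xss_terminate filter runs on body, as it would before a save` would tell a reader why the call is there. `assert_match /^sqlite>$/` uses line anchors, so it passes if any one line of the output is `sqlite>`; `\A`/`\z` would assert the whole rendering.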