ActionItem1176: (again) Links in WYSIWYG keep changing & to &amp in each edition

Joenio Costa · Antonio Terceiro
1 parent 2b38e038
Showing 3 changed files with 34 additions and 17 deletions Show diff stats
app/views/shared/tiny_mce.rhtml
test/unit/tiny_mce_article_test.rb
vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb
@@ -24,7 +24,7 @@ tinyMCE.init({
         apply_source_formatting : true,
         content_css: '/stylesheets/tinymce.css',
         language: <%= tinymce_language.inspect %>,
-        cleanup_callback : "customCleanup"
+        entity_encoding: 'raw'
         });
  
 function convertWord(type, content) {
@@ -43,16 +43,4 @@ function convertWord(type, content) {
   return content;
 }
  
-function customCleanup(type, value) {
-  switch (type) {
-    case "get_from_editor":
-      value = value.replace(/&amp;amp;/g,"&amp;");
-		break;
-    case "insert_to_editor":
-      value = value.replace(/&amp;amp;/g,"&amp;");
-		break;
-  }
-  return value;
-}
-
 </script>
@@ -4,7 +4,9 @@ class TinyMceArticleTest &lt; Test::Unit::TestCase
  
   def setup
     Article.rebuild_index
+    @profile = create_user('zezinho').person
   end
+  attr_reader :profile
  
   # this test can be removed when we get real tests for TinyMceArticle 
   should 'be an article' do
@@ -20,16 +22,21 @@ class TinyMceArticleTest &lt; Test::Unit::TestCase
   end
  
   should 'be found when searching for articles by query' do
-    ze = create_user('zezinho').person
-    tma = TinyMceArticle.create!(:name => 'test tinymce article', :body => '---', :profile => ze)
+    tma = TinyMceArticle.create!(:name => 'test tinymce article', :body => '---', :profile => profile)
     assert_includes TinyMceArticle.find_by_contents('article'), tma
     assert_includes Article.find_by_contents('article'), tma
   end
  
   should 'not sanitize target attribute' do
-    ze = create_user('zezinho').person
-    article = TinyMceArticle.create!(:name => 'open link in new window', :body => "open <a href='www.invalid.com' target='_blank'>link</a> in new window", :profile => ze)
+    article = TinyMceArticle.create!(:name => 'open link in new window', :body => "open <a href='www.invalid.com' target='_blank'>link</a> in new window", :profile => profile)
     assert_tag_in_string article.body, :tag => 'a', :attributes => {:target => '_blank'}
   end
  
+  should 'not translate & to amp; over times' do
+    article = TinyMceArticle.create!(:name => 'link', :body => "<a href='www.invalid.com?param1=value&param2=value'>link</a>", :profile => profile)
+    assert article.save
+    assert_no_match /&amp;amp;/, article.body
+    assert_match /&amp;/, article.body
+  end
+
 end
@@ -0,0 +1,22 @@
+# monkey patch to fix WhiteListSanitizer bug
+# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for
+#
+# this was solved in rails 2.2.1, then remove this patch when upgrade to it
+
+HTML::WhiteListSanitizer.module_eval do
+  # unescape before reescape to avoid:
+  # & -> &amp; -> &amp;amp; -> &amp;amp;amp; -> &amp;amp;amp;amp; -> etc
+  protected
+  def process_attributes_for(node, options)
+    return unless node.attributes
+    node.attributes.keys.each do |attr_name|
+      value = node.attributes[attr_name].to_s
+
+      if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
+        node.attributes.delete(attr_name)
+      else
+        node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
+      end
+    end
+  end
+end
...	...	@@ -24,7 +24,7 @@ tinyMCE.init({
24	24	apply_source_formatting : true,
25	25	content_css: '/stylesheets/tinymce.css',
26	26	language: <%= tinymce_language.inspect %>,
27		- cleanup_callback : "customCleanup"
	27	+ entity_encoding: 'raw'
28	28	});
29	29
30	30	function convertWord(type, content) {
...	...	@@ -43,16 +43,4 @@ function convertWord(type, content) {
43	43	return content;
44	44	}
45	45
46		-function customCleanup(type, value) {
47		- switch (type) {
48		- case "get_from_editor":
49		- value = value.replace(/&amp;/g,"&");
50		- break;
51		- case "insert_to_editor":
52		- value = value.replace(/&amp;/g,"&");
53		- break;
54		- }
55		- return value;
56		-}
57		-
58	46	</script>
...	...
...	...	@@ -4,7 +4,9 @@ class TinyMceArticleTest < Test::Unit::TestCase
4	4
5	5	def setup
6	6	Article.rebuild_index
	7	+ @profile = create_user('zezinho').person
7	8	end
	9	+ attr_reader :profile
8	10
9	11	# this test can be removed when we get real tests for TinyMceArticle
10	12	should 'be an article' do
...	...	@@ -20,16 +22,21 @@ class TinyMceArticleTest < Test::Unit::TestCase
20	22	end
21	23
22	24	should 'be found when searching for articles by query' do
23		- ze = create_user('zezinho').person
24		- tma = TinyMceArticle.create!(:name => 'test tinymce article', :body => '---', :profile => ze)
	25	+ tma = TinyMceArticle.create!(:name => 'test tinymce article', :body => '---', :profile => profile)
25	26	assert_includes TinyMceArticle.find_by_contents('article'), tma
26	27	assert_includes Article.find_by_contents('article'), tma
27	28	end
28	29
29	30	should 'not sanitize target attribute' do
30		- ze = create_user('zezinho').person
31		- article = TinyMceArticle.create!(:name => 'open link in new window', :body => "open <a href='www.invalid.com' target='_blank'>link</a> in new window", :profile => ze)
	31	+ article = TinyMceArticle.create!(:name => 'open link in new window', :body => "open <a href='www.invalid.com' target='_blank'>link</a> in new window", :profile => profile)
32	32	assert_tag_in_string article.body, :tag => 'a', :attributes => {:target => '_blank'}
33	33	end
34	34
	35	+ should 'not translate & to amp; over times' do
	36	+ article = TinyMceArticle.create!(:name => 'link', :body => "<a href='www.invalid.com?param1=value&param2=value'>link</a>", :profile => profile)
	37	+ assert article.save
	38	+ assert_no_match /&amp;/, article.body
	39	+ assert_match /&/, article.body
	40	+ end
	41	+
35	42	end
...	...
...	...	@@ -0,0 +1,22 @@
	1	+# monkey patch to fix WhiteListSanitizer bug
	2	+# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for
	3	+#
	4	+# this was solved in rails 2.2.1, then remove this patch when upgrade to it
	5	+
	6	+HTML::WhiteListSanitizer.module_eval do
	7	+ # unescape before reescape to avoid:
	8	+ # & -> & -> &amp; -> &amp;amp; -> &amp;amp;amp; -> etc
	9	+ protected
	10	+ def process_attributes_for(node, options)
	11	+ return unless node.attributes
	12	+ node.attributes.keys.each do \|attr_name\|
	13	+ value = node.attributes[attr_name].to_s
	14	+
	15	+ if !options[:attributes].include?(attr_name) \|\| contains_bad_protocols?(attr_name, value)
	16	+ node.attributes.delete(attr_name)
	17	+ else
	18	+ node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
	19	+ end
	20	+ end
	21	+ end
	22	+end
...	...