Commit 34f4326dc53efd5ce1e1b964d6a7e29a92631343

Authored by Victor Costa
1 parent 7e1172c4

Allow trusted url without protocol for iframe in tinymce

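--- a/lib/white_list_filter.rb
+++ b/lib/white_list_filter.rb
@@ -9,7 +9,7 @@ module WhiteListFilter
 unless iframe =~ /src=['"].*src=['"]/
 trusted_sites.each do |trusted_site|
 re_dom = trusted_site.gsub('.', '\.')
-if iframe =~ /src=["']https?:\/\/(www\.)?#{re_dom}\//
+if iframe =~ /src=["'](https?:)?\/\/(www\.)?#{re_dom}\//
 result = iframe
 end
 end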
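Review bot: The widened pattern on the `if iframe =~` line is still not tied to the iframe's real `src` attribute: `src=` is unanchored, so it can also match inside another attribute name ending in `src=` or inside an attribute value, and the allowlist decision is then made on text the browser does not load. Requiring a boundary before the attribute, `if iframe =~ /\ssrc=["'](https?:)?\/\/(www\.)?#{re_dom}\//`, narrows this; parsing the tag and comparing the URL host would be stricter. On the context line above, `trusted_site.gsub('.', '\.')` escapes only dots, so `re_dom = Regexp.escape(trusted_site)` is safer if a configured site ever contains other regex metacharacters. A scheme-less `//host/` URL inherits the embedding page's scheme, which is worth a one-line comment next to the pattern. The enclosing method starts and ends outside the hunk.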
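--- a/test/unit/white_list_filter_test.rb
+++ b/test/unit/white_list_filter_test.rb
@@ -40,6 +40,15 @@ class WhiteListFilterTest < ActiveSupport::TestCase
 assert_equal "<iframe src='http://avideosite.com/videos.ogg'></iframe>", check_iframe_on_content(content, environment.trusted_sites_for_iframe)
 end
 
+should 'allow iframe if it is from a trusted site and protocol was not specified' do
+env = Environment.default
+env.trusted_sites_for_iframe = ['avideosite.com']
+env.save
+assert_includes Environment.default.trusted_sites_for_iframe, 'avideosite.com'
+content = "<iframe src='//avideosite.com/videos.ogg'></iframe>"
+assert_equal "<iframe src='//avideosite.com/videos.ogg'></iframe>", check_iframe_on_content(content, environment.trusted_sites_for_iframe)
+end
+
 should 'remove only the iframe from untrusted site' do
 content = "<iframe src='http://stream.softwarelivre.org/videos.ogg'></iframe><iframe src='http://untrusted_site.com/videos.ogg'></iframe>"
 assert_equal "<iframe src='http://stream.softwarelivre.org/videos.ogg'></iframe>", check_iframe_on_content(content, environment.trusted_sites_for_iframe)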
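Review bot: The new test covers only the accepting path; nothing asserts that a scheme-less URL pointing at a host outside the allowlist is still stripped, which is the case the optional `(https?:)?` group could regress. A sibling case with `content = "<iframe src='//untrusted_site.com/videos.ogg'></iframe>"` and an assertion that the iframe is absent from the result would pin that. The test also saves into `Environment.default` but reads the list from `environment`, which is defined outside the hunk; presumably both are the same record, but that is worth confirming so the assertion exercises the list set here.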