Commit 4820ccb2fd6fc7e827d4f83700ce7bed50c85c5d

Authored by Macartur Sousa
Committed by Rodrigo Souto
1 parent 08165b71

Fixing sanitize xss_terminate

Signed-off-by: Macartur Sousa <macartur.sc@gmail.com>
Signed-off-by: Marcos Ronaldo <marcos.rpj2@gmail.com>
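--- a/config/application.rb
+++ b/config/application.rb
@@ -15,12 +15,17 @@ module Noosfero
 
 require 'noosfero/plugin'
 
-config.action_view.sanitized_allowed_tags |= %w(object embed param table
-tr th td applet comment iframe audio video source)
-config.action_view.sanitized_allowed_attributes |= %w(align border alt
-vspace hspace width heigth value type data style target codebase archive
+ALLOWED_TAGS = %w( object embed param table tr th td applet comment iframe audio video source
+strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1
+h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins)
+
+ALLOWED_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width
+vspace hspace heigth value type data style target codebase archive data-macro align border
 classid code flashvars scrolling frameborder controls autoplay colspan)
 
+config.action_view.sanitized_allowed_tags = ALLOWED_TAGS
+config.action_view.sanitized_allowed_attributes = ALLOWED_ATTRIBUTES
+
 require 'noosfero/multi_tenancy'
 config.middleware.use Noosfero::MultiTenancy::Middleware
 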
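Review bot: The new ALLOWED_TAGS keeps `object`, `embed`, `applet`, `iframe` and `param`, and ALLOWED_ATTRIBUTES keeps `src`, `data`, `codebase`, `archive`, `classid` and `style` next to them, so once this list also drives the model-level scrubber (the xss_terminate change in this commit reads it) every `:white_list` field will persist user-supplied active embeds, not just markup; if that is intended, a comment above `ALLOWED_TAGS` should say which authors are trusted to write such content. As far as I recall, `Rails::Html::PermitScrubber`'s protocol check only covers `href`/`src`-style URI attributes and not `data`, `codebase` or `archive`, so `javascript:`/`data:` values there would survive — worth a test before relying on it. `heigth` on the new attribute line is a typo carried over from the old list; `height` is already present, so the entry can simply be dropped. Both constants are mutable arrays; `ALLOWED_TAGS = %w(...).freeze` and `ALLOWED_ATTRIBUTES = %w(...).freeze` keep a plugin from widening them at runtime. The enclosing class starts and ends outside the hunk.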
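--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -1,6 +1,4 @@
 module XssTerminate
-ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
-ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
 
 def self.sanitize_by_default=(value)
 @@sanitize_by_default = value
@@ -40,30 +38,33 @@ module XssTerminate
 
 module InstanceMethods
 
-def sanitize_allowed_attributes
-ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
-end
-
 def sanitize_field(sanitizer, field, serialized = false)
 field = field.to_sym
 if serialized
 puts field
 self[field].each_key { |key|
 key = key.to_sym
-self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+self[field][key] = sanitizer.sanitize(self[field][key], encode_special_chars: false, scrubber: permit_scrubber )
 }
 else
 if self[field]
-self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+self[field] = sanitizer.sanitize(self[field], encode_special_chars: false, scrubber: permit_scrubber )
 else
 value = self.send("#{field}")
 return unless value
-value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+value = sanitizer.sanitize(value, encode_special_chars: false, scrubber: permit_scrubber)
 self.send("#{field}=", value)
 end
 end
 end
 
+def permit_scrubber
+scrubber = Rails::Html::PermitScrubber.new
+scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
+scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes
+scrubber
+end
+
 def sanitize_columns(with = :full)
 columns_serialized = self.class.serialized_attributes.keys
 only = eval "xss_terminate_#{with}_options[:only]"
@@ -75,27 +76,20 @@ module XssTerminate
 end
 
 def sanitize_fields_with_full
-sanitizer = Rails::Html::FullSanitizer.new
-columns, columns_serialized = sanitize_columns(:full)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
+sanitize_fields_with(Rails::Html::FullSanitizer.new,:full)
 end
 
 def sanitize_fields_with_white_list
-sanitizer = Rails::Html::WhiteListSanitizer.new
-columns, columns_serialized = sanitize_columns(:white_list)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
-end
+sanitize_fields_with(Rails::Html::WhiteListSanitizer.new,:white_list)
+end
 
 def sanitize_fields_with_html5lib
-sanitizer = HTML5libSanitize.new
-columns = sanitize_columns(:html5lib)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
+sanitize_fields_with(HTML5libSanitize.new,:html5lib)
+end
+
+def sanitize_fields_with sanitizer, type
+columns, columns_serialized = sanitize_columns(type)
+columns.each {|column| sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))}
 end
 
 end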
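Review bot: `permit_scrubber` copies the application's view allowlist into the scrubber, so the `:white_list` path now stores whatever `config.action_view.sanitized_allowed_tags` permits — in this commit that includes `iframe`, `object`, `embed` and `applet` — whereas the old `Rails::Html::PermitScrubber.new` with no `tags=` fell back to its built-in safelist (the `attributes:` option is, as far as I recall, ignored once `scrubber:` is given), and the deleted ALLOWED_CORE/CUSTOM_ATTRIBUTES suggest the plugin meant to be narrower than the view layer. If stored HTML should stay narrower than rendered HTML, keep a plugin-owned list and intersect rather than copy, e.g. `scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags & PLUGIN_ALLOWED_TAGS`, and add a comment above `permit_scrubber` stating that the list is shared with the `sanitize` view helper so nobody widens one without the other. `permit_scrubber` is also a public instance method on every model including InstanceMethods and is rebuilt for every key of a serialized column; placing it under `private` keeps the model surface small. `def sanitize_fields_with sanitizer, type` drops the parentheses every other definition in the file uses. The `puts field` context line just above the first rewritten call still prints every serialized column name on save and should go with this cleanup.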