Commit 4820ccb2fd6fc7e827d4f83700ce7bed50c85c5d

Authored by Macartur Sousa
Committed by Rodrigo Souto
1 parent 08165b71

Fixing sanitize xss_terminate

Signed-off-by: Macartur Sousa <macartur.sc@gmail.com>
Signed-off-by: Marcos Ronaldo <marcos.rpj2@gmail.com>
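--- a/config/application.rb
+++ b/config/application.rb
@@ -15,12 +15,17 @@ module Noosfero
 
 require 'noosfero/plugin'
 
-config.action_view.sanitized_allowed_tags |= %w(object embed param table
-tr th td applet comment iframe audio video source)
-config.action_view.sanitized_allowed_attributes |= %w(align border alt
-vspace hspace width heigth value type data style target codebase archive
+ALLOWED_TAGS = %w( object embed param table tr th td applet comment iframe audio video source
+strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1
+h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins)
+
+ALLOWED_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width
+vspace hspace heigth value type data style target codebase archive data-macro align border
 classid code flashvars scrolling frameborder controls autoplay colspan)
 
+config.action_view.sanitized_allowed_tags = ALLOWED_TAGS
+config.action_view.sanitized_allowed_attributes = ALLOWED_ATTRIBUTES
+
 require 'noosfero/multi_tenancy'
 config.middleware.use Noosfero::MultiTenancy::Middleware
 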
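Review bot: The switch from `|=` to `=` on the two `config.action_view.sanitized_*` lines (new 26–27) means the framework's default allowlists are replaced rather than extended, so `ALLOWED_TAGS` and `ALLOWED_ATTRIBUTES` are now the sole authority on what survives sanitization; that intent deserves a comment above `ALLOWED_TAGS`, e.g. `# Complete sanitizer allowlist: assigned, not merged, so framework defaults are not consulted; read by XssTerminate#permit_scrubber.` Both `height` and the misspelt `heigth` now appear in `ALLOWED_ATTRIBUTES`; if `heigth` was only ever a typo it can be dropped rather than carried forward. Permissive entries such as `style`, `data`, `codebase`, `archive` and `src` on `object`/`embed`/`applet`/`iframe` are inherited from the old list, and whether `Rails::Html::PermitScrubber` applies URI-scheme checks to each of them depends on the rails-html-sanitizer/Loofah version pinned, which this page does not show, so that is worth pinning down with a test rather than assuming. The enclosing definition (hunk context shows only `module Noosfero`) starts and ends outside the hunk.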
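--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -1,6 +1,4 @@
 module XssTerminate
-ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
-ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
 
 def self.sanitize_by_default=(value)
 @@sanitize_by_default = value
@@ -40,30 +38,33 @@ module XssTerminate
 
 module InstanceMethods
 
-def sanitize_allowed_attributes
-ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
-end
-
 def sanitize_field(sanitizer, field, serialized = false)
 field = field.to_sym
 if serialized
 puts field
 self[field].each_key { |key|
 key = key.to_sym
-self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+self[field][key] = sanitizer.sanitize(self[field][key], encode_special_chars: false, scrubber: permit_scrubber )
 }
 else
 if self[field]
-self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+self[field] = sanitizer.sanitize(self[field], encode_special_chars: false, scrubber: permit_scrubber )
 else
 value = self.send("#{field}")
 return unless value
-value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+value = sanitizer.sanitize(value, encode_special_chars: false, scrubber: permit_scrubber)
 self.send("#{field}=", value)
 end
 end
 end
 
+def permit_scrubber
+scrubber = Rails::Html::PermitScrubber.new
+scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
+scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes
+scrubber
+end
+
 def sanitize_columns(with = :full)
 columns_serialized = self.class.serialized_attributes.keys
 only = eval "xss_terminate_#{with}_options[:only]"
@@ -75,27 +76,20 @@ module XssTerminate
 end
 
 def sanitize_fields_with_full
-sanitizer = Rails::Html::FullSanitizer.new
-columns, columns_serialized = sanitize_columns(:full)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
+sanitize_fields_with(Rails::Html::FullSanitizer.new,:full)
 end
 
 def sanitize_fields_with_white_list
-sanitizer = Rails::Html::WhiteListSanitizer.new
-columns, columns_serialized = sanitize_columns(:white_list)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
-end
+sanitize_fields_with(Rails::Html::WhiteListSanitizer.new,:white_list)
+end
 
 def sanitize_fields_with_html5lib
-sanitizer = HTML5libSanitize.new
-columns = sanitize_columns(:html5lib)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
+sanitize_fields_with(HTML5libSanitize.new,:html5lib)
+end
+
+def sanitize_fields_with sanitizer, type
+columns, columns_serialized = sanitize_columns(type)
+columns.each {|column| sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))}
 end
 
 end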
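Review bot: `permit_scrubber` (new lines 61–66) is the method that now decides which tags and attributes survive sanitization for every column, yet it is added as an undocumented public instance method on every model that includes `InstanceMethods`; a header comment such as `# PermitScrubber bound to the app-wide allowlists in config.action_view (see config/application.rb); built fresh on every call.` plus `private :permit_scrubber` after its definition would make that explicit, since `sanitize_field` is its only caller in this hunk. The same scrubber is also handed to `HTML5libSanitize.new` via `sanitize_fields_with_html5lib` in the last hunk; `HTML5libSanitize` is not a `Rails::Html` sanitizer and its `sanitize` signature is not visible here, so it is worth confirming it honours `scrubber:` rather than ignoring the keyword or raising on it, otherwise the html5lib path would not apply the allowlist at all. Every `sanitize_field` call site sits inside `InstanceMethods`, which continues beyond the hunk.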