Commit 4820ccb2fd6fc7e827d4f83700ce7bed50c85c5d
Committed by
Rodrigo Souto
1 parent
08165b71
Fixing sanitize xss_terminate
Signed-off-by: Macartur Sousa <macartur.sc@gmail.com> Signed-off-by: Marcos Ronaldo <marcos.rpj2@gmail.com>
Showing
2 changed files
with
28 additions
and
29 deletions
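--- a/config/application.rb
+++ b/config/application.rb
@@ -15,12 +15,17 @@ module Noosfero
 
 require 'noosfero/plugin'
 
-config.action_view.sanitized_allowed_tags |= %w(object embed param table
-tr th td applet comment iframe audio video source)
-config.action_view.sanitized_allowed_attributes |= %w(align border alt
-vspace hspace width heigth value type data style target codebase archive
+ALLOWED_TAGS = %w( object embed param table tr th td applet comment iframe audio video source
+strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1
+h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins)
+
+ALLOWED_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width
+vspace hspace heigth value type data style target codebase archive data-macro align border
 classid code flashvars scrolling frameborder controls autoplay colspan)
 
+config.action_view.sanitized_allowed_tags = ALLOWED_TAGS
+config.action_view.sanitized_allowed_attributes = ALLOWED_ATTRIBUTES
+
 require 'noosfero/multi_tenancy'
 config.middleware.use Noosfero::MultiTenancy::Middleware
 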
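Review bot: ALLOWED_TAGS and ALLOWED_ATTRIBUTES (new lines 18–23) replace the old `|=` merge with a plain assignment on new lines 26–27, so this pair of lists is now the complete allow-list for view sanitization — and, through xss_terminate's new permit_scrubber in the same commit, for what models persist — while permitting active-content tags (`object`, `embed`, `applet`, `iframe`) together with `src`, `data`, `codebase`, `archive`, `flashvars` and `style`. As far as I know Rails::Html::PermitScrubber applies the two lists flatly, so any listed attribute is accepted on any listed tag and only a few URI attributes get a protocol check; that makes this block the application's XSS boundary and it deserves a comment saying so, e.g. `# Complete HTML allow-list (no longer merged with Rails defaults); also used by xss_terminate's PermitScrubber.` followed by `# Any attribute here is accepted on any tag here, so additions widen the XSS surface.` Both constants are mutable arrays, so `%w(...).freeze` on each would stop a plugin from extending them at runtime unnoticed. `heigth` on new line 23 is a carried-over typo sitting next to the already-listed `height` and can be dropped.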
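--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -1,6 +1,4 @@
 module XssTerminate
-ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
-ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
 
 def self.sanitize_by_default=(value)
 @@sanitize_by_default = value
@@ -40,30 +38,33 @@ module XssTerminate
 
 module InstanceMethods
 
-def sanitize_allowed_attributes
-ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
-end
-
 def sanitize_field(sanitizer, field, serialized = false)
 field = field.to_sym
 if serialized
 puts field
 self[field].each_key { |key|
 key = key.to_sym
-self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+self[field][key] = sanitizer.sanitize(self[field][key], encode_special_chars: false, scrubber: permit_scrubber )
 }
 else
 if self[field]
-self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+self[field] = sanitizer.sanitize(self[field], encode_special_chars: false, scrubber: permit_scrubber )
 else
 value = self.send("#{field}")
 return unless value
-value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
+value = sanitizer.sanitize(value, encode_special_chars: false, scrubber: permit_scrubber)
 self.send("#{field}=", value)
 end
 end
 end
 
+def permit_scrubber
+scrubber = Rails::Html::PermitScrubber.new
+scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
+scrubber.attributes = Rails.application.config.action_view.sanitized_allowed_attributes
+scrubber
+end
+
 def sanitize_columns(with = :full)
 columns_serialized = self.class.serialized_attributes.keys
 only = eval "xss_terminate_#{with}_options[:only]"
@@ -75,27 +76,20 @@ module XssTerminate
 end
 
 def sanitize_fields_with_full
-sanitizer = Rails::Html::FullSanitizer.new
-columns, columns_serialized = sanitize_columns(:full)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
+sanitize_fields_with(Rails::Html::FullSanitizer.new,:full)
 end
 
 def sanitize_fields_with_white_list
-sanitizer = Rails::Html::WhiteListSanitizer.new
-columns, columns_serialized = sanitize_columns(:white_list)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
-end
+sanitize_fields_with(Rails::Html::WhiteListSanitizer.new,:white_list)
+end
 
 def sanitize_fields_with_html5lib
-sanitizer = HTML5libSanitize.new
-columns = sanitize_columns(:html5lib)
-columns.each do |column|
-sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
-end
+sanitize_fields_with(HTML5libSanitize.new,:html5lib)
+end
+
+def sanitize_fields_with sanitizer, type
+columns, columns_serialized = sanitize_columns(type)
+columns.each {|column| sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))}
 end
 
 end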
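Review bot: permit_scrubber (new lines 61–66) makes stored-content sanitization follow `config.action_view.sanitized_allowed_tags`/`sanitized_allowed_attributes` instead of the plugin's own attribute constants deleted in the first hunk, and the commit's application.rb puts `iframe`, `object`, `embed`, `applet` and the `style`, `data`, `codebase` and `archive` attributes on that list; if I read PermitScrubber correctly, the previous scrubber with no explicit tag list fell back to Loofah's default element set, which does not include those embeds, so models now persist markup they used to strip. If that widening is intended it should be stated on the method, e.g. `# Scrub stored HTML with the same tag/attribute allow-list the views render with (config.action_view); widening that config also widens what models persist.` permit_scrubber and sanitize_fields_with (new line 90) are public on every model that includes InstanceMethods, so a `private` marker above them would keep them out of the model API, and `def sanitize_fields_with(sanitizer, type)` with parentheses plus a space after the commas at new lines 79, 83 and 87 would match the rest of the file. permit_scrubber also allocates a fresh scrubber for every field, which is correct but could be built once per sanitize_fields_with call if sanitization ever shows up in profiles.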