Commit 688faaee41448c11504adb3e94ab4d63413b7ffa
Committed by
Antonio Terceiro
Antonio Terceiro
1 parent
52b58187
Exists in
master
and in
29 other branches
Fields verification filters malformed html correctly
* The field verification now occurs before de validation. * Fields that uses the full filter escape residual '<' and '>' after filtering wellformed tags. * Fields that uses white_list filter only escape the '<' and '>' symbols if the tag is not wellformed. * This patch only fixes the fields that were before being filtered. A full field verification is need to check the way each field must be filtered. (ActionItem1491)
Showing
26 changed files
with
273 additions
and
33 deletions
Show diff stats
app/models/article.rb
| ... | ... | @@ -26,7 +26,7 @@ class Article < ActiveRecord::Base |
| 26 | 26 | article.published_at = article.created_at if article.published_at.nil? |
| 27 | 27 | end |
| 28 | 28 | |
| 29 | - xss_terminate :only => [ :name ] | |
| 29 | + xss_terminate :only => [ :name ], :on => 'validation' | |
| 30 | 30 | |
| 31 | 31 | named_scope :in_category, lambda { |category| |
| 32 | 32 | {:include => 'categories', :conditions => { 'categories.id' => category.id }} | ... | ... |
app/models/comment.rb
app/models/community.rb
| ... | ... | @@ -5,8 +5,6 @@ class Community < Organization |
| 5 | 5 | settings_items :language |
| 6 | 6 | settings_items :zip_code, :city, :state, :country |
| 7 | 7 | |
| 8 | - xss_terminate :only => [ :name, :address, :contact_phone, :description ] | |
| 9 | - | |
| 10 | 8 | before_create do |community| |
| 11 | 9 | community.moderated_articles = true if community.environment.enabled?('organizations_are_moderated_by_default') |
| 12 | 10 | end |
| ... | ... | @@ -22,6 +20,8 @@ class Community < Organization |
| 22 | 20 | community |
| 23 | 21 | end |
| 24 | 22 | |
| 23 | + xss_terminate :only => [ :name, :address, :contact_phone, :description ], :on => 'validation' | |
| 24 | + | |
| 25 | 25 | FIELDS = %w[ |
| 26 | 26 | city |
| 27 | 27 | state | ... | ... |
app/models/consumption.rb
| ... | ... | @@ -4,6 +4,6 @@ class Consumption < ActiveRecord::Base |
| 4 | 4 | |
| 5 | 5 | validates_uniqueness_of :product_category_id, :scope => :profile_id |
| 6 | 6 | |
| 7 | - xss_terminate :only => [ :aditional_specifications ] | |
| 7 | + xss_terminate :only => [ :aditional_specifications ], :on => 'validation' | |
| 8 | 8 | |
| 9 | 9 | end | ... | ... |
app/models/environment.rb
| ... | ... | @@ -471,7 +471,7 @@ class Environment < ActiveRecord::Base |
| 471 | 471 | |
| 472 | 472 | validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |record| ! record.contact_email.blank? }) |
| 473 | 473 | |
| 474 | - xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list' | |
| 474 | + xss_terminate :only => [ :message_for_disabled_enterprise ], :with => 'white_list', :on => 'validation' | |
| 475 | 475 | |
| 476 | 476 | |
| 477 | 477 | # ################################################# | ... | ... |
app/models/event.rb
| ... | ... | @@ -6,7 +6,8 @@ class Event < Article |
| 6 | 6 | settings_items :link, :type => :string |
| 7 | 7 | settings_items :address, :type => :string |
| 8 | 8 | |
| 9 | - xss_terminate :only => [ :description, :link, :address ], :with => 'white_list' | |
| 9 | + xss_terminate :only => [ :link ], :on => 'validation' | |
| 10 | + xss_terminate :only => [ :description, :link, :address ], :with => 'white_list', :on => 'validation' | |
| 10 | 11 | |
| 11 | 12 | validates_presence_of :title, :start_date |
| 12 | 13 | ... | ... |
app/models/folder.rb
| ... | ... | @@ -4,7 +4,7 @@ class Folder < Article |
| 4 | 4 | |
| 5 | 5 | settings_items :view_as, :type => :string, :default => 'folder' |
| 6 | 6 | |
| 7 | - xss_terminate :only => [ :body ], :with => 'white_list' | |
| 7 | + xss_terminate :only => [ :body ], :with => 'white_list', :on => 'validation' | |
| 8 | 8 | |
| 9 | 9 | def self.select_views |
| 10 | 10 | [[_('Folder'), 'folder'], [_('Image gallery'), 'image_gallery']] | ... | ... |
app/models/organization.rb
| ... | ... | @@ -77,7 +77,7 @@ class Organization < Profile |
| 77 | 77 | |
| 78 | 78 | validates_format_of :contact_email, :with => Noosfero::Constants::EMAIL_FORMAT, :if => (lambda { |org| !org.contact_email.blank? }) |
| 79 | 79 | |
| 80 | - xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ] | |
| 80 | + xss_terminate :only => [ :acronym, :contact_person, :contact_email, :legal_form, :economic_activity, :management_information ], :on => 'validation' | |
| 81 | 81 | |
| 82 | 82 | # Yes, organizations have members. |
| 83 | 83 | # | ... | ... |
app/models/product.rb
| ... | ... | @@ -31,7 +31,7 @@ class Product < ActiveRecord::Base |
| 31 | 31 | |
| 32 | 32 | acts_as_searchable :fields => [ :name, :description, :category_full_name ] |
| 33 | 33 | |
| 34 | - xss_terminate :only => [ :name, :description ] | |
| 34 | + xss_terminate :only => [ :name, :description ], :on => 'validation' | |
| 35 | 35 | |
| 36 | 36 | acts_as_mappable |
| 37 | 37 | ... | ... |
app/models/profile.rb
| ... | ... | @@ -294,8 +294,8 @@ class Profile < ActiveRecord::Base |
| 294 | 294 | self.save_without_validation! |
| 295 | 295 | end |
| 296 | 296 | |
| 297 | - xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ] | |
| 298 | - xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list' | |
| 297 | + xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation' | |
| 298 | + xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation' | |
| 299 | 299 | |
| 300 | 300 | # returns the contact email for this profile. |
| 301 | 301 | # | ... | ... |
app/models/text_article.rb
app/models/tiny_mce_article.rb
| ... | ... | @@ -9,6 +9,6 @@ class TinyMceArticle < TextArticle |
| 9 | 9 | end |
| 10 | 10 | |
| 11 | 11 | xss_terminate :except => [ :abstract, :body ] |
| 12 | - xss_terminate :only => [ :abstract, :body ], :with => 'white_list' | |
| 12 | + xss_terminate :only => [ :abstract, :body ], :with => 'white_list', :on => 'validation' | |
| 13 | 13 | |
| 14 | 14 | end | ... | ... |
app/models/validation_info.rb
test/unit/article_test.rb
| ... | ... | @@ -859,4 +859,20 @@ class ArticleTest < Test::Unit::TestCase |
| 859 | 859 | assert_no_match /</, article.tags.last.name |
| 860 | 860 | end |
| 861 | 861 | |
| 862 | + should 'sanitize name before validation' do | |
| 863 | + article = Article.new | |
| 864 | + article.name = "<h1 Bla </h1>" | |
| 865 | + article.valid? | |
| 866 | + | |
| 867 | + assert article.errors.invalid?(:name) | |
| 868 | + end | |
| 869 | + | |
| 870 | + should 'escape malformed html tags' do | |
| 871 | + article = Article.new | |
| 872 | + article.name = "<h1 Malformed >> html >< tag" | |
| 873 | + article.valid? | |
| 874 | + | |
| 875 | + assert_no_match /[<>]/, article.name | |
| 876 | + end | |
| 877 | + | |
| 862 | 878 | end | ... | ... |
test/unit/comment_test.rb
| ... | ... | @@ -187,4 +187,26 @@ class CommentTest < Test::Unit::TestCase |
| 187 | 187 | assert_no_match(/<script>/, comment.name) |
| 188 | 188 | end |
| 189 | 189 | |
| 190 | + should 'sanitize required fields before validation' do | |
| 191 | + owner = create_user('testuser').person | |
| 192 | + article = owner.articles.create(:name => 'test', :body => '...') | |
| 193 | + comment = article.comments.new(:title => '<h1 title </h1>', :body => '<h1 body </h1>', :name => '<h1 name </h1>', :email => 'cracker@test.org') | |
| 194 | + comment.valid? | |
| 195 | + | |
| 196 | + assert comment.errors.invalid?(:name) | |
| 197 | + assert comment.errors.invalid?(:title) | |
| 198 | + assert comment.errors.invalid?(:body) | |
| 199 | + end | |
| 200 | + | |
| 201 | + should 'escape malformed html tags' do | |
| 202 | + owner = create_user('testuser').person | |
| 203 | + article = owner.articles.create(:name => 'test', :body => '...') | |
| 204 | + comment = article.comments.new(:title => '<h1 title </h1>>> sd f <<', :body => '<h1>> sdf><asd>< body </h1>', :name => '<h1 name </h1>>><<dfsf<sd', :email => 'cracker@test.org') | |
| 205 | + comment.valid? | |
| 206 | + | |
| 207 | + assert_no_match /[<>]/, comment.title | |
| 208 | + assert_no_match /[<>]/, comment.body | |
| 209 | + assert_no_match /[<>]/, comment.name | |
| 210 | + end | |
| 211 | + | |
| 190 | 212 | end | ... | ... |
test/unit/community_test.rb
| ... | ... | @@ -114,7 +114,7 @@ class CommunityTest < Test::Unit::TestCase |
| 114 | 114 | should 'require fields if community needs' do |
| 115 | 115 | e = Environment.default |
| 116 | 116 | e.expects(:required_community_fields).returns(['contact_phone']).at_least_once |
| 117 | - community = Community.new(:environment => e) | |
| 117 | + community = Community.new(:name => 'My community', :environment => e) | |
| 118 | 118 | assert ! community.valid? |
| 119 | 119 | assert community.errors.invalid?(:contact_phone) |
| 120 | 120 | |
| ... | ... | @@ -200,4 +200,19 @@ class CommunityTest < Test::Unit::TestCase |
| 200 | 200 | community.add_member(person) |
| 201 | 201 | end |
| 202 | 202 | end |
| 203 | + | |
| 204 | + should 'escape malformed html tags' do | |
| 205 | + community = Community.new | |
| 206 | + community.name = "<h1 Malformed >> html >< tag" | |
| 207 | + community.address = "<h1 Malformed >,<<<asfdf> html >< tag" | |
| 208 | + community.contact_phone = "<h1 Malformed<<> >> html >><>< tag" | |
| 209 | + community.description = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 210 | + community.valid? | |
| 211 | + | |
| 212 | + assert_no_match /[<>]/, community.name | |
| 213 | + assert_no_match /[<>]/, community.address | |
| 214 | + assert_no_match /[<>]/, community.contact_phone | |
| 215 | + assert_no_match /[<>]/, community.description | |
| 216 | + end | |
| 217 | + | |
| 203 | 218 | end | ... | ... |
test/unit/consumption_test.rb
| ... | ... | @@ -3,8 +3,12 @@ require File.dirname(__FILE__) + '/../test_helper' |
| 3 | 3 | class ConsumptionTest < Test::Unit::TestCase |
| 4 | 4 | fixtures :consumptions |
| 5 | 5 | |
| 6 | - # Replace this with your real tests. | |
| 7 | - def test_truth | |
| 8 | - assert true | |
| 6 | + should 'escape malformed html tags' do | |
| 7 | + consumption = Consumption.new | |
| 8 | + consumption.aditional_specifications = "<h1 Malformed >> html >< tag" | |
| 9 | + consumption.valid? | |
| 10 | + | |
| 11 | + assert_no_match /[<>]/, consumption.aditional_specifications | |
| 9 | 12 | end |
| 13 | + | |
| 10 | 14 | end | ... | ... |
test/unit/environment_test.rb
| ... | ... | @@ -863,4 +863,20 @@ class EnvironmentTest < Test::Unit::TestCase |
| 863 | 863 | assert_equal env.message_for_member_invitation, env.invitation_mail_template(community) |
| 864 | 864 | end |
| 865 | 865 | |
| 866 | + should 'filter fields with white_list filter' do | |
| 867 | + environment = Environment.new | |
| 868 | + environment.message_for_disabled_enterprise = "<h1> Disabled Enterprise </h1>" | |
| 869 | + environment.valid? | |
| 870 | + | |
| 871 | + assert_equal "<h1> Disabled Enterprise </h1>", environment.message_for_disabled_enterprise | |
| 872 | + end | |
| 873 | + | |
| 874 | + should 'escape malformed html tags' do | |
| 875 | + environment = Environment.new | |
| 876 | + environment.message_for_disabled_enterprise = "<h1> Disabled Enterprise /h1>" | |
| 877 | + environment.valid? | |
| 878 | + | |
| 879 | + assert_no_match /[<>]/, environment.message_for_disabled_enterprise | |
| 880 | + end | |
| 881 | + | |
| 866 | 882 | end | ... | ... |
test/unit/event_test.rb
| ... | ... | @@ -222,4 +222,32 @@ class EventTest < ActiveSupport::TestCase |
| 222 | 222 | assert_not_includes profile.events.by_day(today), event_out_of_range |
| 223 | 223 | end |
| 224 | 224 | |
| 225 | + should 'filter fields with full filter' do | |
| 226 | + event = Event.new | |
| 227 | + event.link = "<h1 Malformed >> html >< tag" | |
| 228 | + event.valid? | |
| 229 | + | |
| 230 | + assert_no_match /[<>]/, event.link | |
| 231 | + end | |
| 232 | + | |
| 233 | + should 'filter fields with white_list filter' do | |
| 234 | + event = Event.new | |
| 235 | + event.description = "<h1> Description </h1>" | |
| 236 | + event.address = "<strong> Address <strong>" | |
| 237 | + event.valid? | |
| 238 | + | |
| 239 | + assert_equal "<h1> Description </h1>", event.description | |
| 240 | + assert_equal "<strong> Address <strong>", event.address | |
| 241 | + end | |
| 242 | + | |
| 243 | + should 'escape malformed html tags' do | |
| 244 | + event = Event.new | |
| 245 | + event.description = "<h1<< Description >>/h1>" | |
| 246 | + event.address = "<strong>><< Address <strong>" | |
| 247 | + event.valid? | |
| 248 | + | |
| 249 | + assert_no_match /[<>]/, event.description | |
| 250 | + assert_no_match /[<>]/, event.address | |
| 251 | + end | |
| 252 | + | |
| 225 | 253 | end | ... | ... |
test/unit/folder_test.rb
| ... | ... | @@ -125,17 +125,27 @@ class FolderTest < ActiveSupport::TestCase |
| 125 | 125 | end |
| 126 | 126 | |
| 127 | 127 | should 'not let pass javascript in the body' do |
| 128 | - owner = create_user('testuser').person | |
| 129 | - folder = fast_create(Folder, {:profile_id => owner.id, :body => '<script>alert("Xss Attack!")</script>'}) | |
| 130 | - folder.save! | |
| 131 | - assert_no_match(/<script>/, folder.body) | |
| 128 | + folder = Folder.new | |
| 129 | + folder.body = "<script> alert(Xss!); </script>" | |
| 130 | + folder.valid? | |
| 131 | + | |
| 132 | + assert_no_match /(<script>)/, folder.body | |
| 132 | 133 | end |
| 133 | 134 | |
| 134 | - should 'let pass html in the body' do | |
| 135 | - owner = create_user('testuser').person | |
| 136 | - folder = fast_create(Folder, {:profile_id => owner.id, :body => '<strong>I am not a Xss Attack!")</strong>'}) | |
| 137 | - folder.save! | |
| 138 | - assert_match(/<strong>/, folder.body) | |
| 135 | + should 'filter fields with white_list filter' do | |
| 136 | + folder = Folder.new | |
| 137 | + folder.body = "<h1> Body </h1>" | |
| 138 | + folder.valid? | |
| 139 | + | |
| 140 | + assert_equal "<h1> Body </h1>", folder.body | |
| 141 | + end | |
| 142 | + | |
| 143 | + should 'escape malformed html tags' do | |
| 144 | + folder = Folder.new | |
| 145 | + folder.body = "<h1<< Description >>/h1>" | |
| 146 | + folder.valid? | |
| 147 | + | |
| 148 | + assert_no_match /[<>]/, folder.body | |
| 139 | 149 | end |
| 140 | 150 | |
| 141 | 151 | end | ... | ... |
test/unit/organization_test.rb
| ... | ... | @@ -248,4 +248,24 @@ class OrganizationTest < Test::Unit::TestCase |
| 248 | 248 | |
| 249 | 249 | assert organization.closed |
| 250 | 250 | end |
| 251 | + | |
| 252 | + should 'escape malformed html tags' do | |
| 253 | + organization = Organization.new | |
| 254 | + organization.acronym = "<h1 Malformed >> html >< tag" | |
| 255 | + organization.contact_person = "<h1 Malformed >,<<<asfdf> html >< tag" | |
| 256 | + organization.contact_email = "<h1<malformed@html.com>>" | |
| 257 | + organization.description = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 258 | + organization.legal_form = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 259 | + organization.economic_activity = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 260 | + organization.management_information = "<h1 Malformed /h1>>><<> html ><>h1< tag" | |
| 261 | + organization.valid? | |
| 262 | + | |
| 263 | + assert_no_match /[<>]/, organization.acronym | |
| 264 | + assert_no_match /[<>]/, organization.contact_person | |
| 265 | + assert_no_match /[<>]/, organization.contact_email | |
| 266 | + assert_no_match /[<>]/, organization.legal_form | |
| 267 | + assert_no_match /[<>]/, organization.economic_activity | |
| 268 | + assert_no_match /[<>]/, organization.management_information | |
| 269 | + end | |
| 270 | + | |
| 251 | 271 | end | ... | ... |
test/unit/product_test.rb
| ... | ... | @@ -193,4 +193,22 @@ class ProductTest < Test::Unit::TestCase |
| 193 | 193 | end |
| 194 | 194 | end |
| 195 | 195 | |
| 196 | + should 'sanitize name before validation' do | |
| 197 | + product = Product.new | |
| 198 | + product.name = "<h1 Bla </h1>" | |
| 199 | + product.valid? | |
| 200 | + | |
| 201 | + assert product.errors.invalid?(:name) | |
| 202 | + end | |
| 203 | + | |
| 204 | + should 'escape malformed html tags' do | |
| 205 | + product = Product.new | |
| 206 | + product.name = "<h1 Malformed >> html >< tag" | |
| 207 | + product.description = "<h1 Malformed</h1>><<<a>> >> html >< tag" | |
| 208 | + product.valid? | |
| 209 | + | |
| 210 | + assert_no_match /[<>]/, product.name | |
| 211 | + assert_no_match /[<>]/, product.description | |
| 212 | + end | |
| 213 | + | |
| 196 | 214 | end | ... | ... |
test/unit/profile_test.rb
| ... | ... | @@ -1515,6 +1515,44 @@ class ProfileTest < Test::Unit::TestCase |
| 1515 | 1515 | assert profile.errors.invalid?(:description) |
| 1516 | 1516 | end |
| 1517 | 1517 | |
| 1518 | + should 'sanitize name before validation' do | |
| 1519 | + profile = Profile.new | |
| 1520 | + profile.name = "<h1 Bla </h1>" | |
| 1521 | + profile.valid? | |
| 1522 | + | |
| 1523 | + assert profile.errors.invalid?(:name) | |
| 1524 | + end | |
| 1525 | + | |
| 1526 | + should 'filter fields with white_list filter' do | |
| 1527 | + profile = Profile.new | |
| 1528 | + profile.custom_header = "<h1> Custom Header </h1>" | |
| 1529 | + profile.custom_footer = "<strong> Custom Footer <strong>" | |
| 1530 | + profile.valid? | |
| 1531 | + | |
| 1532 | + assert_equal "<h1> Custom Header </h1>", profile.custom_header | |
| 1533 | + assert_equal "<strong> Custom Footer <strong>", profile.custom_footer | |
| 1534 | + end | |
| 1535 | + | |
| 1536 | + should 'escape malformed html tags' do | |
| 1537 | + profile = Profile.new | |
| 1538 | + profile.name = "<h1 Malformed >> html >>></a>< tag" | |
| 1539 | + profile.nickname = "<h1 Malformed <<h1>>< html >< tag" | |
| 1540 | + profile.address = "<h1><</h2< Malformed >> html >< tag" | |
| 1541 | + profile.contact_phone = "<h1<< Malformed ><>>> html >< tag" | |
| 1542 | + profile.description = "<h1<a> Malformed >> html ></a>< tag" | |
| 1543 | + profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag" | |
| 1544 | + profile.custom_footer = "<h1> Malformed <><< html ></a>< tag" | |
| 1545 | + profile.valid? | |
| 1546 | + | |
| 1547 | + assert_no_match /[<>]/, profile.name | |
| 1548 | + assert_no_match /[<>]/, profile.nickname | |
| 1549 | + assert_no_match /[<>]/, profile.address | |
| 1550 | + assert_no_match /[<>]/, profile.contact_phone | |
| 1551 | + assert_no_match /[<>]/, profile.description | |
| 1552 | + assert_no_match /[<>]/, profile.custom_header | |
| 1553 | + assert_no_match /[<>]/, profile.custom_footer | |
| 1554 | + end | |
| 1555 | + | |
| 1518 | 1556 | private |
| 1519 | 1557 | |
| 1520 | 1558 | def assert_invalid_identifier(id) | ... | ... |
test/unit/text_article_test.rb
| ... | ... | @@ -26,4 +26,17 @@ class TextArticleTest < Test::Unit::TestCase |
| 26 | 26 | assert_equal "the article ...", article.body |
| 27 | 27 | end |
| 28 | 28 | |
| 29 | + should 'escape malformed html tags' do | |
| 30 | + person = create_user('testuser').person | |
| 31 | + article = TextArticle.new(:profile => person) | |
| 32 | + article.name = "<h1 Malformed >> html >>></a>< tag" | |
| 33 | + article.abstract = "<h1 Malformed <<h1>>< html >< tag" | |
| 34 | + article.body = "<h1><</h2< Malformed >> html >< tag" | |
| 35 | + article.valid? | |
| 36 | + | |
| 37 | + assert_no_match /[<>]/, article.name | |
| 38 | + assert_no_match /[<>]/, article.abstract | |
| 39 | + assert_no_match /[<>]/, article.body | |
| 40 | + end | |
| 41 | + | |
| 29 | 42 | end | ... | ... |
test/unit/validation_info_test.rb
| ... | ... | @@ -21,4 +21,14 @@ class ValidationInfoTest < Test::Unit::TestCase |
| 21 | 21 | end |
| 22 | 22 | end |
| 23 | 23 | |
| 24 | + should 'escape malformed html tags' do | |
| 25 | + info = ValidationInfo.new | |
| 26 | + info.validation_methodology = "<h1 Malformed >> html >< tag" | |
| 27 | + info.restrictions = "<h1 Malformed >> html >< tag" | |
| 28 | + info.valid? | |
| 29 | + | |
| 30 | + assert_no_match /[<>]/, info.validation_methodology | |
| 31 | + assert_no_match /[<>]/, info.restrictions | |
| 32 | + end | |
| 33 | + | |
| 24 | 34 | end | ... | ... |
vendor/plugins/xss_terminate/lib/xss_terminate.rb
| ... | ... | @@ -38,7 +38,7 @@ module XssTerminate |
| 38 | 38 | |
| 39 | 39 | module InstanceMethods |
| 40 | 40 | |
| 41 | - def sanitize_field(sanitizer, field, serialized = false) | |
| 41 | + def sanitize_field(sanitizer, field, serialized = false, with= :full) | |
| 42 | 42 | field = field.to_sym |
| 43 | 43 | if serialized |
| 44 | 44 | puts field |
| ... | ... | @@ -49,8 +49,22 @@ module XssTerminate |
| 49 | 49 | else |
| 50 | 50 | if self[field] |
| 51 | 51 | self[field] = sanitizer.sanitize(self[field]) |
| 52 | + | |
| 53 | + if with == :full | |
| 54 | + self[field] = CGI.escapeHTML(self[field]) | |
| 55 | + elsif with == :white_list | |
| 56 | + self[field] = CGI.escapeHTML(self[field]) if !wellformed_html_tag?(self[field]) | |
| 57 | + end | |
| 58 | + | |
| 52 | 59 | else |
| 53 | 60 | self.send("#{field}=", sanitizer.sanitize(self.send("#{field}"))) |
| 61 | + | |
| 62 | + if with == :full | |
| 63 | + self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) | |
| 64 | + elsif with == :white_list | |
| 65 | + self.send("#{field}=", CGI.escapeHTML(self.send("#{field}"))) if !wellformed_html_tag?(self.send("#{field}")) | |
| 66 | + end | |
| 67 | + | |
| 54 | 68 | end |
| 55 | 69 | end |
| 56 | 70 | end |
| ... | ... | @@ -69,7 +83,7 @@ module XssTerminate |
| 69 | 83 | sanitizer = RailsSanitize.full_sanitizer |
| 70 | 84 | columns, columns_serialized = sanitize_columns(:full) |
| 71 | 85 | columns.each do |column| |
| 72 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | |
| 86 | + sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :full) | |
| 73 | 87 | end |
| 74 | 88 | end |
| 75 | 89 | |
| ... | ... | @@ -77,18 +91,33 @@ module XssTerminate |
| 77 | 91 | sanitizer = RailsSanitize.white_list_sanitizer |
| 78 | 92 | columns, columns_serialized = sanitize_columns(:white_list) |
| 79 | 93 | columns.each do |column| |
| 80 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | |
| 94 | + sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :white_list) | |
| 81 | 95 | end |
| 82 | - end | |
| 96 | + end | |
| 83 | 97 | |
| 84 | 98 | def sanitize_fields_with_html5lib |
| 85 | 99 | sanitizer = HTML5libSanitize.new |
| 86 | 100 | columns = sanitize_columns(:html5lib) |
| 87 | 101 | columns.each do |column| |
| 88 | - sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column)) | |
| 102 | + sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column), :html5lib) | |
| 89 | 103 | end |
| 90 | 104 | end |
| 91 | 105 | |
| 106 | + def wellformed_html_tag?(field) | |
| 107 | + return true if !field | |
| 108 | + | |
| 109 | + counter = 0 | |
| 110 | + field.split(//).each do |letter| | |
| 111 | + counter += 1 if letter == '<' | |
| 112 | + counter -= 1 if letter == '>' | |
| 113 | + if counter < 0 || 1 < counter | |
| 114 | + return false | |
| 115 | + end | |
| 116 | + end | |
| 117 | + | |
| 118 | + return counter == 0 | |
| 119 | + end | |
| 120 | + | |
| 92 | 121 | end |
| 93 | 122 | |
| 94 | 123 | end | ... | ... |