From 71a1ced2cd7ae1d16659d7b583cbf1581c23776b Mon Sep 17 00:00:00 2001
From: Leandro Nunes dos Santos
Date: Fri, 13 Nov 2015 14:51:35 -0300
Subject: [PATCH] avoid sanitizer to encode special chars
---
config/initializers/sanitizer.rb | 21 ---------------------
test/unit/comment_test.rb | 3 ++-
vendor/plugins/xss_terminate/lib/xss_terminate.rb | 10 +++++-----
3 files changed, 7 insertions(+), 27 deletions(-)
diff --git a/config/initializers/sanitizer.rb b/config/initializers/sanitizer.rb
index 10ecf67..fa62ce7 100644
--- a/config/initializers/sanitizer.rb
+++ b/config/initializers/sanitizer.rb
@@ -12,24 +12,3 @@ Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES.merge %w[ style target codebase archive classid code flashvars scrolling frameborder controls autoplay colspan ]
-# do not escape COMMENT_NODE
-require 'loofah/scrubber'
-module Loofah
- class Scrubber
- private
- def html5lib_sanitize node
- case node.type
- when Nokogiri::XML::Node::ELEMENT_NODE
- if HTML5::Scrub.allowed_element? node.name
- HTML5::Scrub.scrub_attributes node
- return Scrubber::CONTINUE
- end
- when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE,Nokogiri::XML::Node::COMMENT_NODE
- return Scrubber::CONTINUE
- end
- Scrubber::STOP
- end
-
- end
-end
diff --git a/test/unit/comment_test.rb b/test/unit/comment_test.rb
index 2c84232..a93cc85 100644
--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
@@ -188,7 +188,8 @@ class CommentTest < ActiveSupport::TestCase owner = create_user('testuser').person article = owner.articles.create!(:name => 'test', :body => '...') javascript = "" - comment = create(Comment, :article => article, :name => javascript, :title => javascript, :body => javascript, :email => 'cracker@test.org') + comment = Comment.new(:source => article, :name => javascript, :title => javascript, :body => javascript, :email => 'cracker@test.org') + comment.valid? assert_no_match(/