Commit 71a1ced2cd7ae1d16659d7b583cbf1581c23776b

Authored by Leandro Santos
Committed by Antonio Terceiro
1 parent de606257

avoid sanitizer to encode special chars

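--- a/config/initializers/sanitizer.rb
+++ b/config/initializers/sanitizer.rb
@@ -12,24 +12,3 @@ Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES.merge %w[
   style target codebase archive classid code flashvars scrolling frameborder controls autoplay colspan
 ]
 
-# do not escape COMMENT_NODE
-require 'loofah/scrubber'
-module Loofah
-  class Scrubber
-    private
-
-    def html5lib_sanitize node
-      case node.type
-      when Nokogiri::XML::Node::ELEMENT_NODE
-        if HTML5::Scrub.allowed_element? node.name
-          HTML5::Scrub.scrub_attributes node
-          return Scrubber::CONTINUE
-        end
-      when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE,Nokogiri::XML::Node::COMMENT_NODE
-        return Scrubber::CONTINUE
-      end
-      Scrubber::STOP
-    end
-
-  end
-end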
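--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
@@ -188,7 +188,8 @@ class CommentTest < ActiveSupport::TestCase
     owner = create_user('testuser').person
     article = owner.articles.create!(:name => 'test', :body => '...')
     javascript = "<script>alert('XSS')</script>"
-    comment = create(Comment, :article => article, :name => javascript, :title => javascript, :body => javascript, :email => 'cracker@test.org')
+    comment = Comment.new(:source => article, :name => javascript, :title => javascript, :body => javascript, :email => 'cracker@test.org')
+    comment.valid?
     assert_no_match(/<script>/, comment.name)
   end
 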
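Review bot: The assertion checks only `comment.name`, although the same payload is assigned to `title` and `body` on the new `Comment.new` line, and `/<script>/` is case-sensitive, so a regression in either of the other two fields or a `<SCRIPT>` variant would still pass. Add `assert_no_match(/<script/i, comment.title)` and `assert_no_match(/<script/i, comment.body)`, and consider a second comment built from an entity-encoded payload such as `"&lt;script&gt;alert('XSS')&lt;/script&gt;"`, since the sanitizer change in this commit stops encoding special characters and that is the input most likely to come back as a literal tag. `comment.valid?` is now what triggers sanitizing, so the test implicitly pins that xss_terminate runs as a validation-time hook; a one-line comment saying so would help the next reader. The enclosing test method begins before this hunk.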
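--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -44,15 +44,15 @@ module XssTerminate
       puts field
       self[field].each_key { |key|
         key = key.to_sym
-        self[field][key] = sanitizer.sanitize(self[field][key])
+        self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
       }
     else
       if self[field]
-        self[field] = sanitizer.sanitize(self[field])
+        self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
       else
         value = self.send("#{field}")
         return unless value
-        value = sanitizer.sanitize(value)
+        value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
         self.send("#{field}=", value)
       end
     end
@@ -69,7 +69,7 @@ module XssTerminate
     end
 
     def sanitize_fields_with_full
-      sanitizer = ActionView::Base.full_sanitizer
+      sanitizer = Rails::Html::FullSanitizer.new
       columns, columns_serialized = sanitize_columns(:full)
       columns.each do |column|
         sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
@@ -77,7 +77,7 @@ module XssTerminate
     end
 
     def sanitize_fields_with_white_list
-      sanitizer = ActionView::Base.white_list_sanitizer
+      sanitizer = Rails::Html::WhiteListSanitizer.new
       columns, columns_serialized = sanitize_columns(:white_list)
       columns.each do |column|
         sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))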
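Review bot: `encode_special_chars: false` on the three new `sanitizer.sanitize` calls makes the FullSanitizer path (the one built in `sanitize_fields_with_full` below) return unescaped text, so an entity-encoded input such as `&lt;script&gt;alert(1)&lt;/script&gt;` is stored as a literal `<script>…</script>`; the stored value is therefore not HTML-safe and must be escaped by every view that renders it and never passed through `html_safe`/`raw`, a contract nothing in this hunk documents. As far as I can tell from rails-html-sanitizer 1.0, `scrubber:` is honoured only by WhiteListSanitizer and `encode_special_chars:` only by FullSanitizer, so passing both options to both sanitizers in three places obscures which one is in effect and allocates a fresh PermitScrubber per field per save. I would centralise the options in one helper with that caveat stated next to it, as sketched below, and add a unit test with an entity-encoded payload so the intended behaviour is pinned. The enclosing `sanitize_field` begins before this hunk.
```ruby
# … unchanged: start of sanitize_field (begins before this hunk) …
        self[field][key] = sanitizer.sanitize(self[field][key], sanitize_options)
# … unchanged: the two other branches, each calling sanitizer.sanitize(value, sanitize_options) …

    # NOTE(review): in rails-html-sanitizer 1.0 `scrubber:` appears to be honoured
    # only by WhiteListSanitizer and `encode_special_chars:` only by FullSanitizer.
    # The latter returns UNESCAPED text ("&lt;" comes back as "<"), so a sanitized
    # column is not HTML-safe: views must escape it and never mark it html_safe.
    def sanitize_options
      { scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false }
    end
```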