diff --git a/app/models/tiny_mce_article.rb b/app/models/tiny_mce_article.rb
index 63a1e08..e2880be 100644
--- a/app/models/tiny_mce_article.rb
+++ b/app/models/tiny_mce_article.rb
@@ -9,7 +9,7 @@ class TinyMceArticle < TextArticle
   def self.description
     _('Not accessible for visually impaired users.')
   end
-
+  xss_terminate :only => [ ]
   xss_terminate :only => [ :name, :abstract, :body ], :with => 'white_list', :on => 'validation'
diff --git a/config/application.rb b/config/application.rb
index 355e954..b8bf489 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -15,12 +15,6 @@ module Noosfero
     require 'noosfero/plugin'
-    # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper
-    config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay', 'colspan', 'rowspan'
-
-    # Adds custom tags to the Set of allowed html tags for the #sanitize helper
-    config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source'
-
     config.action_controller.include_all_helpers = false
     # Settings in config/environments/* take precedence over those specified here.
diff --git a/config/initializers/sanitizer.rb b/config/initializers/sanitizer.rb
new file mode 100644
index 0000000..10ecf67
--- /dev/null
+++ b/config/initializers/sanitizer.rb
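Review bot: The purpose of the new `xss_terminate :only => [ ]` line placed directly above the existing white_list call is not stated anywhere in the hunk; if it is meant to switch off the default sanitization of every other column so that only the white-listed pass on validation applies, say so, e.g. `# disable the default xss_terminate pass on all columns; only the white_list pass below applies`. Whether a second `xss_terminate` call replaces or adds to the first depends on the xss_terminate plugin's implementation, which is not visible here, so a model test pinning that `name`, `abstract` and `body` are still white-list sanitized on validation and that other columns are left untouched would guard the intended behaviour. The class body continues outside the hunk.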
@@ -0,0 +1,35 @@
+require 'loofah/helpers'
+
+ActionView::Base.full_sanitizer = Loofah::Helpers::ActionView::FullSanitizer.new
+ActionView::Base.white_list_sanitizer = Loofah::Helpers::ActionView::WhiteListSanitizer.new
+
+Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2.merge %w[
+  img object embed param table tr th td applet comment iframe audio video source
+]
+
+Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES.merge %w[
+  align border alt vspace hspace width heigth value type data
+  style target codebase archive classid code flashvars scrolling frameborder controls autoplay colspan
+]
+
+# do not escape COMMENT_NODE
+require 'loofah/scrubber'
+module Loofah
+  class Scrubber
+    private
+
+    def html5lib_sanitize node
+      case node.type
+      when Nokogiri::XML::Node::ELEMENT_NODE
+        if HTML5::Scrub.allowed_element? node.name
+          HTML5::Scrub.scrub_attributes node
+          return Scrubber::CONTINUE
+        end
+      when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE,Nokogiri::XML::Node::COMMENT_NODE
+        return Scrubber::CONTINUE
+      end
+      Scrubber::STOP
+    end
+
+  end
+end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 8a2fdfd..6eaa95d 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
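Review bot: The attribute list merged into `Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES` drops `rowspan`, which the list removed from `config/application.rb` in this same commit still contained, so table markup using it will now be stripped where it previously survived; add `rowspan` after `colspan` in the `%w[...]` literal (the `heigth` spelling is carried over unchanged from the old list and looks like a typo for `height`, worth confirming). Both `merge` calls mutate gem-level constants for the whole process, and the `html5lib_sanitize` definition replaces a private Loofah method wholesale, so a Loofah upgrade that changes that method's element or attribute handling would be silently undone; a comment such as `# Overrides Loofah::Scrubber#html5lib_sanitize (written against loofah <loofah version>) only to let COMMENT_NODE through; re-check on upgrade` plus a unit test asserting that an HTML comment survives while a script element is removed would make that divergence visible. Letting comment nodes through means whatever sits inside `<!-- -->` reaches the browser without scrubbing; that is the stated intent, but it deserves a sentence in the comment given that the element and attribute lists already admit active content (`object`, `embed`, `applet`, `iframe`, `codebase`, `classid`, `flashvars`), so the sanitizer's guarantees here are narrower than the name `white_list_sanitizer` suggests.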
@@ -135,16 +135,23 @@ class ActiveSupport::TestCase
     assert !text.index('<'), "Text '#{text}' expected to be sanitized"
   end
+  def find_tag_in_string text, options
+    doc = Nokogiri::HTML.fragment text
+    tag = doc.css(options[:tag]).first
+    attributes = {}; tag.attributes.each do |a, v|
+      a = a.to_sym
+      next unless options[:attributes].has_key? a
+      attributes[a] = v.value
+    end
+    tag if (tag and attributes == options[:attributes])
+  end
+
   def assert_tag_in_string(text, options)
-    doc = HTML::Document.new(text, false, false)
-    tag = doc.find(options)
-    assert tag, "expected tag #{options.inspect}, but not found in #{text.inspect}"
+    assert find_tag_in_string(text, options), "expected tag #{options.inspect}, but not found in #{text.inspect}"
   end
   def assert_no_tag_in_string(text, options)
-    doc = HTML::Document.new(text, false, false)
-    tag = doc.find(options)
-    assert !tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}"
+    assert !find_tag_in_string(text, options), "expected no tag #{options.inspect}, but tag found in #{text.inspect}"
   end
   def assert_order(reference, original)
diff --git a/test/unit/article_test.rb b/test/unit/article_test.rb
index 6c1e510..87ae564 100644
--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -935,7 +935,7 @@ class ArticleTest < ActiveSupport::TestCase article.name = "
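Review bot: `find_tag_in_string` dereferences `tag.attributes` before the `tag if (tag and …)` guard, so when `doc.css(options[:tag])` matches nothing the helper raises NoMethodError on nil instead of returning nil, which makes `assert_no_tag_in_string` error out in exactly the case it is meant to pass. The same line raises when `options` carries no `:attributes` key, because `nil.has_key?` is called. Returning early when no element is found and defaulting the expected attributes to an empty hash fixes both; the rewrite below also replaces the `attributes = {}; tag.attributes.each` one-liner and the `and` in the final expression with the idiomatic forms. The helper inspects only the first matching element, whereas the replaced `HTML::Document#find` may have considered every match, so it is worth confirming against the tests that use these assertions; the enclosing `ActiveSupport::TestCase` class starts outside the hunk.
```ruby
  def find_tag_in_string text, options
    doc = Nokogiri::HTML.fragment text
    tag = doc.css(options[:tag]).first
    return nil unless tag

    expected = options[:attributes] || {}
    found = tag.attributes.each_with_object({}) do |(name, attr), acc|
      key = name.to_sym
      acc[key] = attr.value if expected.key?(key)
    end
    tag if found == expected
  end
```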
FooBar