From db65013977f059e29757ed115180fa43d43a5d67 Mon Sep 17 00:00:00 2001 From: Braulio Bhavamitra Date: Wed, 8 Apr 2015 16:08:42 -0300 Subject: [PATCH] rails4: use new rails sanitizer (loofah) --- app/models/tiny_mce_article.rb | 2 +- config/application.rb | 6 ------ config/initializers/sanitizer.rb | 35 +++++++++++++++++++++++++++++++++++ test/test_helper.rb | 19 +++++++++++++------ test/unit/article_test.rb | 3 ++- test/unit/tiny_mce_article_test.rb | 8 ++++---- 6 files changed, 55 insertions(+), 18 deletions(-) create mode 100644 config/initializers/sanitizer.rb diff --git a/app/models/tiny_mce_article.rb b/app/models/tiny_mce_article.rb index 63a1e08..e2880be 100644 --- a/app/models/tiny_mce_article.rb +++ b/app/models/tiny_mce_article.rb @@ -9,7 +9,7 @@ class TinyMceArticle < TextArticle def self.description _('Not accessible for visually impaired users.') end - + xss_terminate :only => [ ] xss_terminate :only => [ :name, :abstract, :body ], :with => 'white_list', :on => 'validation' diff --git a/config/application.rb b/config/application.rb index 355e954..b8bf489 100644 --- a/config/application.rb +++ b/config/application.rb @@ -15,12 +15,6 @@ module Noosfero require 'noosfero/plugin' - # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper - config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay', 'colspan', 'rowspan' - - # Adds custom tags to the Set of allowed html tags for the #sanitize helper - config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source' - config.action_controller.include_all_helpers = false # Settings in config/environments/* take precedence over those specified here. 
diff --git a/config/initializers/sanitizer.rb b/config/initializers/sanitizer.rb
new file mode 100644
index 0000000..10ecf67
--- /dev/null
+++ b/config/initializers/sanitizer.rb
@@ -0,0 +1,35 @@
+require 'loofah/helpers'
+
+ActionView::Base.full_sanitizer = Loofah::Helpers::ActionView::FullSanitizer.new
+ActionView::Base.white_list_sanitizer = Loofah::Helpers::ActionView::WhiteListSanitizer.new
+
+Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2.merge %w[
+ img object embed param table tr th td applet comment iframe audio video source
+]
+
+Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES.merge %w[
+ align border alt vspace hspace width heigth value type data
+ style target codebase archive classid code flashvars scrolling frameborder controls autoplay colspan
+]
+
+# do not escape COMMENT_NODE
+require 'loofah/scrubber'
+module Loofah
+ class Scrubber
+ private
+
+ def html5lib_sanitize node
+ case node.type
+ when Nokogiri::XML::Node::ELEMENT_NODE
+ if HTML5::Scrub.allowed_element? node.name
+ HTML5::Scrub.scrub_attributes node
+ return Scrubber::CONTINUE
+ end
+ when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE,Nokogiri::XML::Node::COMMENT_NODE
+ return Scrubber::CONTINUE
+ end
+ Scrubber::STOP
+ end
+
+ end
+end
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 8a2fdfd..6eaa95d 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
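Review bot: The reopened `Loofah::Scrubber#html5lib_sanitize` returns `CONTINUE` for `COMMENT_NODE`, so comment nodes now pass through the scrubber with their content uninspected, and the only rationale recorded is the one-line `# do not escape COMMENT_NODE`. Since this replaces a private method of a gem with a near-verbatim copy, a Loofah upgrade will silently revert or diverge from it; a dedicated `Loofah::Scrubber` subclass would be safer, or at least a header comment naming the Loofah version the method was copied from and why comments must survive (the `should 'not sanitize html comments'` test in test/unit/tiny_mce_article_test.rb is the only visible motivation). Comments passed through verbatim are also a known surface for legacy conditional-comment markup in old IE, so the comment should record that this is an accepted trade-off, or the branch should only `CONTINUE` for comments whose content contains no `<`. `heigth` in the `ALLOWED_ATTRIBUTES` list is a typo carried over from the lines removed in config/application.rb; it is harmless only if Loofah's default list already allows `height` (I believe it does), otherwise `height` is still being stripped, so fix or drop it. The embed-related attributes (`codebase`, `classid`, `code`, `archive`, `flashvars`, `data`) are likewise carried over, and whether Loofah applies its URI/protocol checks to their values depends on its `ATTR_VAL_IS_URI` set, which is worth confirming before keeping `object`, `embed` and `applet` in the allowed elements.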
@@ -135,16 +135,23 @@ class ActiveSupport::TestCase assert !text.index('<'), "Text '#{text}' expected to be sanitized" end + def find_tag_in_string text, options + doc = Nokogiri::HTML.fragment text + tag = doc.css(options[:tag]).first + attributes = {}; tag.attributes.each do |a, v| + a = a.to_sym + next unless options[:attributes].has_key? a + attributes[a] = v.value + end + tag if (tag and attributes == options[:attributes]) + end + def assert_tag_in_string(text, options) - doc = HTML::Document.new(text, false, false) - tag = doc.find(options) - assert tag, "expected tag #{options.inspect}, but not found in #{text.inspect}" + assert find_tag_in_string(text, options), "expected tag #{options.inspect}, but not found in #{text.inspect}" end def assert_no_tag_in_string(text, options) - doc = HTML::Document.new(text, false, false) - tag = doc.find(options) - assert !tag, "expected no tag #{options.inspect}, but tag found in #{text.inspect}" + assert !find_tag_in_string(text, options), "expected no tag #{options.inspect}, but tag found in #{text.inspect}" end def assert_order(reference, original) diff --git a/test/unit/article_test.rb b/test/unit/article_test.rb index 6c1e510..87ae564 100644 --- a/test/unit/article_test.rb +++ b/test/unit/article_test.rb @@ -935,7 +935,7 @@ class ArticleTest < ActiveSupport::TestCase article.name = "
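Review bot: `find_tag_in_string` calls `tag.attributes` before the `tag if (tag and …)` guard, so when the selector matches nothing `doc.css(options[:tag]).first` is nil and `assert_no_tag_in_string` — whose expected path is exactly that — raises `NoMethodError` instead of passing. It also calls `options[:attributes].has_key?` unconditionally, so a caller passing only `:tag` fails the same way, and it inspects only the first matching element, whereas the replaced `HTML::Document#find` matched any element carrying those attributes. The rewrite below returns nil for a missing tag, defaults `:attributes` to `{}` and scans all matches; the comparison still requires exact string equality, so any caller relying on regex attribute values would need separate handling.

```ruby
  def find_tag_in_string text, options
    expected = options[:attributes] || {}
    Nokogiri::HTML.fragment(text).css(options[:tag]).find do |tag|
      actual = tag.attributes.each_with_object({}) do |(name, attr), acc|
        name = name.to_sym
        acc[name] = attr.value if expected.has_key? name
      end
      actual == expected
    end
  end
```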

> html >< tag" article.valid? - assert_no_match /[<>]/, article.name + assert_equal '

> html >

', article.name end should 'return truncated title in short_title' do @@ -1734,6 +1734,7 @@ class ArticleTest < ActiveSupport::TestCase should 'store first image in tracked action' do a = create TinyMceArticle, :name => 'Tracked Article', :body => '
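Review bot: The replacement assertion drops the property the removed `assert_no_match /[<>]/, article.name` enforced: the expected string visible here contains a literal `>` inside `article.name`, and the markup in both the input and the expectation is not legible on this page, so I cannot confirm what exactly is expected. Pinning the exact serialized output couples the test to the sanitizer's serialization and no longer guarantees that no `<` survives in `name`; keeping `assert_no_match /</, article.name` next to the exact-string check would retain that guarantee. The enclosing test body appears to start before this hunk.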

FooBar

', :profile_id => profile.id + assert_equal 'foo.png', a.first_image assert_equal 'foo.png', ActionTracker::Record.last.get_first_image end diff --git a/test/unit/tiny_mce_article_test.rb b/test/unit/tiny_mce_article_test.rb index 96537c1..376e5a4 100644 --- a/test/unit/tiny_mce_article_test.rb +++ b/test/unit/tiny_mce_article_test.rb @@ -82,16 +82,16 @@ class TinyMceArticleTest < ActiveSupport::TestCase assert_no_tag_in_string article.body, :tag => 'iframe', :attributes => { :src => "http://untrusted_site.com/videos.ogg"} end - should 'remove iframe if it has 2 or more src' do + should 'consider first src if there is 2 or more src' do assert_includes Environment.default.trusted_sites_for_iframe, 'itheora.org' article = create(TinyMceArticle, :profile => profile, :name => 'article', :abstract => 'abstract', :body => "") - assert_equal '', article.body + assert_tag_in_string article.body, :tag => 'iframe', :attributes => { :src => "http://itheora.org/videos.ogg"} end should 'not sanitize html comments' do article = TinyMceArticle.new - article.body = '

Wellformed html code

' + article.body = '

Wellformed html code

' article.valid? assert_match /

Wellformed html code <\/h1>/, article.body @@ -232,7 +232,7 @@ end :profile => profile ) assert_tag_in_string article.body, :tag => 'table', - :attributes => { :colspan => 2, :rowspan => 3 } + :attributes => { :colspan => '2', :rowspan => '3' } end end -- libgit2 0.21.2
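Review bot: The renamed test `should 'consider first src if there is 2 or more src'` records a behaviour change — an iframe with duplicate `src` attributes is now kept with its first value — without saying what makes that safe: the old test rejected such an element outright, and the new expectation relies on the sanitizer's HTML parser resolving duplicate attributes the same way browsers do (first occurrence wins under the HTML parsing rules, as far as I know). That assumption belongs in the test as a comment, e.g. `# duplicate attributes: the parser keeps the first one, as browsers do, so the trusted src is the one enforced`, so that a parser change keeping a different occurrence is recognised as a security regression rather than a flaky test. The iframe markup in the `:body` string is not legible on this page, so the two sources are inferred from the surrounding assertions.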