Commit e4246f5fc71ddd43709a6568cd4e53c2f6c4b3da

Authored by Victor Costa
1 parent 0e46219f

rails3: set allowed tags for sanitization

Also enable white list monkey patch to unescape html comments.
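--- a/config/application.rb
+++ b/config/application.rb
@@ -19,6 +19,12 @@ module Noosfero
 
 require 'noosfero/plugin'
 
+ # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper
+ config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay'
+
+ # Adds custom tags to the Set of allowed html tags for the #sanitize helper
+ config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source'
+
 # Settings in config/environments/* take precedence over those specified here.
 # Application configuration should go into files in config/initializers
 # -- all .rb files in that directory are automatically loaded.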
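Review bot: `'heigth'` in the sanitized_allowed_attributes list is a typo for `'height'`, so `height` on the newly allowed table/object/iframe markup will still be stripped by #sanitize; change it to `'height'`. More importantly, allowing `object`, `embed`, `applet` and `iframe` together with `data`, `codebase`, `classid`, `code`, `archive` and `flashvars` lets anyone whose content passes through #sanitize embed active content (Flash, Java, framed pages) from an arbitrary origin, which is an XSS and clickjacking vector on its own; as far as I recall the html-scanner sanitizer only protocol-checks its uri_attributes (src, href, cite, …), so a `javascript:` or `data:` value in `data` or `codebase` would not be rejected. If embedding is a product requirement, enforce a host allow-list for these elements in a custom scrubber rather than widening the global allow-list, and at minimum drop `applet`, `codebase`, `classid`, `code` and `archive`. Note that these setters merge into the Rails default sets rather than replacing them, so the change is additive for every sanitize call in the application.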
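--- a/vendor/plugins/monkey_patches/init.rb
+++ b/vendor/plugins/monkey_patches/init.rb
@@ -1,2 +1,3 @@
 require File.join(File.dirname(__FILE__), 'attachment_fu_validates_attachment/init')
 require File.join(File.dirname(__FILE__), 'attachment_fu/init')
+require File.join(File.dirname(__FILE__), 'white_list_sanitizer_unescape_before_reescape/init')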
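Review bot: The directory pulled in by the new require is still named white_list_sanitizer_unescape_before_reescape, but this same commit removes the process_attributes_for unescape-before-reescape override from that plugin and leaves only the comment-unescaping hook, so the name now describes behaviour that no longer exists. Renaming the directory (for example to white_list_sanitizer_unescape_comments) and updating this line, `require File.join(File.dirname(__FILE__), 'white_list_sanitizer_unescape_comments/init')`, would keep this index of monkey patches honest for the next maintainer.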
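--- a/vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
+++ b/vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
@@ -1,10 +1,8 @@
-# monkey patch to fix WhiteListSanitizer bug
-# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for
-#
-# this was solved in rails 2.2.1, then remove this patch when upgrade to it
+# encoding: utf-8
 
 HTML::WhiteListSanitizer.module_eval do
 
+ #unescape html comments
 def sanitize_with_filter_fixes(*args, &block)
 text = sanitize_without_filter_fixes(*args, &block)
 if text
@@ -17,19 +15,4 @@ HTML::WhiteListSanitizer.module_eval do
 end
 alias_method_chain :sanitize, :filter_fixes
 
- # unescape before reescape to avoid:
- # & -> & -> & -> & -> & -> etc
- protected
- def process_attributes_for(node, options)
- return unless node.attributes
- node.attributes.keys.each do |attr_name|
- value = node.attributes[attr_name].to_s
-
- if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
- node.attributes.delete(attr_name)
- else
- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value.gsub('&', '&'))
- end
- end
- end
 end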
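Review bot: The new `#unescape html comments` comment on sanitize_with_filter_fixes does not say why sanitizer output is being un-escaped, and that step is security-sensitive: restoring `<!--`/`-->` from the escaped text the sanitizer produced turns character data it deliberately neutralised back into comment markup, and browsers that honour conditional comments (`<!--[if IE]>…<![endif]-->`) execute what is inside them as live markup. The body of sanitize_with_filter_fixes continues outside the first hunk, so I cannot see exactly what is replaced; whatever it does must only restore the two delimiters of a comment that was already complete in the input and must never unescape the text between them. I would replace the comment with a header of the form `# Restore HTML comments that the sanitizer escaped to text. Only the <!-- and --> delimiters are put back; the comment body stays escaped so no markup can be smuggled through it.` once the implementation actually guarantees that. Dropping process_attributes_for is consistent with the old header noting the upstream fix in Rails 2.2.1.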