Commit e4246f5fc71ddd43709a6568cd4e53c2f6c4b3da
1 parent
0e46219f
Exists in
master
and in
29 other branches
rails3: set allowed tags for sanitization
Also enable white list monkey patch to unescape html comments.
Showing
3 changed files
with
9 additions
and
19 deletions
Show diff stats
config/application.rb
| @@ -19,6 +19,12 @@ module Noosfero | @@ -19,6 +19,12 @@ module Noosfero | ||
| 19 | 19 | ||
| 20 | require 'noosfero/plugin' | 20 | require 'noosfero/plugin' |
| 21 | 21 | ||
| 22 | + # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper | ||
| 23 | + config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay' | ||
| 24 | + | ||
| 25 | + # Adds custom tags to the Set of allowed html tags for the #sanitize helper | ||
| 26 | + config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source' | ||
| 27 | + | ||
| 22 | # Settings in config/environments/* take precedence over those specified here. | 28 | # Settings in config/environments/* take precedence over those specified here. |
| 23 | # Application configuration should go into files in config/initializers | 29 | # Application configuration should go into files in config/initializers |
| 24 | # -- all .rb files in that directory are automatically loaded. | 30 | # -- all .rb files in that directory are automatically loaded. |
vendor/plugins/monkey_patches/init.rb
| 1 | require File.join(File.dirname(__FILE__), 'attachment_fu_validates_attachment/init') | 1 | require File.join(File.dirname(__FILE__), 'attachment_fu_validates_attachment/init') |
| 2 | require File.join(File.dirname(__FILE__), 'attachment_fu/init') | 2 | require File.join(File.dirname(__FILE__), 'attachment_fu/init') |
| 3 | +require File.join(File.dirname(__FILE__), 'white_list_sanitizer_unescape_before_reescape/init') |
vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
| 1 | -# monkey patch to fix WhiteListSanitizer bug | ||
| 2 | -# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for | ||
| 3 | -# | ||
| 4 | -# this was solved in rails 2.2.1, then remove this patch when upgrade to it | 1 | +# encoding: utf-8 |
| 5 | 2 | ||
| 6 | HTML::WhiteListSanitizer.module_eval do | 3 | HTML::WhiteListSanitizer.module_eval do |
| 7 | 4 | ||
| 5 | + #unescape html comments | ||
| 8 | def sanitize_with_filter_fixes(*args, &block) | 6 | def sanitize_with_filter_fixes(*args, &block) |
| 9 | text = sanitize_without_filter_fixes(*args, &block) | 7 | text = sanitize_without_filter_fixes(*args, &block) |
| 10 | if text | 8 | if text |
| @@ -17,19 +15,4 @@ HTML::WhiteListSanitizer.module_eval do | @@ -17,19 +15,4 @@ HTML::WhiteListSanitizer.module_eval do | ||
| 17 | end | 15 | end |
| 18 | alias_method_chain :sanitize, :filter_fixes | 16 | alias_method_chain :sanitize, :filter_fixes |
| 19 | 17 | ||
| 20 | - # unescape before reescape to avoid: | ||
| 21 | - # & -> & -> & -> & -> & -> etc | ||
| 22 | - protected | ||
| 23 | - def process_attributes_for(node, options) | ||
| 24 | - return unless node.attributes | ||
| 25 | - node.attributes.keys.each do |attr_name| | ||
| 26 | - value = node.attributes[attr_name].to_s | ||
| 27 | - | ||
| 28 | - if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value) | ||
| 29 | - node.attributes.delete(attr_name) | ||
| 30 | - else | ||
| 31 | - node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value.gsub('&', '&')) | ||
| 32 | - end | ||
| 33 | - end | ||
| 34 | - end | ||
| 35 | end | 18 | end |