Commit e4246f5fc71ddd43709a6568cd4e53c2f6c4b3da
rails3: set allowed tags for sanitization
Also enable white list monkey patch to unescape html comments.
Showing
3 changed files
with
9 additions
and
19 deletions
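--- a/config/application.rb
+++ b/config/application.rb
@@ -19,6 +19,12 @@ module Noosfero
 
 require 'noosfero/plugin'
 
+ # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper
+ config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay'
+
+ # Adds custom tags to the Set of allowed html tags for the #sanitize helper
+ config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source'
+
 # Settings in config/environments/* take precedence over those specified here.
 # Application configuration should go into files in config/initializers
 # -- all .rb files in that directory are automatically loaded.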
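Review bot: `data`, `codebase`, `classid` and `archive` on line 23 are URL-valued attributes, but WhiteListSanitizer appears to run its bad-protocol check only on names in its `uri_attributes` set, so a `javascript:` or `data:` value in `<object data=...>` would be kept verbatim unless those names are also registered through `config.action_view.sanitized_uri_attributes` — please confirm against the Rails version in use. Allowing `object`, `embed`, `applet` and `iframe` (line 26) means the sanitizer deliberately passes embedded active content through; that trade-off belongs in the comment on line 25, e.g. `# Allows embedded active content (object/embed/applet/iframe); URL attributes such as data/codebase are only protocol-checked if also listed in sanitized_uri_attributes`. `'heigth'` on line 23 is a typo for `'height'` and as written allows nothing; either correct it or drop it if the stock list already covers `height`. The enclosing `class Application` starts outside the hunk.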
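--- a/vendor/plugins/monkey_patches/init.rb
+++ b/vendor/plugins/monkey_patches/init.rb
@@ -1,2 +1,3 @@
 require File.join(File.dirname(__FILE__), 'attachment_fu_validates_attachment/init')
 require File.join(File.dirname(__FILE__), 'attachment_fu/init')
+require File.join(File.dirname(__FILE__), 'white_list_sanitizer_unescape_before_reescape/init')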
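--- a/vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
+++ b/vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
@@ -1,10 +1,8 @@
-# monkey patch to fix WhiteListSanitizer bug
-# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for
-#
-# this was solved in rails 2.2.1, then remove this patch when upgrade to it
+# encoding: utf-8
 
 HTML::WhiteListSanitizer.module_eval do
 
+ #unescape html comments
 def sanitize_with_filter_fixes(*args, &block)
 text = sanitize_without_filter_fixes(*args, &block)
 if text
@@ -17,19 +15,4 @@ HTML::WhiteListSanitizer.module_eval do
 end
 alias_method_chain :sanitize, :filter_fixes
 
- # unescape before reescape to avoid:
- # & -> & -> & -> & -> & -> etc
- protected
- def process_attributes_for(node, options)
- return unless node.attributes
- node.attributes.keys.each do |attr_name|
- value = node.attributes[attr_name].to_s
-
- if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
- node.attributes.delete(attr_name)
- else
- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value.gsub('&', '&'))
- end
- end
- end
 end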
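Review bot: With the old header removed, the only explanation left for overriding `sanitize` is `#unescape html comments` on new line 5, which does not say what the override restores or why it is still needed on Rails 3. Since `sanitize_with_filter_fixes` re-inserts text after the stock sanitizer has run, anything it unescapes reaches the page unfiltered, so the comment should name exactly what is put back, e.g. `# Post-processes the stock #sanitize output to restore HTML comments it escaped; anything restored here bypasses the white list, keep it to comment markup only` plus a note on which Rails version makes it obsolete, mirroring the removed "remove this patch when" remark. The body of `sanitize_with_filter_fixes` (old lines 9-16) is outside the hunk, so I cannot confirm what is actually unescaped. Minor style: `# unescape` with a space after `#` matches the rest of the file.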