Commit e4246f5fc71ddd43709a6568cd4e53c2f6c4b3da

Authored by Victor Costa
1 parent 0e46219f

rails3: set allowed tags for sanitization

Also enable white list monkey patch to unescape html comments.
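--- a/config/application.rb
+++ b/config/application.rb
@@ -19,6 +19,12 @@ module Noosfero
 
 require 'noosfero/plugin'
 
+ # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper
+ config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target', 'codebase', 'archive', 'classid', 'code', 'flashvars', 'scrolling', 'frameborder', 'controls', 'autoplay'
+
+ # Adds custom tags to the Set of allowed html tags for the #sanitize helper
+ config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param', 'table', 'tr', 'th', 'td', 'applet', 'comment', 'iframe', 'audio', 'video', 'source'
+
 # Settings in config/environments/* take precedence over those specified here.
 # Application configuration should go into files in config/initializers
 # -- all .rb files in that directory are automatically loaded.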
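Review bot: The additions on new lines 23 and 26 let user-supplied HTML pass `sanitize` with `iframe`, `object`, `embed` and `applet` together with `data`, `codebase`, `classid`, `code` and `flashvars`, so the sanitizer no longer stops a page from embedding arbitrary external active content; this is only acceptable if another layer restricts where such content may be loaded from (for example a host allowlist applied to those attributes), and I would confirm that `contains_bad_protocols?` actually inspects `data` and `codebase`, since it presumably only checks the sanitizer's protocol-attribute set. `'heigth'` on line 23 looks like a typo for `'height'`; as written the entry is inert and should be corrected or dropped. The two comments say "Adds ... to the Set", which matches the merging behaviour of these setters, but it is worth stating explicitly that the defaults are kept, e.g. `# Merged into the default allowlist (nothing is removed); each entry widens what #sanitize lets through`.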
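--- a/vendor/plugins/monkey_patches/init.rb
+++ b/vendor/plugins/monkey_patches/init.rb
@@ -1,2 +1,3 @@
 require File.join(File.dirname(__FILE__), 'attachment_fu_validates_attachment/init')
 require File.join(File.dirname(__FILE__), 'attachment_fu/init')
+require File.join(File.dirname(__FILE__), 'white_list_sanitizer_unescape_before_reescape/init')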
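--- a/vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
+++ b/vendor/plugins/monkey_patches/white_list_sanitizer_unescape_before_reescape/init.rb
@@ -1,10 +1,8 @@
-# monkey patch to fix WhiteListSanitizer bug
-# http://apidock.com/rails/HTML/WhiteListSanitizer/process_attributes_for
-#
-# this was solved in rails 2.2.1, then remove this patch when upgrade to it
+# encoding: utf-8
 
 HTML::WhiteListSanitizer.module_eval do
 
+ #unescape html comments
 def sanitize_with_filter_fixes(*args, &block)
 text = sanitize_without_filter_fixes(*args, &block)
 if text
@@ -17,19 +15,4 @@ HTML::WhiteListSanitizer.module_eval do
 end
 alias_method_chain :sanitize, :filter_fixes
 
- # unescape before reescape to avoid:
- # & -> & -> & -> & -> & -> etc
- protected
- def process_attributes_for(node, options)
- return unless node.attributes
- node.attributes.keys.each do |attr_name|
- value = node.attributes[attr_name].to_s
-
- if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
- node.attributes.delete(attr_name)
- else
- node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value.gsub('&', '&'))
- end
- end
- end
 end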
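Review bot: The comment `#unescape html comments` added at new line 5 replaces the removed header that explained what this patch worked around and when it could be deleted, but says nothing about why comments need unescaping or that the rewrite happens after `sanitize_without_filter_fixes` has already applied the allowlist; the body of `sanitize_with_filter_fixes` (new lines 9–14) is outside the hunk, so I cannot confirm how narrowly the unescape is scoped. Because whatever is unescaped there is output the allowlist never inspected, the header should state that constraint, e.g. `# Post-processes WhiteListSanitizer#sanitize: restores HTML comments the sanitizer escaped. Runs after the allowlist pass, so it must only rewrite complete, well-formed comment sequences and nothing else.` With the `process_attributes_for` override removed in the second hunk, the directory name `white_list_sanitizer_unescape_before_reescape` no longer describes the patch; a rename or a note in the header would avoid confusing the next reader.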