Commit ed9643e652b61338ec94724cb18793dff80b7712

Authored by Tallys Martins
1 parent 17a72997

Fix XSS terminate removing custom attributes for Macros

Signed-off-by: Pedro de Lyra <pedrodelyra@gmail.com>
Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br>
Signed-off-by: Tallys Martins <tallysmartins@yahoo.com.br>
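--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -1,4 +1,6 @@
 module XssTerminate
+ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
+ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
 
 def self.sanitize_by_default=(value)
 @@sanitize_by_default = value
@@ -38,21 +40,29 @@ module XssTerminate
 
 module InstanceMethods
 
+def sanitize_allowed_attributes
+ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
+end
+
+def sanitize_custom_options
+{:attributes => sanitize_allowed_attributes}
+end
+
 def sanitize_field(sanitizer, field, serialized = false)
 field = field.to_sym
 if serialized
 puts field
 self[field].each_key { |key|
 key = key.to_sym
-self[field][key] = sanitizer.sanitize(self[field][key])
+self[field][key] = sanitizer.sanitize(self[field][key], sanitize_custom_options)
 }
 else
 if self[field]
-self[field] = sanitizer.sanitize(self[field])
+self[field] = sanitizer.sanitize(self[field], sanitize_custom_options)
 else
 value = self.send("#{field}")
 return unless value
-value = sanitizer.sanitize(value)
+value = sanitizer.sanitize(value, sanitize_custom_options)
 self.send("#{field}=", value)
 end
 end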
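Review bot: The `:attributes` option now passed to `sanitizer.sanitize` in all three branches of `sanitize_field` presumably overrides the sanitizer's own attribute allow-list rather than extending it, which makes `ALLOWED_CORE_ATTRIBUTES` the single hand-maintained list for every sanitized field and silently strips anything the default list allowed but this one omits; that intent deserves a comment above the constants, e.g. `# :attributes replaces the sanitizer's default attribute allow-list; keep ALLOWED_CORE_ATTRIBUTES in sync with it. data-macro is the only non-standard attribute kept, so macro expansion must still treat its value as untrusted input.` Both constants should also be frozen, `ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro).freeze`, so nothing can grow the shared allow-list at runtime. Whether URL-bearing attributes such as `href` and `src` still receive protocol filtering when a custom `:attributes` list is supplied depends on the sanitizer implementation, which is not visible here, and is worth pinning with a test. Separately, the retained `puts field` in the serialized branch writes every sanitized field name to stdout and looks like leftover debugging that should be removed.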