Fix XSS terminate removing custom attributes for Macros

Signed-off-by: Pedro de Lyra <pedrodelyra@gmail.com> Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br> Signed-off-by: Tallys Martins <tallysmartins@yahoo.com.br>

Fix XSS terminate removing custom attributes for Macros
Signed-off-by: Pedro de Lyra <pedrodelyra@gmail.com> Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br> Signed-off-by: Tallys Martins <tallysmartins@yahoo.com.br>
Tallys Martins
1 parent 17a72997
Showing 1 changed file with 13 additions and 3 deletions Show diff stats
vendor/plugins/xss_terminate/lib/xss_terminate.rb
 module XssTerminate
+  ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
+  ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
   def self.sanitize_by_default=(value)
     @@sanitize_by_default = value
@@ -38,21 +40,29 @@ module XssTerminate
   module InstanceMethods
+    def sanitize_allowed_attributes
+      ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
+    end
+
+    def sanitize_custom_options
+      {:attributes => sanitize_allowed_attributes}
+    end
+
     def sanitize_field(sanitizer, field, serialized = false)
       field = field.to_sym
       if serialized
         puts field
         self[field].each_key { |key|
           key = key.to_sym
-          self[field][key] = sanitizer.sanitize(self[field][key])
+          self[field][key] = sanitizer.sanitize(self[field][key], sanitize_custom_options)
         }
       else
         if self[field]
-          self[field] = sanitizer.sanitize(self[field])
+          self[field] = sanitizer.sanitize(self[field], sanitize_custom_options)
         else
           value = self.send("#{field}")
           return unless value
-          value = sanitizer.sanitize(value)
+          value = sanitizer.sanitize(value, sanitize_custom_options)
           self.send("#{field}=", value)
         end
       end