Commit f30fb2164bd28b162f6f9635918b4350e5579a37

Authored by Daniela Feitosa
Committed by Antonio Terceiro
1 parent 6ae03d55

ActionItem1216: unescaped html comment tags on articles

* monkey patch in the plugin init
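--- a/test/unit/text_article_test.rb
+++ b/test/unit/text_article_test.rb
@@ -19,5 +19,11 @@ class TextArticleTest < Test::Unit::TestCase
     article = TextileArticle.create!(:name => 'found article test', :profile => person)
     assert_equal TextileArticle.find_by_contents('found'), TextArticle.find_by_contents('found')
   end
-
+
+  should 'remove comments from TextArticle body' do
+    person = create_user('testuser').person
+    article = TextArticle.create!(:profile => person, :name => 'article', :body => "the <!-- comment --> article ...")
+    assert_equal "the article ...", article.body
+  end
+
 end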
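--- a/test/unit/tiny_mce_article_test.rb
+++ b/test/unit/tiny_mce_article_test.rb
@@ -35,8 +35,12 @@ class TinyMceArticleTest < Test::Unit::TestCase
   should 'not translate & to amp; over times' do
     article = TinyMceArticle.create!(:name => 'link', :body => "<a href='www.invalid.com?param1=value&param2=value'>link</a>", :profile => profile)
     assert article.save
-    assert_no_match /&amp;amp;/, article.body
-    assert_match /&amp;/, article.body
+    assert_no_match(/&amp;amp;/, article.body)
+    assert_match(/&amp;/, article.body)
   end
 
+  should 'not escape comments from tiny mce article body' do
+    article = TinyMceArticle.create!(:profile => profile, :name => 'article', :abstract => 'abstract', :body => "the <!-- comment --> article ...")
+    assert_equal "the <!-- comment --> article ...", article.body
+  end
 end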
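--- a/vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb
+++ b/vendor/plugins/white_list_sanitizer_unescape_before_reescape/init.rb
@@ -4,6 +4,13 @@
 # this was solved in rails 2.2.1, then remove this patch when upgrade to it
 
 HTML::WhiteListSanitizer.module_eval do
+
+  def sanitize_with_filter_comments(*args, &block)
+    text = sanitize_without_filter_comments(*args, &block)
+    text.gsub(/&lt;!--/, '<!--') if text
+  end
+  alias_method_chain :sanitize, :filter_comments
+
   # unescape before reescape to avoid:
   # & -> &amp; -> &amp;amp; -> &amp;amp;amp; -> &amp;amp;amp;amp; -> etc
   protected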
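Review bot: `sanitize_with_filter_comments` (new lines 8–11) rewrites every `&lt;!--` in the already-sanitized output back to a raw `<!--` whether or not a closing `-->` follows, so user-supplied content can open an unterminated HTML comment that hides the rest of the rendered page, and conditional-comment syntax (`<!--[if ...]>`), which older Internet Explorer parsed as markup rather than as a comment, passes through unchanged. Because the chain is installed on `HTML::WhiteListSanitizer#sanitize` itself, this applies to every `sanitize` call in the application, not only TinyMceArticle, while the new test in test/unit/tiny_mce_article_test.rb covers a single well-formed comment. Assuming, as that test expects, the `-->` closer survives sanitization unescaped, restrict the restore to complete non-conditional comments by replacing line 10 with `text.gsub(/&lt;!--(?!\[)(.*?)-->/m, '<!--\1-->') if text`, and add a test with an unterminated `<!--` asserting the opener stays escaped. A comment above the method such as `# TinyMCE emits HTML comments; the sanitizer escapes the opener, so restore well-formed ones only` would record the intent. The `module_eval` block continues past the end of the hunk.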