Fix XSS terminate removing custom attributes for Macros

Signed-off-by: Pedro de Lyra <pedrodelyra@gmail.com> Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br> Signed-off-by: Tallys Martins <tallysmartins@yahoo.com.br>

Fix XSS terminate removing custom attributes for Macros
Signed-off-by: Pedro de Lyra <pedrodelyra@gmail.com> Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br> Signed-off-by: Tallys Martins <tallysmartins@yahoo.com.br>
Tallys Martins
1 parent 6d69da64
Showing 1 changed file with 9 additions and 3 deletions Show diff stats
vendor/plugins/xss_terminate/lib/xss_terminate.rb
 module XssTerminate
+  ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
+  ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
  
   def self.sanitize_by_default=(value)
     @@sanitize_by_default = value
@@ -38,21 +40,25 @@ module XssTerminate
  
   module InstanceMethods
  
+    def sanitize_allowed_attributes
+      ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
+    end
+
     def sanitize_field(sanitizer, field, serialized = false)
       field = field.to_sym
       if serialized
         puts field
         self[field].each_key { |key|
           key = key.to_sym
-          self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
         }
       else
         if self[field]
-          self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
         else
           value = self.send("#{field}")
           return unless value
-          value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
           self.send("#{field}=", value)
         end
       end
1	1	module XssTerminate
	2	+ ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
	3	+ ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
2	4
3	5	def self.sanitize_by_default=(value)
4	6	@@sanitize_by_default = value
...	...	@@ -38,21 +40,25 @@ module XssTerminate
38	40
39	41	module InstanceMethods
40	42
	43	+ def sanitize_allowed_attributes
	44	+ ALLOWED_CORE_ATTRIBUTES \| ALLOWED_CUSTOM_ATTRIBUTES
	45	+ end
	46	+
41	47	def sanitize_field(sanitizer, field, serialized = false)
42	48	field = field.to_sym
43	49	if serialized
44	50	puts field
45	51	self[field].each_key { \|key\|
46	52	key = key.to_sym
47		- self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
	53	+ self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
48	54	}
49	55	else
50	56	if self[field]
51		- self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
	57	+ self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
52	58	else
53	59	value = self.send("#{field}")
54	60	return unless value
55		- value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
	61	+ value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
56	62	self.send("#{field}=", value)
57	63	end
58	64	end
...	...