Commit fcce10fe70e737d7ca1fa67085aec026d7efb577

Authored by Tallys Martins
1 parent 6d69da64

Fix XSS terminate removing custom attributes for Macros

Signed-off-by: Pedro de Lyra <pedrodelyra@gmail.com>
Signed-off-by: Rodrigo Souto <rodrigo@colivre.coop.br>
Signed-off-by: Tallys Martins <tallysmartins@yahoo.com.br>
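--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -1,4 +1,6 @@
 module XssTerminate
+  ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
+  ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
 
   def self.sanitize_by_default=(value)
     @@sanitize_by_default = value
@@ -38,21 +40,25 @@ module XssTerminate
 
   module InstanceMethods
 
+    def sanitize_allowed_attributes
+      ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
+    end
+
     def sanitize_field(sanitizer, field, serialized = false)
       field = field.to_sym
       if serialized
         puts field
         self[field].each_key { |key|
           key = key.to_sym
-          self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
         }
       else
         if self[field]
-          self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
         else
           value = self.send("#{field}")
           return unless value
-          value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
           self.send("#{field}=", value)
         end
       end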
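Review bot: The `attributes:` option added to the three `sanitizer.sanitize` calls in `sanitize_field` is very likely a no-op, because each call also passes `scrubber: Rails::Html::PermitScrubber.new` — in rails-html-sanitizer a supplied `scrubber:` is handed the fragment as-is and the `tags:`/`attributes:` options are only consulted when no scrubber is given, so the bare PermitScrubber still falls back to Loofah's built-in attribute safe list and `data-macro` is stripped anyway (worth confirming against the sanitizer version this vendored plugin runs with). The allow list has to be set on the scrubber itself, e.g. a small `sanitize_scrubber` helper next to `sanitize_allowed_attributes` that returns a PermitScrubber with `attributes = sanitize_allowed_attributes` and is used by all three call sites (sketched below); a test that round-trips a `<div data-macro="x">` through `sanitize_field` would catch this regression. With the list configured on the scrubber, `href`/`src` values should still go through PermitScrubber's URI protocol check, so listing them in ALLOWED_CORE_ATTRIBUTES does not by itself reopen script URLs, while every attribute outside the two lists (e.g. `style`, `id`) is now dropped — make sure that is intended. `sanitize_field` closes outside the hunk, and the `puts field` on the serialized branch is pre-existing debug output that could be removed at the same time.
```ruby
# A supplied scrubber is used as-is by the sanitizer, so the attribute
# allow list must be configured on the scrubber, not passed to sanitize.
def sanitize_scrubber
  scrubber = Rails::Html::PermitScrubber.new
  scrubber.attributes = sanitize_allowed_attributes
  scrubber
end

def sanitize_field(sanitizer, field, serialized = false)
  # … unchanged: field.to_sym, serialized branch, each_key …
      self[field][key] = sanitizer.sanitize(self[field][key], scrubber: sanitize_scrubber, encode_special_chars: false)
  # … unchanged: else / if self[field] …
      self[field] = sanitizer.sanitize(self[field], scrubber: sanitize_scrubber, encode_special_chars: false)
  # … unchanged: else branch, value lookup, guard …
      value = sanitizer.sanitize(value, scrubber: sanitize_scrubber, encode_special_chars: false)
  # … unchanged: remainder of sanitize_field …
```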