Commit 03c411eb6321e90b3c1a9405a36d2d50fb2728fa
Committed by
Antonio Terceiro
1 parent
030dc146
ActionItem1227: not allowing link to javascript on linkblock
Showing
2 changed files
with
19 additions
and
1 deletions
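--- a/app/models/link_list_block.rb
+++ b/app/models/link_list_block.rb
@@ -49,7 +49,9 @@ class LinkListBlock < Block
 
   def link_html(link)
     klass = 'icon-' + link[:icon] if link[:icon]
-    link_to(link[:name], expand_address(link[:address]), :class => klass)
+    sanitize_link(
+      link_to(link[:name], expand_address(link[:address]), :class => klass)
+    )
   end
 
   def expand_address(address)
@@ -71,4 +73,10 @@ class LinkListBlock < Block
     end
   end
 
+  private
+
+  def sanitize_link(text)
+    sanitizer = HTML::WhiteListSanitizer.new
+    sanitizer.sanitize(text)
+  end
 end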
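Review bot: `sanitize_link` filters the already-rendered anchor, so a `javascript:` address is only dropped from the `href` at display time; the block still emits an anchor with no target and the person who saved the link gets no feedback about why. Consider also validating `link[:address]` against an allow-list of schemes where the links are saved, so bad input is rejected early and `sanitize_link` stays as defence in depth rather than the only control. A fresh `HTML::WhiteListSanitizer` is built on every call to `link_html`; if the instance holds no per-call state, hoisting it to a class-level constant such as `SANITIZER = HTML::WhiteListSanitizer.new` and calling `SANITIZER.sanitize(text)` avoids the per-link allocation. Depending on the Rails version in use, the sanitizer's return value may not be marked `html_safe`, so it is worth confirming the view does not escape the returned markup a second time. The body of `expand_address` continues outside the hunk.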
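--- a/test/unit/link_list_block_test.rb
+++ b/test/unit/link_list_block_test.rb
@@ -57,4 +57,14 @@ class LinkListBlockTest < ActiveSupport::TestCase
     assert_no_match /class="/, l.link_html({:icon => nil, :name => 'test', :address => 'test.com'})
   end
 
+  should 'not add link to javascript' do
+    l = LinkListBlock.new(:links => [{:name => 'link', :address => "javascript:alert('Message test')"}])
+    assert_no_match /javascript/, l.link_html(l.links.first)
+  end
+
+  should 'not add link to onclick' do
+    l = LinkListBlock.new(:links => [{:name => 'link', :address => "#\" onclick=\"alert(123456)"}])
+    assert_no_match /onclick/, l.link_html(l.links.first)
+  end
+
 end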
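Review bot: The second test ('not add link to onclick') presumably passes because `link_to` escapes the quote in the attribute value regardless of the new sanitizer, so it would not detect a regression in `sanitize_link`; only the first test exercises the scheme filtering. A stronger assertion for the first case would check that the allowed parts survive as well, e.g. `assert_match /<a[^>]*>link<\/a>/, l.link_html(l.links.first)`, so the test fails if the sanitizer ever strips the whole anchor rather than just the `href`. Adding a case with a mixed-case or whitespace-padded scheme (e.g. `"JavaScript:..."`) would also document that the allow-list is not bypassed by trivial variations.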