Commit 03c411eb6321e90b3c1a9405a36d2d50fb2728fa

Authored by Daniela Feitosa
Committed by Antonio Terceiro
1 parent 030dc146

ActionItem1227: not allowing link to javascript on linkblock

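--- a/app/models/link_list_block.rb
+++ b/app/models/link_list_block.rb
@@ -49,7 +49,9 @@ class LinkListBlock < Block
 
 def link_html(link)
 klass = 'icon-' + link[:icon] if link[:icon]
-link_to(link[:name], expand_address(link[:address]), :class => klass)
+sanitize_link(
+link_to(link[:name], expand_address(link[:address]), :class => klass)
+)
 end
 
 def expand_address(address)
@@ -71,4 +73,10 @@ class LinkListBlock < Block
 end
 end
 
+private
+
+def sanitize_link(text)
+sanitizer = HTML::WhiteListSanitizer.new
+sanitizer.sanitize(text)
+end
 end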
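Review bot: `sanitize_link` cleans the already-rendered anchor markup instead of validating `link[:address]` before the tag is built, so the block depends entirely on `HTML::WhiteListSanitizer`'s default protocol whitelist to drop a `javascript:` href, and a rejected address presumably degrades silently to an anchor with no usable href rather than being reported; the same applies to the first hunk's `sanitize_link(...)` wrapper and the second hunk's helper. A scheme check on the address itself would belong in `expand_address`, whose body lies outside this hunk. Creating a new `HTML::WhiteListSanitizer` on every call is also unnecessary: a class-level `SANITIZER = HTML::WhiteListSanitizer.new` with `SANITIZER.sanitize(text)` in the helper would do. The helper deserves a short comment such as `# Defense in depth: strips unsafe protocols/attributes from the rendered <a> tag`.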
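--- a/test/unit/link_list_block_test.rb
+++ b/test/unit/link_list_block_test.rb
@@ -57,4 +57,14 @@ class LinkListBlockTest < ActiveSupport::TestCase
 assert_no_match /class="/, l.link_html({:icon => nil, :name => 'test', :address => 'test.com'})
 end
 
+should 'not add link to javascript' do
+l = LinkListBlock.new(:links => [{:name => 'link', :address => "javascript:alert('Message test')"}])
+assert_no_match /javascript/, l.link_html(l.links.first)
+end
+
+should 'not add link to onclick' do
+l = LinkListBlock.new(:links => [{:name => 'link', :address => "#\" onclick=\"alert(123456)"}])
+assert_no_match /onclick/, l.link_html(l.links.first)
+end
+
 end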
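Review bot: Both new tests only assert the absence of a substring, so they cannot tell whether the `onclick` text was stripped as an attribute or merely escaped into the `href` value by `link_to`, and nothing guards against the sanitizer over-stripping a legitimate address. A positive companion test that an ordinary address survives `sanitize_link` would close that gap, e.g. `should 'keep href for a plain address' do` with `assert_match /href="/, l.link_html(l.links.first)` for a `:address => 'test.com'` link, mirroring the existing test on the first line of the hunk. For the `onclick` case, asserting on the exact rendered tag rather than a bare `/onclick/` would pin the intended behaviour.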