Commit 7c655652d42e7d40539cc64ad4abf44bf6d98663
Committed by
Antonio Terceiro
Antonio Terceiro
1 parent
08f085e6
Exists in
master
and in
28 other branches
not sanitize target attribute from tag <a>
Showing
2 changed files
with
7 additions
and
1 deletions
Show diff stats
config/environment.rb
| ... | ... | @@ -78,7 +78,7 @@ Rails::Initializer.run do |config| |
| 78 | 78 | } |
| 79 | 79 | |
| 80 | 80 | # Adds custom attributes to the Set of allowed html attributes for the #sanitize helper |
| 81 | - config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style' | |
| 81 | + config.action_view.sanitized_allowed_attributes = 'align', 'border', 'alt', 'vspace', 'hspace', 'width', 'heigth', 'value', 'type', 'data', 'style', 'target' | |
| 82 | 82 | |
| 83 | 83 | # Adds custom tags to the Set of allowed html tags for the #sanitize helper |
| 84 | 84 | config.action_view.sanitized_allowed_tags = 'object', 'embed', 'param' | ... | ... |
test/unit/tiny_mce_article_test.rb
| ... | ... | @@ -26,4 +26,10 @@ class TinyMceArticleTest < Test::Unit::TestCase |
| 26 | 26 | assert_includes Article.find_by_contents('article'), tma |
| 27 | 27 | end |
| 28 | 28 | |
| 29 | + should 'not sanitize target attribute' do | |
| 30 | + ze = create_user('zezinho').person | |
| 31 | + article = TinyMceArticle.create!(:name => 'open link in new window', :body => "open <a href='www.invalid.com' target='_blank'>link</a> in new window", :profile => ze) | |
| 32 | + assert_tag_in_string article.body, :tag => 'a', :attributes => {:target => '_blank'} | |
| 33 | + end | |
| 34 | + | |
| 29 | 35 | end | ... | ... |