[Git][noosfero/noosfero][master] 2 commits: metadata: marks urls as html safe
Bráulio Bhavamitra
gitlab at gitlab.com
Fri Aug 21 09:43:39 BRT 2015
Bráulio Bhavamitra pushed to branch master at Noosfero / noosfero
Commits:
8235fc9d by Braulio Bhavamitra at 2015-08-13T14:05:48Z
metadata: marks urls as html safe
- - - - -
e1d56f4b by Bráulio Bhavamitra at 2015-08-21T12:43:24Z
Merge branch 'metadata-plugin' into 'master'
metadata: marks urls as html safe
This also fix a core bug of double escaping urls.
See merge request !653
- - - - -
9 changed files:
- app/models/article.rb
- plugins/metadata/lib/ext/article.rb
- plugins/metadata/lib/ext/product.rb
- plugins/metadata/lib/ext/profile.rb
- plugins/metadata/lib/ext/uploaded_file.rb
- plugins/metadata/lib/metadata_plugin/base.rb
- plugins/metadata/lib/metadata_plugin/url_helper.rb
- plugins/metadata/test/functional/content_viewer_controller_test.rb
- test/unit/article_test.rb
Changes:
=====================================
app/models/article.rb
=====================================
--- a/app/models/article.rb
+++ b/app/models/article.rb
@@ -743,9 +743,10 @@ class Article < ActiveRecord::Base
end
def body_images_paths
- require 'uri'
Nokogiri::HTML.fragment(self.body.to_s).css('img[src]').collect do |i|
- (self.profile && self.profile.environment) ? URI.join(self.profile.environment.top_url, URI.escape(i['src'])).to_s : i['src']
+ src = i['src']
+ src = URI.escape src if self.new_record? # xss_terminate runs on save
+ (self.profile && self.profile.environment) ? URI.join(self.profile.environment.top_url, src).to_s : src
end
end
=====================================
plugins/metadata/lib/ext/article.rb
=====================================
--- a/plugins/metadata/lib/ext/article.rb
+++ b/plugins/metadata/lib/ext/article.rb
@@ -12,9 +12,9 @@ class Article
end,
title: proc{ |a, plugin| "#{a.title} - #{a.profile.name}" },
image: proc do |a, plugin|
- img = a.body_images_paths
- img = "#{a.profile.environment.top_url}#{a.profile.image.public_filename}" if a.profile.image if img.blank?
- img ||= MetadataPlugin.config[:open_graph][:environment_logo] rescue nil if img.blank?
+ img = a.body_images_paths.map! &:html_safe
+ img = "#{a.profile.environment.top_url}#{a.profile.image.public_filename}".html_safe if a.profile.image if img.blank?
+ img ||= MetadataPlugin.config[:open_graph][:environment_logo].html_safe rescue nil if img.blank?
img
end,
see_also: [],
@@ -31,10 +31,10 @@ class Article
card: 'summary',
description: proc do |a, plugin|
description = a.body.to_s || a.environment.name
- CGI.escapeHTML(plugin.helpers.truncate(plugin.helpers.strip_tags(description), length: 200))
+ plugin.helpers.truncate plugin.helpers.strip_tags(description), length: 200
end,
title: proc{ |a, plugin| "#{a.title} - #{a.profile.name}" },
- image: proc{ |a, plugin| a.body_images_paths },
+ image: proc{ |a, plugin| a.body_images_paths.map! &:html_safe },
}
metadata_spec namespace: :article, key_attr: :property, tags: {
=====================================
plugins/metadata/lib/ext/product.rb
=====================================
--- a/plugins/metadata/lib/ext/product.rb
+++ b/plugins/metadata/lib/ext/product.rb
@@ -14,8 +14,8 @@ class Product
description: proc{ |p, plugin| ActionView::Base.full_sanitizer.sanitize p.description },
image: proc do |p, plugin|
- img = "#{p.environment.top_url}#{p.image.public_filename}" if p.image
- img = "#{p.environment.top_url}#{p.profile.image.public_filename}" if img.blank? and p.profile.image
+ img = "#{p.environment.top_url}#{p.image.public_filename}".html_safe if p.image
+ img = "#{p.environment.top_url}#{p.profile.image.public_filename}".html_safe if img.blank? and p.profile.image
img ||= MetadataPlugin.config[:open_graph][:environment_logo] rescue nil if img.blank?
img
end,
=====================================
plugins/metadata/lib/ext/profile.rb
=====================================
--- a/plugins/metadata/lib/ext/profile.rb
+++ b/plugins/metadata/lib/ext/profile.rb
@@ -5,8 +5,8 @@ class Profile
metadata_spec namespace: :og, tags: {
type: proc{ |p, plugin| plugin.context.params[:og_type] || MetadataPlugin.og_types[:profile] || :profile },
image: proc do |p, plugin|
- img = "#{p.environment.top_url}#{p.image.public_filename}" if p.image
- img ||= MetadataPlugin.config[:open_graph][:environment_logo] rescue nil if img.blank?
+ img = "#{p.environment.top_url}#{p.image.public_filename}".html_safe if p.image
+ img ||= MetadataPlugin.config[:open_graph][:environment_logo].html_safe rescue nil if img.blank?
img
end,
title: proc{ |p, plugin| if p.nickname.present? then p.nickname else p.name end },
=====================================
plugins/metadata/lib/ext/uploaded_file.rb
=====================================
--- a/plugins/metadata/lib/ext/uploaded_file.rb
+++ b/plugins/metadata/lib/ext/uploaded_file.rb
@@ -13,7 +13,7 @@ class UploadedFile
plugin.og_url_for url
end,
title: proc{ |u, plugin| u.title },
- image: proc{ |u, plugin| "#{u.environment.top_url}#{u.public_filename}" if u.image? },
+ image: proc{ |u, plugin| "#{u.environment.top_url}#{u.public_filename}".html_safe if u.image? },
description: proc{ |u, plugin| u.abstract || u.title },
}
=====================================
plugins/metadata/lib/metadata_plugin/base.rb
=====================================
--- a/plugins/metadata/lib/metadata_plugin/base.rb
+++ b/plugins/metadata/lib/metadata_plugin/base.rb
@@ -50,7 +50,8 @@ class MetadataPlugin::Base < Noosfero::Plugin
Array(values).each do |value|
value = value.call(object, plugin) if value.is_a? Proc rescue nil
next if value.blank?
- r << tag(:meta, key_attr => key, value_attr => CGI.escape_html(value.to_s))
+ value = h value unless value.html_safe?
+ r << tag(:meta, {key_attr => key, value_attr => value.to_s}, false, false)
end
end
end
=====================================
plugins/metadata/lib/metadata_plugin/url_helper.rb
=====================================
--- a/plugins/metadata/lib/metadata_plugin/url_helper.rb
+++ b/plugins/metadata/lib/metadata_plugin/url_helper.rb
@@ -7,7 +7,8 @@ module MetadataPlugin::UrlHelper
def og_url_for options
options.delete :port
options[:host] = self.og_domain
- Noosfero::Application.routes.url_helpers.url_for options
+ url = Noosfero::Application.routes.url_helpers.url_for options
+ url.html_safe
end
def og_profile_url profile
=====================================
plugins/metadata/test/functional/content_viewer_controller_test.rb
=====================================
--- a/plugins/metadata/test/functional/content_viewer_controller_test.rb
+++ b/plugins/metadata/test/functional/content_viewer_controller_test.rb
@@ -48,6 +48,14 @@ class ContentViewerControllerTest < ActionController::TestCase
assert_tag tag: 'meta', attributes: { property: 'og:image', content: /\/images\/x.png/ }
end
+ should 'escape utf8 characters correctly' do
+ a = TinyMceArticle.create(name: 'Article to be shared with images', body: 'This article should be shared with all social networks <img src="/images/ç.png" />', profile: profile)
+
+ get :view_page, profile: profile.identifier, page: [ a.name.to_slug ]
+ assert_tag tag: 'meta', attributes: { property: 'og:image', content: /\/images\/%C3%A7.png/ }
+ end
+
+
should 'render not_found page properly' do
assert_equal false, Article.exists?(:slug => 'non-existing-page')
assert_nothing_raised do
=====================================
test/unit/article_test.rb
=====================================
--- a/test/unit/article_test.rb
+++ b/test/unit/article_test.rb
@@ -1497,6 +1497,17 @@ class ArticleTest < ActiveSupport::TestCase
assert_includes a.body_images_paths, 'http://test.com/noosfero.png'
end
+ should 'escape utf8 characters correctly' do
+ Environment.any_instance.stubs(:default_hostname).returns('noosfero.org')
+ a = build TinyMceArticle, profile: @profile
+ a.body = 'Noosfero <img src="http://noosfero.com/cabeça.png" /> '
+ assert_includes a.body_images_paths, 'http://noosfero.com/cabe%C3%A7a.png'
+
+ # check if after save (that is, after xss_terminate run)
+ a.save!
+ assert_includes a.body_images_paths, 'http://noosfero.com/cabe%C3%A7a.png'
+ end
+
should 'get absolute images paths in article body' do
Environment.any_instance.stubs(:default_hostname).returns('noosfero.org')
a = build TinyMceArticle, :profile => @profile
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/1cc6c42276a2c2bcc1faad02c7693fd1f77f647a...e1d56f4be78aa13f5dc7a200e72095d56322d81c
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listas.softwarelivre.org/pipermail/noosfero-dev/attachments/20150821/3515948e/attachment-0001.html>
More information about the Noosfero-dev
mailing list