[Git][noosfero/noosfero][master] 2 commits: Fix XSS terminate removing custom attributes for Macros
Rodrigo Souto
gitlab at mg.gitlab.com
Tue Dec 15 15:01:34 BRST 2015
Rodrigo Souto pushed to branch master at Noosfero / noosfero
Commits:
fcce10fe by Tallys Martins at 2015-12-14T18:24:57Z
Fix XSS terminate removing custom attributes for Macros
Signed-off-by: Pedro de Lyra <pedrodelyra at gmail.com>
Signed-off-by: Rodrigo Souto <rodrigo at colivre.coop.br>
Signed-off-by: Tallys Martins <tallysmartins at yahoo.com.br>
- - - - -
568d29ce by Rodrigo Souto at 2015-12-15T17:01:04Z
Merge branch 'xss_terminate_custom_options' into 'master'
Fix XSS terminate removing custom attributes for Macros
Signed-off-by: Pedro de Lyra <pedrodelyra at gmail.com>
Signed-off-by: Rodrigo Souto <rodrigo at colivre.coop.br>
Signed-off-by: Tallys Martins <tallysmartins at yahoo.com.br>
See merge request !748
- - - - -
1 changed file:
- vendor/plugins/xss_terminate/lib/xss_terminate.rb
Changes:
=====================================
vendor/plugins/xss_terminate/lib/xss_terminate.rb
=====================================
--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -1,4 +1,6 @@
module XssTerminate
+ ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
+ ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
def self.sanitize_by_default=(value)
@@sanitize_by_default = value
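Review bot: ALLOWED_CORE_ATTRIBUTES hardcodes a copy of the sanitizer's default attribute safelist, and passing it through `attributes:` replaces the default set rather than extending it, so any attribute the default list allows but this constant omits will now be stripped; a comment stating that the list mirrors the Rails default (and which version it was copied from) would make that deliberate. It would also help to record next to `ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)` why `data-macro` is safe to keep (what the macro renderer does with its value), so that future additions to the custom list get the same scrutiny.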
@@ -38,21 +40,25 @@ module XssTerminate
module InstanceMethods
+ def sanitize_allowed_attributes
+ ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
+ end
+
def sanitize_field(sanitizer, field, serialized = false)
field = field.to_sym
if serialized
puts field
self[field].each_key { |key|
key = key.to_sym
- self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+ self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
}
else
if self[field]
- self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+ self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
else
value = self.send("#{field}")
return unless value
- value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+ value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
self.send("#{field}=", value)
end
end
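Review bot: All three `sanitize` calls pass both `scrubber: Rails::Html::PermitScrubber.new` and `attributes: sanitize_allowed_attributes`; as far as I know `Rails::Html::SafeListSanitizer#sanitize` uses a supplied scrubber as-is and only consults `tags:`/`attributes:` when no scrubber is given, in which case the new option would be silently ignored and `data-macro` still stripped. A test that sanitizes a fragment carrying `data-macro` and asserts it survives would settle this; if it fails, set the list on the scrubber instead, e.g. `scrubber = Rails::Html::PermitScrubber.new; scrubber.attributes = sanitize_allowed_attributes`. While here, the identical option hash is repeated three times and could live in one helper next to `sanitize_allowed_attributes`, and the leftover `puts field` in the serialized branch looks like debugging output that should go.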
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/7816909c0de56e6558d0e450189aa29d4b3a4f6f...568d29ce8251d3ffd3443c8e632fb7c75ceeaf06