[Git][noosfero/noosfero][master] 2 commits: Fix XSS terminate removing custom attributes for Macros

Rodrigo Souto gitlab at mg.gitlab.com
Tue Dec 15 15:01:34 BRST 2015


Rodrigo Souto pushed to branch master at Noosfero / noosfero


Commits:
fcce10fe by Tallys Martins at 2015-12-14T18:24:57Z
Fix XSS terminate removing custom attributes for Macros

Signed-off-by: Pedro de Lyra <pedrodelyra at gmail.com>
Signed-off-by: Rodrigo Souto <rodrigo at colivre.coop.br>
Signed-off-by: Tallys Martins <tallysmartins at yahoo.com.br>

- - - - -
568d29ce by Rodrigo Souto at 2015-12-15T17:01:04Z
Merge branch 'xss_terminate_custom_options' into 'master'

Fix XSS terminate removing custom attributes for Macros

Signed-off-by: Pedro de Lyra <pedrodelyra at gmail.com>
Signed-off-by: Rodrigo Souto <rodrigo at colivre.coop.br>
Signed-off-by: Tallys Martins <tallysmartins at yahoo.com.br>

See merge request !748
- - - - -


1 changed file:

- vendor/plugins/xss_terminate/lib/xss_terminate.rb


Changes:

=====================================
vendor/plugins/xss_terminate/lib/xss_terminate.rb
=====================================
--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -1,4 +1,6 @@
 module XssTerminate
+  ALLOWED_CORE_ATTRIBUTES = %w(name href cite class title src xml:lang height datetime alt abbr width)
+  ALLOWED_CUSTOM_ATTRIBUTES = %w(data-macro)
 
   def self.sanitize_by_default=(value)
     @@sanitize_by_default = value
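Review bot: the two new constants need a short comment saying where ALLOWED_CORE_ATTRIBUTES comes from and why data-macro is the only custom entry. ALLOWED_CORE_ATTRIBUTES duplicates the sanitizer's default attribute whitelist, so passing it explicitly replaces that default instead of extending it; any attribute the default gains later is dropped here unless this list is updated, and a comment (or a reference to the sanitizer's own constant) would make that explicit. Because data-macro now survives sanitization of user-supplied content, the code that resolves a data-macro value to a macro implementation is the place that must reject anything that is not a registered macro name; that code is not in this diff, so it is worth confirming in the merge request.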
@@ -38,21 +40,25 @@ module XssTerminate
 
   module InstanceMethods
 
+    def sanitize_allowed_attributes
+      ALLOWED_CORE_ATTRIBUTES | ALLOWED_CUSTOM_ATTRIBUTES
+    end
+
     def sanitize_field(sanitizer, field, serialized = false)
       field = field.to_sym
       if serialized
         puts field
         self[field].each_key { |key|
           key = key.to_sym
-          self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
         }
       else
         if self[field]
-          self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
         else
           value = self.send("#{field}")
           return unless value
-          value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
+          value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false, attributes: sanitize_allowed_attributes)
           self.send("#{field}=", value)
         end
       end
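Review bot: passing both scrubber: and attributes: to sanitize may not achieve what the hunk intends. In rails-html-sanitizer's WhiteListSanitizer the scrubber: branch takes precedence and the tags:/attributes: options are ignored, so a fresh Rails::Html::PermitScrubber.new with no attributes set would still strip data-macro; if sanitizer is that class, configure the scrubber instead, e.g. `scrubber = Rails::Html::PermitScrubber.new` followed by `scrubber.attributes = sanitize_allowed_attributes`, and add a test asserting that `<div data-macro="x">` keeps its attribute after sanitize_field. The same option list is now repeated in three calls; a private helper that builds the scrubber once and runs the sanitizer would keep them in sync. Also, `puts field` in the serialized branch looks like leftover debugging output and should go.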



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/7816909c0de56e6558d0e450189aa29d4b3a4f6f...568d29ce8251d3ffd3443c8e632fb7c75ceeaf06