noosfero | Always sanitize HTML in header and footer
Antonio Terceiro
gitlab at gitlab.com
Wed Jan 28 16:47:49 BRST 2015
Antonio Terceiro pushed to refs/heads/master at <a href="https://gitlab.com/noosfero/noosfero">Noosfero / noosfero</a>
Commits:
<a href="https://gitlab.com/noosfero/noosfero/commit/7441ba6c92304870c6110814fd588718d6e7bde3">7441ba6c</a> by Antonio Terceiro
Always sanitize HTML in header and footer
- - - - -
Changes:
=====================================
app/models/profile.rb
=====================================
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -392,7 +392,7 @@ class Profile < ActiveRecord::Base
end
xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ], :on => 'validation'
- xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list', :on => 'validation'
+ xss_terminate :only => [ :custom_footer, :custom_header ], :with => 'white_list'
include WhiteListFilter
filter_iframes :custom_header, :custom_footer
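Review bot: The `xss_terminate` declaration on the line above the changed pair still carries `:on => 'validation'`, so `name`, `nickname`, `address`, `contact_phone` and `description` are presumably sanitized only when validations run, while header and footer are now sanitized on every save; a write path that skips validations (`save(:validate => false)`, `update_column`) would store those five attributes raw. If the same always-sanitize guarantee is intended for them, drop the option there too: `xss_terminate :only => [ :name, :nickname, :address, :contact_phone, :description ]`. Whether the default callback now runs before or after `filter_iframes` on the next line is not visible here and is worth a short comment next to the changed line, e.g. `# no :on => 'validation' here: header/footer must be sanitized on every save, not only when validations run`. The enclosing class `Profile` continues outside the hunk.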
=====================================
test/unit/profile_test.rb
=====================================
--- a/test/unit/profile_test.rb
+++ b/test/unit/profile_test.rb
@@ -840,6 +840,14 @@ class ProfileTest < ActiveSupport::TestCase
assert_equal 'environment footer', profile.custom_footer
end
+ should 'sanitize custom header and footer' do
+ p = fast_create(Profile)
+ script_kiddie_code = '<script>alert("look mom, I am a hacker!")</script>'
+ p.update_header_and_footer(script_kiddie_code, script_kiddie_code)
+ assert_no_tag_in_string p.custom_header, tag: 'script'
+ assert_no_tag_in_string p.custom_footer, tag: 'script'
+ end
+
should 'store theme' do
p = build(Profile, :theme => 'my-shiny-theme')
assert_equal 'my-shiny-theme', p.theme
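Review bot: The new `should 'sanitize custom header and footer'` test only proves that a bare `<script>` element is dropped; a white-list sanitizer more commonly fails on an allowed tag carrying an event-handler or `javascript:` attribute, which `assert_no_tag_in_string ... tag: 'script'` would never detect. Add a second payload such as `evil = '<img src="x" onerror="alert(1)"><a href="javascript:alert(1)">x</a>'` and assert `assert_no_match /onerror|javascript:/i, p.custom_header` (and the same for `p.custom_footer`). The assertions also read the in-memory attributes; if `update_header_and_footer` persists the record, checking `p.reload.custom_header` would additionally prove the stored value is clean.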
@@ -1555,8 +1563,6 @@ class ProfileTest < ActiveSupport::TestCase
profile.address = "<h1><</h2< Malformed >> html >< tag"
profile.contact_phone = "<h1<< Malformed ><>>> html >< tag"
profile.description = "<h1<a> Malformed >> html ></a>< tag"
- profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
- profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
profile.valid?
assert_no_match /[<>]/, profile.name
@@ -1568,6 +1574,16 @@ class ProfileTest < ActiveSupport::TestCase
assert_no_match /[<>]/, profile.custom_footer
end
+ should 'escape malformed html tags in header and footer' do
+ profile = fast_create(Profile)
+ profile.custom_header = "<h1<a>><<> Malformed >> html ></a>< tag"
+ profile.custom_footer = "<h1> Malformed <><< html ></a>< tag"
+ profile.save
+
+ assert_no_match /[<>]/, profile.custom_header
+ assert_no_match /[<>]/, profile.custom_footer
+ end
+
should 'not sanitize html comments' do
profile = Profile.new
profile.custom_header = '<p><!-- <asdf> << aasdfa >>> --> <h1> Wellformed html code </h1>'
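Review bot: In the added `should 'escape malformed html tags in header and footer'` test the return value of `profile.save` is discarded, so if the save is rejected the later `assert_no_match` fails for an unrelated reason and the failure reads as a sanitization bug; change that line to `assert profile.save`. The assertions then inspect the in-memory attributes, so they would pass even if a save-time callback rewrote the instance but the value never reached the database; if `fast_create` persists the record, a `profile.reload` before the assertions pins the stored value. The test name says "escape" while the assertion requires the angle brackets to be gone entirely, which matches the sibling test above but could be aligned, e.g. `should 'strip malformed html tags from header and footer'`.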