[Git][noosfero/noosfero][master] 3 commits: newsletter: whitelist only text for article in newsletter

Antonio Terceiro gitlab at mg.gitlab.com
Thu Nov 12 11:30:37 BRST 2015 

Antonio Terceiro pushed to branch master at Noosfero / noosfero


Commits:
4075f24d by Larissa Reis at 2015-10-09T12:39:59Z
newsletter: whitelist only text for article in newsletter

  The only image for an article in the newsletter has to be the
  article's image. The lead for the article also can't have any
  paragraph or other crazy stuff.

  Instead of manually using gsub to remove undesired tags, I'm using
  ActionView::Helpers::SanitizeHelper#sanitize and whitelisting only
  tags for emphasis in text.

- - - - -
dcddcdea by Larissa Reis at 2015-10-09T12:39:59Z
newsletter: makes gap between tasks border and newsletter border smaller

- - - - -
ef77a138 by Antonio Terceiro at 2015-11-12T13:30:12Z
Merge branch 'newsletter-article-image' into 'master'

newsletter: remove unwanted tags from lead

Filter out image and other tags from newsletter articles's lead
since the only image for an article in the newsletter has to be the
article's image. The content in the lead can't have any type of
additional formatting in the newsletter's body. 

This also fixes the problem with not sanitizing p tags with any
attributes, like styles commonly added by tinymce.

See merge request !698
- - - - -


3 changed files:

- plugins/newsletter/lib/newsletter_plugin/newsletter.rb
- plugins/newsletter/public/style.css
- plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb


Changes:

=====================================
plugins/newsletter/lib/newsletter_plugin/newsletter.rb
=====================================
--- a/plugins/newsletter/lib/newsletter_plugin/newsletter.rb
+++ b/plugins/newsletter/lib/newsletter_plugin/newsletter.rb
@@ -123,11 +123,11 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord
   end
 
   def post_with_image(post)
-    content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info']))
+    content_tag(:tr,content_tag(:td,tag(:img, :src => "#{self.environment.top_url}#{post.image.public_filename(:big)}", :id => post.id),:style => CSS['post-image'])+content_tag(:td,content_tag(:span, show_date(post.published_at), :style => CSS['post-date'])+content_tag(:h3, link_to(h(post.title), post.url, :style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(190), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url), :style => CSS['post-info']))
   end
 
   def post_without_image(post)
-    content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info']))
+    content_tag(:tr, content_tag(:td,content_tag(:span, show_date(post.published_at),:style => CSS['post-date'], :id => post.id)+content_tag(:h3, link_to(h(post.title), post.url,:style => CSS['post-title']))+content_tag(:p,sanitize(post.lead(360), tags: %w(strong em b i)),:style => CSS['post-lead'])+read_more(post.url),:colspan => 2, :style => CSS['post-info']))
   end
 
   def body(data = {})
@@ -177,10 +177,6 @@ class NewsletterPlugin::Newsletter < Noosfero::Plugin::ActiveRecord
     last_mailing.nil? ? nil : last_mailing.created_at
   end
 
-  def sanitize(html)
-    html.gsub(/<\/?p>/, '')
-  end
-
   def has_posts_in_the_period?
     ! self.posts.empty?
   end


=====================================
plugins/newsletter/public/style.css
=====================================
--- a/plugins/newsletter/public/style.css
+++ b/plugins/newsletter/public/style.css
@@ -14,7 +14,7 @@
 }
 
 #newsletter-moderation-preview {
-  margin-left: 25px;
+  margin-left: 10px;
 }
 
 #newsletter-moderation-preview input[type=checkbox] {


=====================================
plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
=====================================
--- a/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
+++ b/plugins/newsletter/test/unit/newsletter_plugin_newsletter_test.rb
@@ -351,15 +351,30 @@ EOS
     post = fast_create(TextArticle, :parent_id => blog.id,
                 :name => 'the last news 1',
                 :profile_id => community.id,
-                :body => "<p>paragraph of news</p>")
+                :body => '<p style="text-align: left;">paragraph of news</p>')
 
     newsletter = NewsletterPlugin::Newsletter.create!(
       :environment => environment,
       :blog_ids => [blog.id],
       :person => fast_create(Person))
 
-    assert_match /<p>paragraph of news<\/p>/, post.body
-    assert_not_match /<p>paragraph of news<\/p>/, newsletter.body
+    assert_match /<p style="text-align: left;">paragraph of news<\/p>/, post.body
+    assert_not_match /<p style="text-align: left;">paragraph of news<\/p>/, newsletter.body
+  end
+
+  should 'only include text for posts in HTML generated content' do
+    environment = fast_create Environment
+    community = fast_create(Community, :environment_id => environment.id)
+    blog = fast_create(Blog, :profile_id => community.id)
+    post = fast_create(TextArticle, :profile_id => community.id, :parent_id => blog.id, :name => 'the last news', :abstract => 'A picture<img src="example.png"> is <em>worth</em> a thousand words. <hr><h1>The main goals of visualization</h1>')
+    newsletter = NewsletterPlugin::Newsletter.create!(
+      :environment => environment,
+      :blog_ids => [blog.id],
+      :person => fast_create(Person))
+
+    assert_match /A picture<img src="example.png"> is <em>worth<\/em> a thousand words. <hr><h1>The main goals of visualization<\/h1>/, post.abstract
+    # Tags for text emphasis are whitelisted
+    assert_match /A picture is <em>worth<\/em> a thousand words. The main goals of visualization/, newsletter.body
   end
 
   should 'filter posts when listing posts for newsletter' do



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/5641033f3e9ec66a0e09ba992c1704000388f9fa...ef77a1386c4618ef428e8e61c1dfc884fe2cbc30
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listas.softwarelivre.org/pipermail/noosfero-dev/attachments/20151112/8c827c2d/attachment-0001.html>

More information about the Noosfero-dev mailing list