[Git][noosfero/noosfero][master] 2 commits: avoid sanitizer to encode special chars
Antonio Terceiro
gitlab at mg.gitlab.com
Tue Nov 17 15:54:57 BRST 2015
Antonio Terceiro pushed to branch master at Noosfero / noosfero
Commits:
71a1ced2 by Leandro Nunes dos Santos at 2015-11-17T15:53:03Z
avoid sanitizer to encode special chars
- - - - -
4511d505 by Antonio Terceiro at 2015-11-17T15:53:42Z
Merge branch 'fix-html-sanitizer'
Replaces merge request !729
- - - - -
3 changed files:
- config/initializers/sanitizer.rb
- test/unit/comment_test.rb
- vendor/plugins/xss_terminate/lib/xss_terminate.rb
Changes:
=====================================
config/initializers/sanitizer.rb
=====================================
--- a/config/initializers/sanitizer.rb
+++ b/config/initializers/sanitizer.rb
@@ -12,24 +12,3 @@ Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES.merge %w[
style target codebase archive classid code flashvars scrolling frameborder controls autoplay colspan
]
-# do not escape COMMENT_NODE
-require 'loofah/scrubber'
-module Loofah
- class Scrubber
- private
-
- def html5lib_sanitize node
- case node.type
- when Nokogiri::XML::Node::ELEMENT_NODE
- if HTML5::Scrub.allowed_element? node.name
- HTML5::Scrub.scrub_attributes node
- return Scrubber::CONTINUE
- end
- when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE,Nokogiri::XML::Node::COMMENT_NODE
- return Scrubber::CONTINUE
- end
- Scrubber::STOP
- end
-
- end
-end
=====================================
test/unit/comment_test.rb
=====================================
--- a/test/unit/comment_test.rb
+++ b/test/unit/comment_test.rb
@@ -188,7 +188,8 @@ class CommentTest < ActiveSupport::TestCase
owner = create_user('testuser').person
article = owner.articles.create!(:name => 'test', :body => '...')
javascript = "<script>alert('XSS')</script>"
- comment = create(Comment, :article => article, :name => javascript, :title => javascript, :body => javascript, :email => 'cracker at test.org')
+ comment = Comment.new(:source => article, :name => javascript, :title => javascript, :body => javascript, :email => 'cracker at test.org')
+ comment.valid?
assert_no_match(/<script>/, comment.name)
end
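Review bot: The assertion on the new side still checks only `comment.name`, although `title` and `body` are seeded with the same payload on the `Comment.new` line; extend it with `assert_no_match(/<script>/, comment.title)` and `assert_no_match(/<script>/, comment.body)` so all three sanitized fields are covered. Nothing in the test pins the behaviour named in the commit title, that special characters are no longer entity-encoded, so `encode_special_chars: false` in xss_terminate.rb is unverified; a second case that puts a plain apostrophe or ampersand in `body`, calls `valid?`, and asserts the character is still there literally would do that. Sanitization now appears to be triggered by `comment.valid?` rather than by saving, which I take to mean it runs from a validation callback; if so, a one-line comment above that call saying `# sanitization runs on validation, no save needed` would spare the next reader the same guess. The enclosing test method starts outside the hunk.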
=====================================
vendor/plugins/xss_terminate/lib/xss_terminate.rb
=====================================
--- a/vendor/plugins/xss_terminate/lib/xss_terminate.rb
+++ b/vendor/plugins/xss_terminate/lib/xss_terminate.rb
@@ -44,15 +44,15 @@ module XssTerminate
puts field
self[field].each_key { |key|
key = key.to_sym
- self[field][key] = sanitizer.sanitize(self[field][key])
+ self[field][key] = sanitizer.sanitize(self[field][key], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
}
else
if self[field]
- self[field] = sanitizer.sanitize(self[field])
+ self[field] = sanitizer.sanitize(self[field], scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
else
value = self.send("#{field}")
return unless value
- value = sanitizer.sanitize(value)
+ value = sanitizer.sanitize(value, scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false)
self.send("#{field}=", value)
end
end
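Review bot: The three new calls at the `self[field][key] =`, `self[field] =` and `value =` lines pass `scrubber: Rails::Html::PermitScrubber.new` no matter which sanitizer the caller handed in, and `sanitize_fields_with_full` (the hunk starting at `@@ -69,7 +69,7 @@`) hands in a `Rails::Html::FullSanitizer`. As far as I can tell the full sanitizer ignores the `scrubber:` option and still reduces the value to text, but that should be confirmed with a test on a `:full` column, because if the permit scrubber were applied there, markup would be kept in columns meant to hold plain text. The option hash is also spelled out three times and builds a fresh scrubber per field; hoist it once above the branches, `options = { scrubber: Rails::Html::PermitScrubber.new, encode_special_chars: false }`, and pass `options` in the three `sanitizer.sanitize(...)` calls. The `puts field` on the first context line writes every sanitized field name to stdout on each save and looks like a debugging leftover. The enclosing `sanitize_field` method starts outside the hunk.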
@@ -69,7 +69,7 @@ module XssTerminate
end
def sanitize_fields_with_full
- sanitizer = ActionView::Base.full_sanitizer
+ sanitizer = Rails::Html::FullSanitizer.new
columns, columns_serialized = sanitize_columns(:full)
columns.each do |column|
sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
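Review bot: `sanitizer = Rails::Html::FullSanitizer.new` hard-codes the sanitizer implementation where the replaced `ActionView::Base.full_sanitizer` accessor let Rails resolve it through its sanitizer-vendor setting, so if the application is ever pointed at a different vendor this plugin will, as far as I can tell, silently keep using the Rails::Html one; the same applies to `Rails::Html::WhiteListSanitizer.new` in the next hunk. If bypassing the accessor is deliberate (for instance to guarantee the `scrubber:` option passed by `sanitize_field` reaches a rails-html-sanitizer class), a comment above the assignment such as `# use Rails::Html directly so sanitize_field's scrubber option is honoured` would record that. The method's closing `end` lies outside the hunk.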
@@ -77,7 +77,7 @@ module XssTerminate
end
def sanitize_fields_with_white_list
- sanitizer = ActionView::Base.white_list_sanitizer
+ sanitizer = Rails::Html::WhiteListSanitizer.new
columns, columns_serialized = sanitize_columns(:white_list)
columns.each do |column|
sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/de60625777cb216672291f175548139a93c275a2...4511d5059cc9e0a85b4e2af07b7ebf16bae3712a