[Git][noosfero/noosfero][master] 2 commits: sanitize_link: use tags/attributes instead of scrubbs

Rodrigo Souto gitlab at mg.gitlab.com
Fri Oct 28 16:08:38 BRST 2016


Rodrigo Souto pushed to branch master at Noosfero / noosfero


Commits:
38e11dd0 by Rodrigo Souto at 2016-10-27T16:36:47-03:00
sanitize_link: use tags/attributes instead of scrubbs

- - - - -
e7204f47 by Rodrigo Souto at 2016-10-28T18:08:04+00:00
Merge branch 'sanitize-link' into 'master'

sanitize_link: use tags/attributes instead of scrubbs

See merge request !1037
- - - - -


2 changed files:

- app/helpers/sanitize_helper.rb
- + test/unit/sanitize_helper_test.rb


Changes:

=====================================
app/helpers/sanitize_helper.rb
=====================================
--- a/app/helpers/sanitize_helper.rb
+++ b/app/helpers/sanitize_helper.rb
@@ -5,11 +5,19 @@ module SanitizeHelper
   end
 
   def sanitize_link(text)
-      sanitizer(:white_list).sanitize(text, scrubber:permit_scrubber)
+      sanitizer(:white_list).sanitize(text, tags: allowed_tags, attributes: allowed_attributes)
   end
 
 protected
 
+  def allowed_tags
+    Rails.application.config.action_view.sanitized_allowed_tags
+  end
+
+  def allowed_attributes
+    Rails.application.config.action_view.sanitized_allowed_attributes
+  end
+
   def permit_scrubber
       scrubber = Rails::Html::PermitScrubber.new
       scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
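
Review bot: `permit_scrubber` is left in place below the new helpers, but its only visible caller, `sanitize_link`, no longer uses it, so it now duplicates the `sanitized_allowed_tags` lookup that `allowed_tags` performs. Either remove it in this commit or note which other callers still need it. The changed line in `sanitize_link` also keeps the six-space indent of the line it replaces, while the new methods use the file's two-space style. The commit message should say what went wrong with the `scrubber:` option, so the reason for switching to `tags:`/`attributes:` is on record next to the allowlist code.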


=====================================
test/unit/sanitize_helper_test.rb
=====================================
--- /dev/null
+++ b/test/unit/sanitize_helper_test.rb
@@ -0,0 +1,10 @@
+require_relative "../test_helper"
+
+class SanitizeHelperTest < ActionView::TestCase
+
+  should 'permit white_list attributes on links' do
+    allowed_attributes.each do |attribute|
+      assert_match /#{attribute}/, sanitize_link("<a #{attribute.to_sym}='value' />")
+    end
+  end
+end
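
Review bot: the test in `sanitize_helper_test.rb` only covers the permit side: it checks that each allowed attribute name appears in the output, and never asserts that anything is removed. For a sanitizer the stripping behaviour is the part that matters, so add a case where an attribute outside `allowed_attributes` (an event handler such as `onclick`, for example) and a tag outside the allowed list are passed through `sanitize_link` and asserted absent from the result. The positive assertion is also loose: `/#{attribute}/` interpolates the name unescaped and matches it anywhere in the output, so matching the attribute together with its value, with the name passed through `Regexp.escape`, would show that the attribute itself survived. The `.to_sym` inside the interpolated string has no effect and can be dropped.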



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/9e05ff8348d46ce67673bd06614dcc779acacecf...e7204f479362c2ebebedc493787bda8826ff5b9a