[Git][noosfero/noosfero][stable-1.6] 2 commits: Merge branch 'sanitize-link' into 'master'

Rodrigo Souto gitlab at mg.gitlab.com
Fri Oct 28 16:51:46 BRST 2016


Rodrigo Souto pushed to branch stable-1.6 at Noosfero / noosfero


Commits:
d38d234e by Rodrigo Souto at 2016-10-28T18:30:55+00:00
Merge branch 'sanitize-link' into 'master'

sanitize_link: use tags/attributes instead of scrubbers

See merge request !1037
- - - - -
6beaf0d6 by Rodrigo Souto at 2016-10-28T18:51:35+00:00
Merge branch 'cherry-pick-e7204f47' into 'stable-1.6'

Merge branch 'sanitize-link' into 'master'

sanitize_link: use tags/attributes instead of scrubbers

See merge request !1037

See merge request !1039
- - - - -


2 changed files:

- app/helpers/sanitize_helper.rb
- + test/unit/sanitize_helper_test.rb


Changes:

=====================================
app/helpers/sanitize_helper.rb
=====================================
--- a/app/helpers/sanitize_helper.rb
+++ b/app/helpers/sanitize_helper.rb
@@ -5,11 +5,19 @@ module SanitizeHelper
   end
 
   def sanitize_link(text)
-      sanitizer(:white_list).sanitize(text, scrubber:permit_scrubber)
+      sanitizer(:white_list).sanitize(text, tags: allowed_tags, attributes: allowed_attributes)
   end
 
 protected
 
+  def allowed_tags
+    Rails.application.config.action_view.sanitized_allowed_tags
+  end
+
+  def allowed_attributes
+    Rails.application.config.action_view.sanitized_allowed_attributes
+  end
+
   def permit_scrubber
       scrubber = Rails::Html::PermitScrubber.new
       scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags
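Review bot: `permit_scrubber` becomes dead code in this hunk: `sanitize_link` no longer passes `scrubber: permit_scrubber`, yet the definition (`def permit_scrubber` ... `scrubber.tags = Rails.application.config.action_view.sanitized_allowed_tags`) still sits directly below the new `allowed_tags`/`allowed_attributes` helpers, reading the same config a second way. Either remove it in the same change or leave a comment naming what still calls it, so the two routes to the allowed lists cannot drift apart. A doc comment on `sanitize_link` would also help: despite the name, the helper now permits the application-wide `sanitized_allowed_tags` and `sanitized_allowed_attributes` lists rather than a link-specific set, so any tag or attribute later added to the global configuration is automatically accepted here as well.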


=====================================
test/unit/sanitize_helper_test.rb
=====================================
--- /dev/null
+++ b/test/unit/sanitize_helper_test.rb
@@ -0,0 +1,10 @@
+require_relative "../test_helper"
+
+class SanitizeHelperTest < ActionView::TestCase
+
+  should 'permit white_list attributes on links' do
+    allowed_attributes.each do |attribute|
+      assert_match /#{attribute}/, sanitize_link("<a #{attribute.to_sym}='value' />")
+    end
+  end
+end
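Review bot: the test only exercises the permissive direction; nothing asserts that a tag or attribute outside the allowed list is actually stripped, which is the property a sanitizer test exists to protect. Add at least one negative case next to the loop, e.g. `assert_no_match /onclick/, sanitize_link("<a href='x' onclick='x'>x</a>")` using an attribute you have confirmed is not in `allowed_attributes`, and given that the helper is named `sanitize_link`, a case that checks the `href` value rather than only the attribute name. The positive loop is also loose: `/#{attribute}/` matches the attribute name as a bare substring anywhere in the output, and `attribute.to_sym` inside the interpolation is a no-op (`"#{attribute}"` produces the same text), so `assert_match /#{attribute}='value'/` or an exact comparison of the returned string would say more. Finally, `<a ... />` is not valid HTML for an anchor; use `<a ...></a>` so the assertion does not depend on how the parser recovers from the self-closing tag.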



View it on GitLab: https://gitlab.com/noosfero/noosfero/compare/5f8cdba9fd83a634ce9d591fd37c57aaff87d23f...6beaf0d6059d48fe09043a202fa7c6eb5ddb32cc

