@@ -1,13 +1,12 @@ class CommentDrop < BaseDrop include Mephisto::Liquid::UrlMethods - include WhiteListHelper timezone_dates :published_at, :created_at liquid_attributes.push(*[:author, :author_email, :author_ip, :title]) def initialize(source) super - @liquid.update 'is_approved' => @source.approved?, 'body' => white_list(@source.body_html) + @liquid.update 'is_approved' => @source.approved?, 'body' => ActionView::Base.white_list_sanitizer.sanitize(@source.body_html) end def author_url @@ -37,4 +36,4 @@ class CommentDrop < BaseDrop "by-user" end end -end \ No newline at end of file +end app/drops/comment_drop.rb @@ -75,9 +75,8 @@ module ApplicationHelper ['Expire 3 months after publishing', 90]] end - def sanitize_feed_content(html, sanitize_tables = false) - options = sanitize_tables ? {} : {:tags => %w(table thead tfoot tbody td tr th)} - returning h(white_list(html.strip, options)) do |html| + def sanitize_feed_content(html) + returning h(sanitize(html.strip)) do |html| html.gsub! /&amp;(#\d+);/ do |s| "&#{$1};" end app/helpers/application_helper.rb @@ -11,5 +11,5 @@ xm.entry 'xml:base' => home_url do xm.link "rel" => "alternate", "type" => "text/html", "href" => "http://#{request.host_with_port}#{relative_url_root}#{section_url_for article}" xm.title "Comment on '#{strip_tags(article.title)}' by #{comment.author}" - xm << %{<content type="html">#{sanitize_feed_content comment.body_html, true}</content>} + xm << %{<content type="html">#{sanitize_feed_content comment.body_html}</content>} end \ No newline at end of file app/views/feed/_comment.rxml @@ -10,5 +10,5 @@ xm.entry 'xml:base' => home_url do end xm.link "rel" => "alternate", "type" => "text/html", "href" => "http://#{request.host_with_port}#{site.permalink_for(article)}" xm.title "Comment on '#{strip_tags(article.title)}' by #{comment.author}" - xm << %{<content type="html">#{sanitize_feed_content comment.body_html, true}</content>} + xm << %{<content type="html">#{sanitize_feed_content comment.body_html}</content>} end \ No newline at end of file app/views/mephisto/_comment.rxml @@ -63,6 +63,9 @@ Rails::Initializer.run do |config| config.active_record.observers = [:article_observer, :comment_observer] end + # Allow table tags in untrusted HTML. + config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' + # We're slowly moving the contents of vendor and vender/plugins into # vendor/gems by adding config.gem declarations. config.gem 'RedCloth', :version => '3.0.4', :lib => 'redcloth' config/environment.rb @@ -4,8 +4,6 @@ end Liquid::For.send :include, Mephisto::Liquid::ForWithSorting -WhiteListHelper.tags.merge %w(table tr td) - class MissingTemplateError < StandardError attr_reader :template_type, :templates def initialize(template_type, templates) config/initializers/templating.rb @@ -14,7 +14,7 @@ end class ApplicationHelperTest < Test::Unit::TestCase fixtures :assets, :users - include ActionView::Helpers::TagHelper, ApplicationHelper, WhiteListHelper + include ActionView::Helpers::TagHelper, ApplicationHelper def request @request ||= ApplicationHelperTestController.new test/functional/application_helper_test.rb vendor/plugins/white_list/README vendor/plugins/white_list/Rakefile vendor/plugins/white_list/init.rb vendor/plugins/white_list/lib/white_list_helper.rb vendor/plugins/white_list/test/white_list_test.rb 31430c44ac1d26cd3b4dbb26a7374dd6164e2b47 Eric Kidd git@randomhacks.net http://github.com/emk/mephisto/commit/d2c8c8e3aee4c222c645f0b7b493799ffd826bc3 d2c8c8e3aee4c222c645f0b7b493799ffd826bc3 2008-12-12T05:24:57-08:00 2008-12-12T05:24:57-08:00 Security: Replace white_list with Rails 2.2 sanitizer The Rails 2.2 santizer is an enhanced version of Rick's original white_list plugin, so let's upgrade and get the latest fixes. Note that Mephisto had separate rules for sanitizing comments and non-comments in Atom feeds. This difference was introduced in commit 88df87e3a1cb8474fa479d855035ab4d2ca2351e. Unfortunately, I'm not able to track down any information on the problem being fixed here. Since we already add half of the tags in question to the whitelist, I've decided to just treat all sanitized Atom feed content the same. Please let me know if this breaks anything. d442e5291b0aec71e6ecde67222ee49e59c38df1 Eric Kidd git@randomhacks.net