Ensure filter_html filters block HTML.

jgarber · Jul 3, 2008 · 1d06a6c · 1d06a6c
1 parent 8e8b400
commit 1d06a6c
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 5 deletions.
diff --git a/ext/redcloth_scan/redcloth_scan.rl b/ext/redcloth_scan/redcloth_scan.rl
@@ -52,12 +52,12 @@ int SYM_escape_preformatted;
   aligned_image = ( "["? "!" (IMG_A_LEFT | IMG_A_RIGHT) ) >A @{ p = reg - 1; } ;
 
   # html blocks
-  BlockTagName = Name* - ("pre" | "notextile" | "a" | "applet" | "basefont" | "bdo" | "br" | "font" | "iframe" | "img" | "map" | "object" | "param" | "q" | "script" | "span" | "sub" | "sup" | "abbr" | "acronym" | "cite" | "code" | "del" | "dfn" | "em" | "ins" | "kbd" | "samp" | "strong" | "var" | "b" | "big" | "i" | "s" | "small" | "strike" | "tt" | "u");
+  BlockTagName = Name - ("pre" | "notextile" | "a" | "applet" | "basefont" | "bdo" | "br" | "font" | "iframe" | "img" | "map" | "object" | "param" | "q" | "script" | "span" | "sub" | "sup" | "abbr" | "acronym" | "cite" | "code" | "del" | "dfn" | "em" | "ins" | "kbd" | "samp" | "strong" | "var" | "b" | "big" | "i" | "s" | "small" | "strike" | "tt" | "u");
   block_start_tag = "<" BlockTagName space+ AttrSet* (AttrEnd)? ">" | "<" BlockTagName ">";
   block_empty_tag = "<" BlockTagName space+ AttrSet* (AttrEnd)? "/>" | "<" BlockTagName "/>" ;
   block_end_tag = "</" BlockTagName space* ">" ;
-  html_start = indent (block_start_tag | block_empty_tag) indent ;
-  html_end = indent block_end_tag indent CRLF? ;
+  html_start = indent >B %{STORE_B(indent_before_start)} (block_start_tag | block_empty_tag) >B %{STORE_B(start_tag)}  indent >B %{STORE_B(indent_after_start)} ;
+  html_end = indent >B %{STORE_B(indent_before_end)} block_end_tag >B %{STORE_B(end_tag)} (indent CRLF?) >B %{STORE_B(indent_after_end)} ;
   standalone_html = indent (block_start_tag | block_empty_tag | block_end_tag) indent CRLF+;
 
   # tables
@@ -152,7 +152,7 @@ int SYM_escape_preformatted;
   *|;
 
   html := |*
-    html_end        { ADD_BLOCK(); CAT(html); fgoto main; };
+    html_end        { ADD_BLOCK(); fgoto main; };
     default => cat;
   *|;
 
@@ -282,7 +282,7 @@ int SYM_escape_preformatted;
     pre_tag_start       { ASET(type, notextile); CAT(block); fgoto pre_tag; };
     pre_block_start { fgoto pre_block; };
     standalone_html { ASET(type, html); CAT(block); ADD_BLOCK(); };
-    html_start      { ASET(type, ignore); CAT(html); fgoto html; };
+    html_start      { ASET(type, html_block); fgoto html; };
     bc_start        { INLINE(html, bc_open); ASET(type, code); plain_block = rb_str_new2("code"); fgoto bc; };
     bq_start        { INLINE(html, bq_open); ASET(type, p); fgoto bq; };
     block_start     { fgoto block; };

diff --git a/lib/formatters/html.rb b/lib/formatters/html.rb
@@ -244,6 +244,12 @@ def html(opts)
     "#{opts[:text]}\n"
   end
 
+  def html_block(opts)
+    inline_html(:text => "#{opts[:indent_before_start]}#{opts[:start_tag]}#{opts[:indent_after_start]}") + 
+    "#{opts[:text]}" +
+    inline_html(:text => "#{opts[:indent_before_end]}#{opts[:end_tag]}#{opts[:indent_after_end]}")
+  end
+
   def notextile(opts)
     if filter_html
       html_esc(opts[:text], :html_escape_preformatted)

diff --git a/test/filter_html.yml b/test/filter_html.yml
@@ -98,6 +98,18 @@ filtered_html: |-
   This should be &lt;em&gt;escaped&lt;/em&gt;.
   </pre>
 ---
+name: escapes html
+in: |-
+  <div>This should be escaped</div>
+filtered_html: |-
+  &lt;div&gt;This should be escaped&lt;/div&gt;
+---
+name: escapes html in html
+in: |-
+  <div>This should be <b>bold</b></div>
+filtered_html: |-
+  &lt;div&gt;This should be &lt;b&gt;bold&lt;/b&gt;&lt;/div&gt;
+---
 in: Here's a bad image <img src="JaVaScRiPt:alert('XSS');">
 filtered_html: <p>Here&#8217;s a bad image &lt;img src="JaVaScRiPt:alert('XSS');"&gt;</p>
 ---