From 1d06a6c0257ccb28a52b65e953ef489d859d78bf Mon Sep 17 00:00:00 2001
From: Jason Garber
Date: Thu, 3 Jul 2008 15:40:19 -0400
Subject: [PATCH] Ensure filter_html filters block HTML.

---
 ext/redcloth_scan/redcloth_scan.rl | 10 +++++-----
 lib/formatters/html.rb | 6 ++++++
 test/filter_html.yml | 12 ++++++++++++
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/ext/redcloth_scan/redcloth_scan.rl b/ext/redcloth_scan/redcloth_scan.rl
index 2b53d905..a1e8359e 100644
--- a/ext/redcloth_scan/redcloth_scan.rl
+++ b/ext/redcloth_scan/redcloth_scan.rl
@@ -52,12 +52,12 @@ int SYM_escape_preformatted;
   aligned_image = ( "["? "!" (IMG_A_LEFT | IMG_A_RIGHT) ) >A @{ p = reg - 1; } ;
 
   # html blocks
-  BlockTagName = Name* - ("pre" | "notextile" | "a" | "applet" | "basefont" | "bdo" | "br" | "font" | "iframe" | "img" | "map" | "object" | "param" | "q" | "script" | "span" | "sub" | "sup" | "abbr" | "acronym" | "cite" | "code" | "del" | "dfn" | "em" | "ins" | "kbd" | "samp" | "strong" | "var" | "b" | "big" | "i" | "s" | "small" | "strike" | "tt" | "u");
+  BlockTagName = Name - ("pre" | "notextile" | "a" | "applet" | "basefont" | "bdo" | "br" | "font" | "iframe" | "img" | "map" | "object" | "param" | "q" | "script" | "span" | "sub" | "sup" | "abbr" | "acronym" | "cite" | "code" | "del" | "dfn" | "em" | "ins" | "kbd" | "samp" | "strong" | "var" | "b" | "big" | "i" | "s" | "small" | "strike" | "tt" | "u");
   block_start_tag = "<" BlockTagName space+ AttrSet* (AttrEnd)? ">" | "<" BlockTagName ">";
   block_empty_tag = "<" BlockTagName space+ AttrSet* (AttrEnd)? "/>" | "<" BlockTagName "/>" ;
   block_end_tag = "" ;
-  html_start = indent (block_start_tag | block_empty_tag) indent ;
-  html_end = indent block_end_tag indent CRLF? ;
+  html_start = indent >B %{STORE_B(indent_before_start)} (block_start_tag | block_empty_tag) >B %{STORE_B(start_tag)} indent >B %{STORE_B(indent_after_start)} ;
+  html_end = indent >B %{STORE_B(indent_before_end)} block_end_tag >B %{STORE_B(end_tag)} (indent CRLF?) >B %{STORE_B(indent_after_end)} ;
   standalone_html = indent (block_start_tag | block_empty_tag | block_end_tag) indent CRLF+;
 
   # tables
@@ -152,7 +152,7 @@ int SYM_escape_preformatted;
   *|;
 
   html := |*
-    html_end { ADD_BLOCK(); CAT(html); fgoto main; };
+    html_end { ADD_BLOCK(); fgoto main; };
     default => cat;
   *|;
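Review bot: The five STORE_B captures added to html_start and html_end carry no comment saying who consumes them, and the field names only reappear in lib/formatters/html.rb, so a reader of the grammar alone cannot tell why the whitespace on each side of a tag is stored separately from the tag itself; a comment above html_start such as `# Split a block tag into indent/tag/indent pieces; html_block in lib/formatters/html.rb reassembles them and passes the tags through inline_html` would tie the two sides together. The rewritten html_end folds the optional CRLF into indent_after_end, so the closing tag's line ending now appears to reach the output via the formatter rather than the scanner, which is consistent with the html_end action in the -152 hunk no longer calling CAT(html) — worth stating in the same comment. The enclosing machine definition starts and ends outside both hunks.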
@@ -282,7 +282,7 @@ int SYM_escape_preformatted;
     pre_tag_start { ASET(type, notextile); CAT(block); fgoto pre_tag; };
     pre_block_start { fgoto pre_block; };
     standalone_html { ASET(type, html); CAT(block); ADD_BLOCK(); };
-    html_start { ASET(type, ignore); CAT(html); fgoto html; };
+    html_start { ASET(type, html_block); fgoto html; };
     bc_start { INLINE(html, bc_open); ASET(type, code); plain_block = rb_str_new2("code"); fgoto bc; };
     bq_start { INLINE(html, bq_open); ASET(type, p); fgoto bq; };
     block_start { fgoto block; };
diff --git a/lib/formatters/html.rb b/lib/formatters/html.rb
index 03fb70a3..f6aba9d1 100644
--- a/lib/formatters/html.rb
+++ b/lib/formatters/html.rb
@@ -244,6 +244,12 @@ def html(opts)
     "#{opts[:text]}\n"
   end
 
+  def html_block(opts)
+    inline_html(:text => "#{opts[:indent_before_start]}#{opts[:start_tag]}#{opts[:indent_after_start]}") +
+    "#{opts[:text]}" +
+    inline_html(:text => "#{opts[:indent_before_end]}#{opts[:end_tag]}#{opts[:indent_after_end]}")
+  end
+
   def notextile(opts)
     if filter_html
       html_esc(opts[:text], :html_escape_preformatted)
diff --git a/test/filter_html.yml b/test/filter_html.yml
index f0ce1113..1a170c8f 100644
--- a/test/filter_html.yml
+++ b/test/filter_html.yml
@@ -98,6 +98,18 @@ filtered_html: |-
 This should be <em>escaped</em>.
 ---
+name: escapes html
+in: |-
+
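Review bot: Only the paired-tag path is rerouted to the new html_block type; the standalone_html rule on the context line just above still does `ASET(type, html)`, and the html formatter visible as context in the lib/formatters/html.rb hunk (`"#{opts[:text]}\n"`) does not consult filter_html the way notextile below it does. Unless escaping for type html happens in the scanner before the formatter runs (not visible in this patch), a lone block start tag or self-closing tag on its own line would still reach the output unchanged with filter_html on, which is the case the commit title says it closes. A third filter_html.yml case with a standalone tag next to the two new ones would settle it either way. The main scanner definition starts and ends outside the hunk.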
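Review bot: html_block emits opts[:text] directly while only the start and end tags go through inline_html, and nothing records why that is acceptable under filter_html; a comment above the method such as `# Tags pass through inline_html so filter_html applies to them; the body is assumed to arrive already inline-formatted by the scanner` would pin that assumption, which this patch implies (the "escapes html in html" test expects the inner tag escaped) but does not show. The `"#{opts[:text]}"` interpolation looks redundant but turns a nil body into "" so the `+` chain does not raise — a short comment would keep it from being simplified away, and the same nil-guard is what the indent captures in the two inline_html calls rely on. A brief note that the three strings are concatenated with trailing `+` continuations would also help, since a leading `+` on the continuation lines would silently change the parse.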
This should be escaped
+filtered_html: |-
+ <div>This should be escaped</div>
+---
+name: escapes html in html
+in: |-
+
This should be bold
+filtered_html: |-
+ <div>This should be <b>bold</b></div>
+---
 in: Here's a bad image
 filtered_html:

Here’s a bad image <img src="JaVaScRiPt:alert('XSS');">

---