@@ -158,7 +158,9 @@ module ApplicationHelper end def white_list_with_removal(html) - white_list(html) { |node, bad| node.to_s.gsub(/<script.+?<\/script>/mi, '').gsub(/<style.+?<\/style>/mi, '').gsub(/<[^>]+>/, '').gsub(/</, '&lt;') } + html.gsub!(/<script.+?<\/script>/mi, '') + html.gsub!(/<style.+?<\/style>/mi, '') + white_list(html) { |node, bad| node.to_s.gsub(/<[^>]+>/, '').gsub(/</, '&lt;') } end def domain_name_from_url(url) app/helpers/application_helper.rb @@ -2,9 +2,19 @@ require File.dirname(__FILE__) + '/../../test_helper' class ApplicationHelperTest < ActionView::TestCase + include WhiteListHelper + context 'Whitelist' do should 'remove style tags and their content' do - assert_equal('beforeafter', white_list_with_removal('before<style type="text/css">body { font-size: 12pt; }</style>after')) + assert_equal('before after', white_list_with_removal('before <style type="text/css">body { font-size: 12pt; }</style>after')) + end + + should 'remove script tags and their content' do + assert_equal('before after', white_list_with_removal('before <script type="text/javascript">alert("hi")</script>after')) + end + + should 'remove other illegal tags' do + assert_equal('before and after', white_list_with_removal('before <bad>and</bad> after')) end end test/unit/helpers/application_helper_test.rb c23daf4200eb51f35fdbcb80de0d6dfebbff6313 Tim Morgan tim@timmorgan.org http://github.com/seven1m/onebody/commit/1d488d7eb88d0a60721f1c4315b490efd328e53e 1d488d7eb88d0a60721f1c4315b490efd328e53e 2009-10-24T07:00:14-07:00 2009-10-24T07:00:14-07:00 Ensure removal of content within script and style tags. 4ee4c1d075453de088ae84241342648b8feb0588 Tim Morgan tim@timmorgan.org