Fork of halorgium/mephisto
Description: A mirror of the mephisto code-base
Homepage: http://mephistoblog.com/
Clone URL: git://github.com/technoweenie/mephisto.git
fix bug where textile content was double encoded in atom feeds. sanitize 
atom feed content also

git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@1969 
567b1171-46fb-0310-a4c9-b4bef9110e78
technoweenie (author)
Fri Sep 01 00:42:11 -0700 2006
commit  3c92159f8b1e8c436de48ec605384ab65bc79d14
tree    f5b9ef1fb2b58506af99db586db15574c50e1bb5
parent  c5e8a3ae2f4452ba0ba275ab8bf2028e63322723
...
1
2
 
 
 
 
 
 
3
4
5
...
1
2
3
4
5
6
7
8
9
10
11
0
@@ -1,5 +1,11 @@
0
 * SVN *
0
 
0
+* Fix bug where atom feed content from textile was double encoded
0
+
0
+* sanitize atom feed content
0
+
0
+* 0.6 *
0
+
0
 * Change conversion scripts to use Mephisto.convert_from instead:
0
 
0
   Mephisto.convert_from :typo
...
1
 
 
 
 
 
 
 
2
...
1
2
3
4
5
6
7
8
9
0
@@ -1,2 +1,9 @@
0
 module FeedHelper
0
+ def sanitize_content(html)
0
+ returning h(sanitize(html)) do |html|
0
+ html.gsub! /&(#\d+);/ do |s|
0
+ "&#{$1};"
0
+ end
0
+ end
0
+ end
0
 end
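Review bot: The restore step in `sanitize_content` rewrites every decimal character reference, including those that encode markup characters such as `<`, `>` and `&`, so text the author wrote as escaped reaches feed readers one escaping level lower than `sanitize` saw it. As displayed, the pattern `/&(#\d+);/` and its replacement produce the same string, so the page has presumably decoded an `&amp;` in the pattern. Assuming that, I would restore only non-ASCII code points, e.g. `html.gsub!(/&amp;#(\d+);/) { $1.to_i > 127 ? "&##{$1};" : $& }`. The block parameter `html` also shadows the method argument and `|s|` is unused. A one-line comment stating the order (sanitize, escape, then restore references) would help the next reader.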
...
10
11
12
13
14
 
 
 
 
 
 
15
16
...
10
11
12
 
 
13
14
15
16
17
18
19
20
0
@@ -10,6 +10,10 @@ xm.entry do
0
   end
0
   xm.link "rel" => "alternate", "type" => "text/html", "href" => article_url(article.hash_for_permalink)
0
   xm.title strip_tags(article.title)
0
- xm.summary article.excerpt_html, 'type' => 'html' unless article.excerpt_html.blank?
0
- xm.content article.body_html, 'type' => 'html' unless article.body_html.blank?
0
+ unless article.excerpt_html.blank?
0
+ xm << %{<summary type="html">#{sanitize_content article.excerpt_html}</summary>}
0
+ end
0
+ unless article.body_html.blank?
0
+ xm << %{<content type="html">#{sanitize_content article.body_html}</content>}
0
+ end
0
 end
0
\ No newline at end of file
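Review bot: `xm <<` writes its argument into the feed without Builder's escaping, so the well-formedness of `<summary>` and `<content>` now rests entirely on `sanitize_content` returning fully XML-escaped text, and nothing at the call site says so. I would add a comment above the two `unless` blocks such as `# xm << emits raw XML; sanitize_content must return escaped text`. Because that helper restores numeric character references after escaping, a reference to a code point that XML 1.0 does not allow would presumably make the whole feed unparseable, which is worth a test. The enclosing `xm.entry do` block starts outside the hunk.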
...
12
13
14
15
16
 
 
17
18
19
...
40
41
42
43
44
 
 
45
46
47
...
12
13
14
 
 
15
16
17
18
19
...
40
41
42
 
 
43
44
45
46
47
0
@@ -12,8 +12,8 @@ welcome:
0
   permalink: welcome-to-mephisto
0
   excerpt: welcome summary
0
   excerpt_html: welcome summary
0
- body: welcome description
0
- body_html: welcome description
0
+ body: "quentin's \"welcome\" *description* <script>hi</script><a onclick=\"foo\" href=\"#\">linkage</a>"
0
+ body_html: "<p>quentin&#8217;s &#8220;welcome&#8221; <strong>description</strong> <script>hi</script><a onclick=\"foo\" href=\"#\">linkage</a></p>"
0
   created_at: <%= 5.days.ago.to_s(:db) %>
0
   updated_at: <%= 5.days.ago.to_s(:db) %>
0
   published_at: <%= 3.days.ago.to_s(:db) %>
0
@@ -40,8 +40,8 @@ welcome_comment:
0
   id: 3
0
   site_id: 1
0
   article_id: 1
0
- body: This blogging tool rocks.
0
- body_html: This blogging tool rocks.
0
+ body: "rico's evil <script>hi</script> and <a onclick=\"foo\" href=\"#\">linkage</a>"
0
+ body_html: "<p>rico&#8217;s evil <script>hi</script> and <a onclick=\"foo\" href=\"#\">linkage</a></p>"
0
   created_at: <%= 3.days.ago.to_s(:db) %>
0
   updated_at: <%= 3.days.ago.to_s(:db) %>
0
   published_at: <%= (3.days + 55.minutes).ago.to_s(:db) %>
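Review bot: The new markup in `welcome_comment` (`body` and `body_html`) is not asserted by any spec visible in this commit, which only inspects `//entry/content` of the article feed. If comments are rendered through a feed or view elsewhere, a matching assertion would keep this fixture from being dead data. Either way, a YAML comment above both changed records, e.g. `# hostile markup on purpose: exercised by the feed sanitization specs`, would tell the next reader why script and `onclick` content is in the fixtures.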
...
13
14
15
16
17
18
19
20
 
21
22
23
...
25
26
27
 
28
29
30
...
32
33
34
 
35
36
37
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
38
...
13
14
15
 
16
17
18
19
20
21
22
23
...
25
26
27
28
29
30
31
...
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
0
@@ -13,11 +13,11 @@ class FeedControllerTest < Test::Unit::TestCase
0
     @response = ActionController::TestResponse.new
0
   end
0
 
0
- # Replace this with your real tests.
0
   def test_feed_assigns
0
     get :feed, :sections => ['about']
0
     assert_equal sections(:about), assigns(:section)
0
     assert_equal [contents(:welcome), contents(:about), contents(:site_map)], assigns(:articles)
0
+ assert_atom_entries_size 3
0
   end
0
   
0
   def test_feed_comes_from_site
0
@@ -25,6 +25,7 @@ class FeedControllerTest < Test::Unit::TestCase
0
     get :feed, :sections => ['about']
0
     assert_equal sections(:cupcake_about), assigns(:section)
0
     assert_equal [contents(:cupcake_welcome)], assigns(:articles)
0
+ assert_atom_entries_size 1
0
   end
0
   
0
   def test_site_in_feed_links
0
@@ -32,6 +33,36 @@ class FeedControllerTest < Test::Unit::TestCase
0
     get :feed, :sections => []
0
     assert_models_equal [sections(:cupcake_home)], [assigns(:section)]
0
     assert_models_equal [contents(:cupcake_welcome)], assigns(:articles)
0
+ assert_atom_entries_size 1
0
     assert_tag 'link', :attributes => {:href => 'http://cupcake.com/'}
0
   end
0
 end
0
+
0
+context "Home Section Feed" do
0
+ fixtures :contents, :sections, :assigned_sections, :sites
0
+ def setup
0
+ @controller = FeedController.new
0
+ @request = ActionController::TestRequest.new
0
+ @response = ActionController::TestResponse.new
0
+ get :feed, :sections => []
0
+ @contents = get_xpath '//entry/content'
0
+ end
0
+
0
+ specify "should show titles" do
0
+ assert_xpath '/feed/entry[title="Welcome to Mephisto"]'
0
+ assert_xpath '/feed/entry[title="Another Welcome to Mephisto"]'
0
+ end
0
+
0
+ specify "should not double escape html" do
0
+ text = @contents.first.get_text.to_s
0
+ assert text.starts_with("&lt;p&gt;quentin&#8217;s &#8220;welcome&#8221;"), "'#{text.inspect}' was double escaped"
0
+ end
0
+
0
+ specify "should sanitize content" do
0
+ text = @contents.first.get_text.to_s
0
+ evil = "<script>hi</script><a onclick=\"foo\" href=\"#\">linkage</a></p>"
0
+ good = "&lt;script>hi&lt;/script><a href='#'>linkage</a></p>"
0
+ assert !text.ends_with(CGI::escapeHTML(evil)), "'#{text.inspect}' was not sanitized"
0
+ assert text.ends_with(CGI::escapeHTML(good)), "'#{text.inspect}' was not sanitized"
0
+ end
0
+end
0
\ No newline at end of file
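Review bot: The "should sanitize content" spec looks only at `@contents.first`, i.e. `//entry/content`, so the `<summary>` path that the same commit routes through `sanitize_content` is never asserted, and the `welcome` fixture's `excerpt_html` stays plain text. I would put markup in that fixture field and add a parallel spec built on `get_xpath '//entry/summary'`. The negative assertion `assert !text.ends_with(CGI::escapeHTML(evil))` passes for almost any output, so the real check is the `good` comparison. That comparison pins the sanitizer's exact attribute quoting (`href='#'`) and will fail on a harmless formatting change; asserting the absence of `onclick` and of an unescaped `script` tag would be more stable.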
...
102
103
104
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
105
106
107
...
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
0
@@ -102,6 +102,27 @@ class Test::Unit::TestCase
0
     assert File.file?(file), message
0
   end
0
 
0
+ def get_xpath(xpath)
0
+ if @rexml.nil?
0
+ @rexml = REXML::Document.new(@response.body)
0
+ assert @rexml
0
+ end
0
+
0
+ REXML::XPath.match(@rexml, xpath)
0
+ end
0
+
0
+ def assert_xpath(xpath, msg=nil)
0
+ assert !(get_xpath(xpath).empty?), "XPath '#{xpath}' was not matched: #{msg}"
0
+ end
0
+
0
+ def assert_not_xpath(xpath, msg=nil)
0
+ assert get_xpath(xpath).empty?, "XPath '#{xpath}' was matched: #{msg}"
0
+ end
0
+
0
+ def assert_atom_entries_size(entries)
0
+ assert_equal 1, get_xpath(%{/feed[@xmlns="http://www.w3.org/2005/Atom" and count(child::entry)=#{entries}]}).size, "Atom 1.0 feed has wrong number of feed/entry nodes"
0
+ end
0
+
0
   # Sets the current user in the session from the user fixtures.
0
   def login_as(user)
0
     @request.session[:user] = user ? users(user).id : nil
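Review bot: `get_xpath` memoizes the parsed document in `@rexml` and never resets it, so a test that issues a second request will run its XPath assertions against the first response. Parsing on each call avoids that: `REXML::XPath.match(REXML::Document.new(@response.body), xpath)`. The `assert @rexml` line cannot fail, since `REXML::Document.new` either returns an object or raises. The enclosing `Test::Unit::TestCase` reopening starts outside the hunk and `login_as` continues past it.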
