Added configuration for HTML sanitization

a-ono · Aug 14, 2016 · 0a10100 · 0a10100
1 parent 683d311
commit 0a10100
Show file tree

Hide file tree

Showing 4 changed files with 121 additions and 4 deletions.
diff --git a/README.rdoc b/README.rdoc
@@ -73,9 +73,9 @@ To activate the plugin you have to copy the plugin directory into assets/ckedito
 
 You can select third-party skins placed in assets/ckeditor-contrib/skins directory.
 
-=== Configuration options
+=== Configuration
 
-You can configure {CKEditor settings}[http://docs.ckeditor.com/#!/api/CKEDITOR.config] by using the REDMINE_ROOT/config/ckeditor.yml file.
+You can configure {CKEditor settings}[http://docs.ckeditor.com/#!/api/CKEDITOR.config] and HTML sanitizer by using the REDMINE_ROOT/config/ckeditor.yml file.
     cp plugins/redmine_ckeditor/config/ckeditor.yml.example config/ckeditor.yml
 
 == Migration notes

diff --git a/config/ckeditor.yml.example b/config/ckeditor.yml.example
@@ -1,4 +1,112 @@
+# CKEditor configuration
+
 allowedContent: true
 bodyClass: "wiki"
 removePlugins: "div,flash,forms,iframe"
 forcePasteAsPlainText: false
+
+# HTML sanitizer configuration
+
+allowedProtocols:
+  - afs
+  - aim
+  - callto
+  - ed2k
+  - feed
+  - ftp
+  - gopher
+  - http
+  - https
+  - irc
+  - mailto
+  - news
+  - nntp
+  - rsync
+  - rtsp
+  - sftp
+  - ssh
+  - tag
+  - telnet
+  - urn
+  - webcal
+  - xmpp
+
+allowedTags:
+  - a
+  - abbr
+  - acronym
+  - address
+  - b
+  - big
+  - blockquote
+  - br
+  - caption
+  - cite
+  - code
+  - dd
+  - del
+  - dfn
+  - div
+  - dt
+  - em
+  - h1
+  - h2
+  - h3
+  - h4
+  - h5
+  - h6
+  - hr
+  - i
+  - iframe
+  - img
+  - ins
+  - kbd
+  - li
+  - ol
+  - p
+  - pre
+  - s
+  - samp
+  - small
+  - span
+  - strike
+  - strong
+  - sub
+  - sup
+  - table
+  - tbody
+  - td
+  - tfoot
+  - th
+  - thead
+  - tr
+  - tt
+  - u
+  - ul
+  - var
+
+allowedAttributes:
+  - abbr
+  - align
+  - alt
+  - border
+  - cellpadding
+  - cellspacing
+  - cite
+  - class
+  - colspan
+  - datetime
+  - dir
+  - height
+  - href
+  - name
+  - nowrap
+  - reversed
+  - rowspan
+  - src
+  - start
+  - style
+  - title
+  - valign
+  - width
+  - xml:lang
diff --git a/init.rb b/init.rb
@@ -18,3 +18,5 @@
   wiki_format_provider 'CKEditor', RedmineCkeditor::WikiFormatting::Formatter,
     RedmineCkeditor::WikiFormatting::Helper
 end
+
+Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.replace RedmineCkeditor.allowed_protocols
diff --git a/lib/redmine_ckeditor.rb b/lib/redmine_ckeditor.rb
@@ -10,16 +10,23 @@ def assets_root
       @assets_root ||= "#{Redmine::Utils.relative_url_root}/plugin_assets/redmine_ckeditor"
     end
 
+    def allowed_protocols
+      @allowed_protocols ||= ckeditor_config[:allowedProtocols] || %w[
+        afs aim callto ed2k feed ftp gopher http https irc mailto news
+        nntp rsync rtsp sftp ssh tag telnet urn webcal xmpp
+      ]
+    end
+
     def allowed_tags
-      @allowed_tags ||= %w[
+      @allowed_tags ||= ckeditor_config[:allowedTags] || %w[
         a abbr acronym address blockquote b big br caption cite code dd del dfn
         div dt em h1 h2 h3 h4 h5 h6 hr i img ins kbd li ol p pre samp small span
         strike s strong sub sup table tbody td tfoot th thead tr tt u ul var iframe
       ]
     end
 
     def allowed_attributes
-      @allowed_attributes ||= %w[
+      @allowed_attributes ||= ckeditor_config[:allowedAttributes] || %w[
         href src width height alt cite datetime title class name xml:lang abbr dir
         style align valign border cellpadding cellspacing colspan rowspan nowrap
         start reversed