
Freeing up restrictions on the body contents of notes. IFrames now available.

Adding an additional level of sanitization, so that IFrames don't show up in document descriptions.
1 parent b528deb commit 3fda323b9bdf8c9df9c7c19e8cb74e58704139ca @knowtheory knowtheory committed Mar 21, 2012
Showing with 27 additions and 7 deletions.
  1. +1 −1 app/models/document.rb
  2. +1 −1 app/models/project.rb
  3. +25 −5 lib/dc/sanitized.rb
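--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -54,7 +54,7 @@ class Document < ActiveRecord::Base
 # Sanitizations (title handled separately):
 text_attr :source, :related_article, :remote_url
-html_attr :description
+styleable_attr :description
 delegate :slug, :to => :organization, :allow_nil => true, :prefix => true
 delegate :slug, :to => :account, :allow_nil => true, :prefix => true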
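Review bot: The switch to `styleable_attr :description` reads as if descriptions became more permissive, but with this commit it is the stricter of the two levels: in lib/dc/sanitized.rb `html_attr` now sanitizes at `:super_relaxed` (iframes allowed) while `styleable_attr` uses the plain RELAXED config, so the names point the wrong way for a reader of this line. The same applies to the identical change in app/models/project.rb. Either rename the helpers so the permissive one is the odd one out, or add a one-line comment at both call sites, e.g. `# RELAXED level: no iframes in descriptions`.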
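--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -22,7 +22,7 @@ class Project < ActiveRecord::Base
 # Sanitizations:
 text_attr :title
-html_attr :description
+styleable_attr :description
 named_scope :alphabetical, {:order => :title}
 named_scope :visible, :conditions => {:hidden => false}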
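--- a/lib/dc/sanitized.rb
+++ b/lib/dc/sanitized.rb
@@ -9,9 +9,9 @@ def strip(s)
 Sanitize.clean(s)
 end
-# Clean unsafe HTML from a string,
-def sanitize(s)
-Sanitize.clean(s, Sanitize::Config::RELAXED)
+# Clean unsafe HTML from a string.
+def sanitize(s, level=:relaxed)
+Sanitize.clean(s, level == :super_relaxed ? ::DC::Sanitizer::SUPER_RELAXED : ::DC::Sanitizer::RELAXED)
 end
 # Class methods to mix in.
@@ -23,11 +23,18 @@ def text_attr(*attrs)
 class_eval "def #{att}=(val); self[:#{att}] = strip(val); end"
 end
 end
+
+#
+def styleable_attr(*attrs)
+attrs.each do |att|
+class_eval "def #{att}=(val); self[:#{att}] = sanitize(val); end"
+end
+end
 # HTML attributes are sanitized of malicious HTML before being saved.
 def html_attr(*attrs)
 attrs.each do |att|
-class_eval "def #{att}=(val); self[:#{att}] = sanitize(val); end"
+class_eval "def #{att}=(val); self[:#{att}] = sanitize(val, :super_relaxed); end"
 end
 end
@@ -39,8 +46,21 @@ def self.included(klass)
 end
 end
+
+module Sanitizer
+RELAXED = Sanitize::Config::RELAXED.dup
+SUPER_RELAXED = Sanitize::Config::RELAXED.dup
+SUPER_RELAXED[:elements] += %w[ iframe ]
+SUPER_RELAXED[:attributes].merge!({ 'iframe' => %w[ src srcdoc width height sandbox ] })
+SUPER_RELAXED[:protocols].merge!({
+'iframe' => {
+'src' => ['ftp', 'http', 'https', 'mailto', :relative],
+'sandbox' => %w[ allow-forms allow-same-origin allow-scripts allow-top-navigation ]
+}
+})
+end
 end
 # Mix this module into all ActiveRecord models.
-ActiveRecord::Base.send :include, DC::Sanitized
+ActiveRecord::Base.send :include, DC::Sanitized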
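Review bot: `srcdoc` should not be in the SUPER_RELAXED iframe attribute list: its value is an inline HTML document that an attribute-name whitelist passes through untouched, and browsers render a srcdoc frame in the embedding page's origin, so it reopens exactly the hole the sanitizer is there to close. The `'sandbox' => %w[ allow-forms ... ]` entry under `:protocols` also looks misplaced: as far as I can tell Sanitize's protocol filter treats that attribute as a URL and unlinks it when no listed scheme precedes a colon, so a plain `sandbox="allow-forms"` would be stripped rather than validated and every kept frame would end up unsandboxed. Finally, `Sanitize::Config::RELAXED.dup` is a shallow copy, so the two `merge!` calls mutate the nested hashes that `RELAXED` and the library's own `Sanitize::Config::RELAXED` still share. The rewrite below builds SUPER_RELAXED with non-destructive merges, keeps `sandbox` as an ordinary attribute and leaves `srcdoc` out; separately, the empty `#` above `styleable_attr` in the previous hunk should say what the level means, e.g. `# Like html_attr, but without iframes; used for descriptions.`
```ruby
module Sanitizer
  RELAXED = Sanitize::Config::RELAXED.dup

  # Built with non-destructive merges: RELAXED.dup is shallow, so merge! on the
  # nested hashes would edit Sanitize::Config::RELAXED itself.
  SUPER_RELAXED = Sanitize::Config::RELAXED.merge(
    :elements   => Sanitize::Config::RELAXED[:elements] + %w[ iframe ],
    # srcdoc is deliberately absent: a whitelist cannot sanitize an inline document.
    # sandbox is an ordinary attribute, not a URL, so it is not listed under :protocols.
    :attributes => Sanitize::Config::RELAXED[:attributes].merge('iframe' => %w[ src width height sandbox ]),
    :protocols  => Sanitize::Config::RELAXED[:protocols].merge(
      'iframe' => { 'src' => ['ftp', 'http', 'https', 'mailto', :relative] }
    )
  )
end
# … unchanged: enclosing module close and ActiveRecord::Base.send :include …
```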
