Merge branch 'bzr/golem' of /Users/distler/Sites/code/instiki

app/controllers/application_controller.rb

@@ -8,7 +8,7 @@ class ApplicationController < ActionController::Base
 
   # For injecting a different wiki model implementation. Intended for use in tests
   def self.wiki=(the_wiki)
-    # a global variable is used here because Rails reloads controller and model classes in the 
+    # a global variable is used here because Rails reloads controller and model classes in the
     # development environment; therefore, storing it as a class variable does not work
     # class variable is, anyway, not much different from a global variable
     #$instiki_wiki_service = the_wiki
@@ -39,15 +39,15 @@ def html_ext
        'xhtml'
     else
       'html'
-    end       
+    end
   end
 
   def darken(s)
      n=s.length/3
      s.scan( %r(\w{#{n},#{n}}) ).collect {|a| (a.hex * 2/3).to_s(16).rjust(n,'0')}.join
   end
 
-  def check_authorization    
+  def check_authorization
     redirect_to(:controller => 'wiki', :action => 'login',
                 :web => @web_name) if in_a_web? and authorization_needed? and not authorized?
   end
@@ -65,10 +65,10 @@ def connect_to_model
   end
 
   FILE_TYPES = {
-    '.aif' => 'audio/x-aiff',  
-    '.aiff'=> 'audio/x-aiff',  
-    '.avi' => 'video/x-msvideo',  
-    '.cdf' => 'application/vnd.wolfram.cdf.text',  
+    '.aif' => 'audio/x-aiff',
+    '.aiff'=> 'audio/x-aiff',
+    '.avi' => 'video/x-msvideo',
+    '.cdf' => 'application/vnd.wolfram.cdf.text',
     '.exe' => 'application/octet-stream',
     '.gif' => 'image/gif',
     '.jpg' => 'image/jpeg',
@@ -113,7 +113,7 @@ def connect_to_model
     'text/plain'               => 'inline',
     'application/zip'          => 'attachment'
   } unless defined? DISPOSITION
- 
+
   def determine_file_options_for(file_name, original_options = {})
     original_options[:type] ||= (FILE_TYPES[File.extname(file_name)] or 'application/octet-stream')
     original_options[:disposition] ||= (DISPOSITION[original_options[:type]] or 'attachment')
@@ -122,7 +122,7 @@ def determine_file_options_for(file_name, original_options = {})
             ( request.remote_addr == LOCALHOST || defined?(PhusionPassenger) )
     original_options
   end
-  
+
   def send_file(file, options = {})
     determine_file_options_for(file, options)
     super(file, options)
@@ -140,7 +140,7 @@ def password_check(password)
   def password_error(password)
     if password.nil? or password.empty?
       'Please enter the password.'
-    else 
+    else
       'You entered a wrong password. Please enter the right one.'
     end
   end
@@ -154,7 +154,7 @@ def redirect_home(web = @web_name)
   end
 
   def redirect_to_page(page_name = @page_name, web = @web_name)
-    redirect_to :web => web, :controller => 'wiki', :action => 'show', 
+    redirect_to :web => web, :controller => 'wiki', :action => 'show',
         :id => (page_name or 'HomePage')
   end
 
@@ -205,9 +205,9 @@ def set_content_type_header
       response.content_type = Mime::TEXT
     elsif xhtml_enabled?
       if request.user_agent =~ /Validator/ or request.env.include?('HTTP_ACCEPT') &&
-           Mime::Type.parse(request.env["HTTP_ACCEPT"]).include?(Mime::XHTML)  
+           Mime::Type.parse(request.env["HTTP_ACCEPT"]).include?(Mime::XHTML)
         response.content_type = Mime::XHTML
-      elsif request.user_agent =~ /MathPlayer/ 
+      elsif request.user_agent =~ /MathPlayer/
         response.charset = nil
         response.content_type = Mime::XHTML
         response.extend(MathPlayerHack)
@@ -244,7 +244,7 @@ def wiki
   def in_a_web?
     not @web_name.nil?
   end
-  
+
   def authorization_needed?
     not %w(login authenticate feeds published atom_with_headlines atom_with_content atom_with_changes file blahtex_png).include?(action_name)
   end
@@ -255,7 +255,7 @@ def authorized?
     cookies.signed[CGI.escape(@web_name)] == @web.password or
     password_check(params['password']) or
     (@web.published? and action_name == 's5')
-    
+
     rescue ActiveSupport::MessageVerifier::InvalidSignature
       flash[:info] = 'Bad cookie. Please reauthenticate.'
       cookies.signed[CGI.escape(@web_name)] = ''
@@ -282,7 +282,7 @@ module Mime
 
   # Add XHTML
   XHTML  = Type.new "application/xhtml+xml", :xhtml
-  
+
   # Fix xhtml and html lookups
   LOOKUP["text/html"]             = HTML
   LOOKUP["application/xhtml+xml"] = XHTML
@@ -298,7 +298,7 @@ module Instiki
   module VERSION #:nodoc:
     MAJOR = 0
     MINOR = 20
-    TINY  = 1 
+    TINY  = 1
     SUFFIX = '(MML+)'
     PRERELEASE = false
     if PRERELEASE

app/controllers/wiki_controller.rb

@@ -330,7 +330,7 @@ def rollback
   def save
     render(:status => 404, :text => 'Undefined page name', :layout => 'error') and return if @page_name.nil?
     return unless is_post
-    author_name = params['author'].purify
+    author_name = params['author'].strip.purify
     author_name = 'AnonymousCoward' if author_name =~ /^\s*$/
 
     begin

app/models/author.rb

@@ -9,9 +9,9 @@ def initialize(name, ip = nil)
   def name=(value)
     self.gsub!(/.+/, value)
   end
-  
+
   alias_method :name, :to_s
-  
+
   def <=>(other)
     name <=> other.to_s
   end

app/models/wiki_reference.rb

@@ -41,7 +41,7 @@ def self.pages_that_link_to(web, page_name)
       "AND pages.web_id = '#{web.id}'"
     names = connection.select_all(sanitize_sql([query, page_name])).map { |row| row['name'] }
   end
-  
+
   def self.pages_that_link_to_file(web, file_name)
     query = 'SELECT name FROM pages JOIN wiki_references ' +
       'ON pages.id = wiki_references.page_id ' +
@@ -50,7 +50,7 @@ def self.pages_that_link_to_file(web, file_name)
       "AND pages.web_id = '#{web.id}'"
     names = connection.select_all(sanitize_sql([query, file_name])).map { |row| row['name'] }
   end
-  
+
   def self.pages_that_include(web, page_name)
     query = 'SELECT name FROM pages JOIN wiki_references ' +
       'ON pages.id = wiki_references.page_id ' +
@@ -69,7 +69,7 @@ def self.pages_redirected_to(web, page_name)
     redirected_pages.concat Thread.current[:page_redirects][page] if
             Thread.current[:page_redirects] && Thread.current[:page_redirects][page]
     redirected_pages.uniq.each { |name| names.concat self.pages_that_reference(web, name) }
-    names.uniq    
+    names.uniq
   end
 
   def self.pages_that_redirect_for(web, page_name)
@@ -95,7 +95,7 @@ def self.pages_in_category(web, category)
       "AND pages.web_id = '#{web.id}'"
     names = connection.select_all(sanitize_sql([query, category])).map { |row| row['name'].as_utf8 }
   end
-  
+
   def self.list_categories(web)
     query = "SELECT DISTINCT wiki_references.referenced_name " +
       "FROM wiki_references LEFT OUTER JOIN pages " +
@@ -128,17 +128,16 @@ def wanted_page?
   def included_page?
     link_type == INCLUDED_PAGE
   end
-  
+
   def file?
     link_type == FILE
   end
-  
+
   def wanted_file?
     link_type == WANTED_FILE
   end
 
   def category?
     link_type == CATEGORY
   end
-
 end

app/views/file/delete.html.erb

@@ -5,12 +5,12 @@
 
 <%= error_messages_for 'delete' %>
 
-<% form_tag({ :controller => 'file', :web => @web_name, :action => 'delete' }, 
+<% form_tag({ :controller => 'file', :web => @web_name, :action => 'delete' },
         {'accept-charset' => 'utf-8' }) do %>
   <div class="inputFieldWithPrompt">
     <%= hidden_field 'file', 'file_name' %>
     <label for="system_password">Enter system password</label>
-    <input type="password" class="disableAutoComplete" id="system_password" 
+    <input type="password" class="disableAutoComplete" id="system_password"
            name="system_password" />
     <input type="submit" value="Delete" /><br/>
     or go <%= link_to "back", :back %> to the page you came from.

app/views/file/file.rhtml

@@ -15,17 +15,17 @@
     <br />
     <input type="file" id="file_content" name="file[content]" size="40" />
     <br />
-    Please note that the file you are uploading will be named <%= h @file_name %> on the wiki - 
-    regardless of how it is named on your computer. To change the wiki name of the file, please go 
-    <%= link_to("back", @referring_page) %> and edit the wiki page that refers to the file.
+    <p>Please note that the file you are uploading will be named <%= h @file_name %> on the wiki -
+    regardless of how it is named on your computer. To change the wiki name of the file, please go
+    <%= link_to("back", @referring_page) %> and edit the wiki page that refers to the file.</p>
   </div>
   <div class="inputFieldWithPrompt">
     <label for="file_description"><b>Description</b>:</label>
     <br/>
     <%= text_field "file", "description", "size" => 40 %>
   </div>
   <div>
-    <input type="submit" value="Upload" /> as 
+    <input type="submit" value="Upload" /> as
     <%= text_field_tag :author, @author, 
             :onfocus => "this.value == 'AnonymousCoward' ? this.value = '' : true;",
             :onblur  => "this.value == '' ? this.value = 'AnonymousCoward' : true" %>

test/functional/wiki_controller_test.rb

@@ -779,6 +779,22 @@ def test_save_new_revision_of_existing_page
     assert !home_page.locked?(Time.now)
   end
 
+  def test_save_new_revision_of_existing_page_whitespace_trimmed
+    @home.lock(Time.now, 'Batman')
+    current_revisions = @home.revisions.size
+
+    r = process 'save', 'web' => 'wiki1', 'id' => 'HomePage', 'content' => 'Revised HomePage', 
+      'author' => '  Batman  '
+
+    assert_redirected_to :web => 'wiki1', :controller => 'wiki', :action => 'show', :id => 'HomePage'
+    assert_equal 'Batman', r.cookies['author']
+    home_page = @wiki.read_page('wiki1', 'HomePage')
+    assert_equal current_revisions+1, home_page.revisions.size
+    assert_equal 'Revised HomePage', home_page.content
+    assert_equal 'Batman', home_page.author
+    assert !home_page.locked?(Time.now)
+  end
+
   def test_save_new_revision_of_existing_page_invalid_utf8
     @home.lock(Time.now, 'Batman')
     current_revisions = @home.revisions.size

test/unit/sanitizer_test.rb

@@ -137,6 +137,12 @@ def test_should_handle_astral_plane_characters
     check_sanitization(input, output, output, output)
   end
 
+  def test_comments_in_attributes
+    input = %(<a href='examp<!--" script=foo>-->le.com'>test</a> bar)
+    output=%(<a href='examp&lt;!--&quot; script=foo&gt;--&gt;le.com'>test</a> bar)
+    check_sanitization(input, output, output, output)
+  end
+
 # This affects only NS4. Is it worth fixing?
 #  def test_javascript_includes
 #    input = %(<div size="&{alert('XSS')}">foo</div>)