
Update sanitize text helper to strip plaintext tags, and <img src=javascript:bang>. [Rick Olson]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4911 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
1 parent 26f28e7 commit 0c999f4125b04be552a3b7ed1ee7787d53d3a477 @technoweenie technoweenie committed Sep 3, 2006
2 actionpack/CHANGELOG
@@ -1,5 +1,7 @@
*SVN*
+* Update sanitize text helper to strip plaintext tags, and <img src="javascript:bang">. [Rick Olson]
+
* Update routing documentation. Closes #6017 [Nathan Witmer]
* Add routing tests to assert that RoutingError is raised when conditions aren't met. Closes #6016 [Nathan Witmer]
6 actionpack/lib/action_view/helpers/text_helper.rb
@@ -168,7 +168,7 @@ def strip_links(text)
require 'html/node'
end
- VERBOTEN_TAGS = %w(form script) unless defined?(VERBOTEN_TAGS)
+ VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS)
VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS)
# Sanitizes the given HTML by making form and script tags into regular
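Review bot: the doc comment on the last context line still says the helper turns "form and script tags" into regular text, but VERBOTEN_TAGS now also contains plaintext; update the comment so it names all three tags. Since VERBOTEN_TAGS is a denylist, any tag not listed passes through unchanged; if that is the intended scope of sanitize, state it in the same comment so callers do not assume broader protection than the three-entry list provides.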
@@ -192,8 +192,8 @@ def sanitize(html)
else
if node.closing != :close
node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
- if node.attributes["href"] =~ /^javascript:/i
- node.attributes.delete "href"
+ %w(href src).each do |attr|
+ node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i
end
end
node.to_s
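Review bot: the new `%w(href src).each` loop only rejects values matching `/^javascript:/i`, that is, the literal scheme at the very start of the attribute value, and only for these two attributes; any other scheme or attribute passes untouched. The more robust mitigation is to allow only known-safe schemes (http, https, mailto, and relative paths) and apply that check to every URL-bearing attribute, rather than denying one scheme name. Minor: `node.attributes[attr]` is nil for elements without that attribute; `nil =~ /.../` returns nil in Ruby so this is safe, but a one-line comment would make the intent clear.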
12 actionpack/test/template/text_helper_test.rb
@@ -195,6 +195,12 @@ def test_sanitize_form
assert_equal "&lt;form action='/foo/bar' method='post'><input>&lt;/form>", result
end
+ def test_sanitize_plaintext
+ raw = "<plaintext><span>foo</span></plaintext>"
+ result = sanitize(raw)
+ assert_equal "&lt;plaintext><span>foo</span>&lt;/plaintext>", result
+ end
+
def test_sanitize_script
raw = "<script language=\"Javascript\">blah blah blah</script>"
result = sanitize(raw)
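Review bot: test_sanitize_plaintext only exercises a lowercase `<plaintext>`; HTML tag names are case-insensitive, so add a `<PLAINTEXT>` variant to pin down whether the VERBOTEN_TAGS match is case-insensitive. The expected string also shows the inner `<span>` surviving, which is consistent with the tag-name denylist in text_helper.rb and worth a short comment in the test.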
@@ -213,6 +219,12 @@ def test_sanitize_javascript_href
assert_equal %{href="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result
end
+ def test_sanitize_image_src
+ raw = %{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>}
+ result = sanitize(raw)
+ assert_equal %{src="javascript:bang" <img width='5'>foo</img>, <span>bar</span>}, result
+ end
+
def test_cycle_class
value = Cycle.new("one", 2, "3")
assert_equal("one", value.to_s)
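Review bot: test_sanitize_image_src covers `src="javascript:bang"` on both `<img>` and `<span>`, but only in lowercase; the helper's regex is `/^javascript:/i`, so add a mixed-case value such as `JavaScript:bang` so the case-insensitive match is actually exercised. Minor: `<img ...>foo</img>` is not valid HTML (img has no closing tag); a self-closing `<img ... />` would keep the fixture realistic without changing what is asserted. The assertion also shows html/node re-serializing `width="5"` as `width='5'`, which is a serializer detail rather than sanitizer behaviour; a comment noting that would avoid confusion if the serializer changes.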
