diff options
author | Timothy N. Tsvetkov <timothy.tsvetkov@gmail.com> | 2010-11-24 00:17:05 +0300 |
---|---|---|
committer | Santiago Pastorino <santiago@wyeworks.com> | 2010-12-30 22:43:43 -0200 |
commit | e5b84fd72358deddd29c515aacab7edf2643908e (patch) | |
tree | 9aa4c81e85567bc9082d2b251d0771c96dabb155 | |
parent | 573fd39e22b3d278457fa764c107095808b361fe (diff) | |
download | rails-e5b84fd72358deddd29c515aacab7edf2643908e.tar.gz rails-e5b84fd72358deddd29c515aacab7edf2643908e.tar.bz2 rails-e5b84fd72358deddd29c515aacab7edf2643908e.zip |
ActionController::Base.helpers.sanitize ignores case in protocol
[#6044 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
3 files changed, 8 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index 3e5d23b5c1..09dd08898c 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -170,7 +170,7 @@ module HTML def contains_bad_protocols?(attr_name, value) uri_attributes.include?(attr_name) && - (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first)) + (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase)) end end end diff --git a/actionpack/test/fixtures/layout_tests/layouts/symlinked b/actionpack/test/fixtures/layout_tests/layouts/symlinked deleted file mode 120000 index 0ddc1154ab..0000000000 --- a/actionpack/test/fixtures/layout_tests/layouts/symlinked +++ /dev/null @@ -1 +0,0 @@ -../../symlink_parent
\ No newline at end of file diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb index 3e80317b30..fcc3782f04 100644 --- a/actionpack/test/template/html-scanner/sanitizer_test.rb +++ b/actionpack/test/template/html-scanner/sanitizer_test.rb @@ -130,6 +130,13 @@ class SanitizerTest < ActionController::TestCase assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad") end end + + def test_should_accept_good_protocols_ignoring_case + sanitizer = HTML::WhiteListSanitizer.new + HTML::WhiteListSanitizer.allowed_protocols.each do |proto| + assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto.capitalize}://good") + end + end def test_should_accept_good_protocols sanitizer = HTML::WhiteListSanitizer.new |