diff options
author | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-18 10:17:04 -0700 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-18 10:17:04 -0700 |
commit | afcd01bf25c0d7742d07b10dd8a465cffef4b9fe (patch) | |
tree | a486bd447e95fb4e8b1cbc195c28b23efd335a1c /actionpack/lib/action_controller/vendor/html-scanner | |
parent | 491d6916c976c40bb8e0f0992f35d85ff7169d89 (diff) | |
parent | a4b55827721a5967299f3c1531afb3d6d81e4ac0 (diff) | |
download | rails-afcd01bf25c0d7742d07b10dd8a465cffef4b9fe.tar.gz rails-afcd01bf25c0d7742d07b10dd8a465cffef4b9fe.tar.bz2 rails-afcd01bf25c0d7742d07b10dd8a465cffef4b9fe.zip |
Merge branch '3-2-13' into 3-2-stable
* 3-2-13:
bumping to 3.2.13
fix protocol checking in sanitization [CVE-2013-1857]
JDOM XXE Protection [CVE-2013-1856]
fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]
stop calling to_sym when building arel nodes [CVE-2013-1854]
Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
bumping to rc2
Revert "Merge pull request #8209 from senny/backport_8176"
Freeze columns only once per Result
Preparing for 3.2.13.rc1 release
Update CHANGELOGs for 3.2.13 release.
Conflicts:
actionmailer/CHANGELOG.md
actionpack/CHANGELOG.md
activemodel/CHANGELOG.md
activeresource/CHANGELOG.md
activesupport/CHANGELOG.md
railties/CHANGELOG.md
Diffstat (limited to 'actionpack/lib/action_controller/vendor/html-scanner')
-rw-r--r-- | actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index af06bffa16..994e11563d 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -66,7 +66,7 @@ module HTML # A regular expression of the valid characters used to separate protocols like # the ':' in 'http://foo.com' - self.protocol_separator = /:|(�*58)|(p)|(%|%)3A/ + self.protocol_separator = /:|(�*58)|(p)|(�*3a)|(%|%)3A/i # Specifies a Set of HTML attributes that can have URIs. self.uri_attributes = Set.new(%w(href src cite action longdesc xlink:href lowsrc)) @@ -110,8 +110,8 @@ module HTML style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet - if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ || - style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/ + if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || + style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ return '' end @@ -122,7 +122,7 @@ module HTML elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| !allowed_css_keywords.include?(keyword) && - keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/ + keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ end clean << prop + ': ' + val + ';' end @@ -171,7 +171,7 @@ module HTML def contains_bad_protocols?(attr_name, value) uri_attributes.include?(attr_name) && - (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase)) + (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip)) end end end |