diff options
| author | Timm <kaspth@gmail.com> | 2013-07-03 19:55:52 +0200 |
|---|---|---|
| committer | Timm <kaspth@gmail.com> | 2014-06-15 23:35:25 +0200 |
| commit | 167e998f6128f2a04170181030fceb21047f7b79 (patch) | |
| tree | 672a3896dbda2e78aa6c48d8628584031e54b924 /actionview | |
| parent | 3e4ae8e5a21e1460bf0674211aef8d539c065701 (diff) | |
| download | rails-167e998f6128f2a04170181030fceb21047f7b79.tar.gz rails-167e998f6128f2a04170181030fceb21047f7b79.tar.bz2 rails-167e998f6128f2a04170181030fceb21047f7b79.zip | |
Removed the contains_bad_protocols? method as well as the tests for it. Loofah already deals with this.
Diffstat (limited to 'actionview')
| -rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb | 10 | ||||
| -rw-r--r-- | actionview/test/template/sanitizers_test.rb | 33 |
2 files changed, 2 insertions, 41 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb index f70b47f32a..0bc4be6558 100644 --- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb +++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb @@ -13,8 +13,9 @@ module ActionView class LinkSanitizer def initialize + @strip_tags = %w(a href) @link_scrubber = Loofah::Scrubber.new do |node| - if node.name == 'a' + if @strip_tags.include?(node.name) node.before node.children node.remove else @@ -109,12 +110,5 @@ module ActionView self.shorthand_css_properties = Loofah::HTML5::WhiteList::SHORTHAND_CSS_PROPERTIES self.allowed_protocols = Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS - - protected - def contains_bad_protocols?(attr_name, value) - protocol_separator = ':' - self.uri_attributes.include?(attr_name) && - (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/i && !self.allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip)) - end end end diff --git a/actionview/test/template/sanitizers_test.rb b/actionview/test/template/sanitizers_test.rb index dc2fcf61e8..3a2d95fc87 100644 --- a/actionview/test/template/sanitizers_test.rb +++ b/actionview/test/template/sanitizers_test.rb @@ -149,39 +149,6 @@ class SanitizerTest < ActionController::TestCase end end - def test_should_flag_bad_protocols - sanitizer = ActionView::WhiteListSanitizer.new - %w(about chrome data disk hcp help javascript livescript lynxcgi lynxexec ms-help ms-its mhtml mocha opera res resource shell vbscript view-source vnd.ms.radio wysiwyg).each do |proto| - assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad") - end - end - - def test_should_accept_good_protocols_ignoring_case - sanitizer = ActionView::WhiteListSanitizer.new - ActionView::WhiteListSanitizer.allowed_protocols.each do |proto| - assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto.capitalize}://good") - end - end - - def test_should_accept_good_protocols_ignoring_space - sanitizer = ActionView::WhiteListSanitizer.new - ActionView::WhiteListSanitizer.allowed_protocols.each do |proto| - assert !sanitizer.send(:contains_bad_protocols?, 'src', " #{proto}://good") - end - end - - def test_should_accept_good_protocols - sanitizer = ActionView::WhiteListSanitizer.new - ActionView::WhiteListSanitizer.allowed_protocols.each do |proto| - assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://good") - end - end - - def test_should_reject_hex_codes_in_protocol - assert_sanitized %(<a href="%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29">1</a>), "<a>1</a>" - assert @sanitizer.send(:contains_bad_protocols?, 'src', "%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29") - end - def test_should_block_script_tag assert_sanitized %(<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>), "" end |