author | Timm <kaspth@gmail.com> | 2013-07-15 21:54:43 +0200 |
---|---|---|
committer | Timm <kaspth@gmail.com> | 2014-06-15 23:40:54 +0200 |
commit | 6241bb8cf45979cc9ffaa916ed83e7cc6b48a38e (patch) | |
tree | cb52e8ec488f8d7f169033fbcd624808fb2220d5 /actionview | |
parent | c88d573739186c344f39a068a6f972804b17efe8 (diff) | |
Added ability to pass a custom scrubber to sanitize. Includes test coverage.
Diffstat (limited to 'actionview')
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb | 4 | ||||
-rw-r--r-- | actionview/test/template/sanitizers_test.rb | 36 |
2 files changed, 39 insertions, 1 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index af0aa12349..eab6d6a515 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -56,7 +56,9 @@ module ActionView
 return nil unless html
 
 loofah_fragment = Loofah.fragment(html)
- if options[:tags] || options[:attributes]
+ if scrubber = options[:scrubber] # Loofah makes sure this is a scrubber
+ loofah_fragment.scrub!(scrubber)
+ elsif options[:tags] || options[:attributes]
 @permit_scrubber.tags = options[:tags]
 @permit_scrubber.attributes = options[:attributes]
 loofah_fragment.scrub!(@permit_scrubber)
diff --git a/actionview/test/template/sanitizers_test.rb b/actionview/test/template/sanitizers_test.rb
index 8b91dd9c5a..9d64a659b1 100644
--- a/actionview/test/template/sanitizers_test.rb
+++ b/actionview/test/template/sanitizers_test.rb
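Review bot: The new branch `if scrubber = options[:scrubber]` puts an assignment inside the condition, which reads like a typo for `==` and is exactly what RuboCop's Lint/AssignmentInCondition flags; write it as `if (scrubber = options[:scrubber])` so the intent is explicit. The trailing comment only covers type checking (Loofah raising `Loofah::ScrubberNotFound` for a non-scrubber, which the new tests assert) and says nothing about the more important contract: when `:scrubber` is given, `@permit_scrubber` and its tags/attributes whitelist are never applied, so `:tags`/`:attributes` are silently ignored and the output is whatever the caller-supplied scrubber leaves behind. That precedence deserves a line in the enclosing method's documentation, e.g. `# A :scrubber option takes precedence: :tags/:attributes are ignored and the permit whitelist is not applied.` The enclosing method starts and ends outside the hunk.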
@@ -222,6 +222,42 @@ class SanitizersTest < ActionController::TestCase
 assert_equal "You should pass :attributes as an Enumerable", e.message
 end
 
+ def test_should_not_accept_non_loofah_inheriting_scrubber
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Object.new
+ scrubber.class_eval do
+ def scrub(node); node.name = 'h1'; end
+ end
+
+ assert_raise Loofah::ScrubberNotFound do
+ sanitizer.sanitize('', :scrubber => scrubber)
+ end
+ end
+
+ def test_should_accept_loofah_inheriting_scrubber
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new
+ scrubber.class_eval do
+ def scrub(node); node.name = 'h1'; end
+ end
+ html = "<script>hello!</script>"
+ assert_equal "<h1>hello!</h1>", sanitizer.sanitize(html, :scrubber => scrubber)
+ end
+
+ def test_should_accept_loofah_scrubber_that_wraps_a_block
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
+ html = "<script>hello!</script>"
+ assert_equal "<h1>hello!</h1>", sanitizer.sanitize(html, :scrubber => scrubber)
+ end
+
+ def test_custom_scrubber_takes_precedence_over_other_options
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
+ html = "<script>hello!</script>"
+ assert_equal "<h1>hello!</h1>", sanitizer.sanitize(html, :scrubber => scrubber, :tags => ['foo'])
+ end
+
 [%w(img src), %w(a href)].each do |(tag, attr)|
 define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
 assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title="1">boo</#{tag}>) |
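Review bot: `scrubber.class_eval do ... end` in test_should_not_accept_non_loofah_inheriting_scrubber and test_should_accept_loofah_inheriting_scrubber is called on an instance (`Object.new`, `Loofah::Scrubber.new`), but `class_eval` is a Module method, so both tests should raise NoMethodError before reaching their assertions; in the first test that means `assert_raise Loofah::ScrubberNotFound` never executes and the rejection path is not actually proven. Define the method on the object itself instead: `def scrubber.scrub(node); node.name = 'h1'; end` (or `scrubber.singleton_class.class_eval do ... end`). Since `node.name = 'h1'` renames rather than removes the `<script>` element, the expected `"<h1>hello!</h1>"` also shows that a custom scrubber keeps content the default whitelist would strip; a one-line comment on test_custom_scrubber_takes_precedence_over_other_options saying that `:tags => ['foo']` is deliberately ignored would make that intent explicit. The hunk sits inside `class SanitizersTest`, whose body continues outside it.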