diff options
| -rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 4 | ||||
| -rw-r--r-- | actionpack/test/controller/html-scanner/sanitizer_test.rb | 8 |
3 files changed, 11 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index f134fec599..98756c7582 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Fix HTML Sanitizer to allow trailing spaces in CSS style attributes. Closes #10566 [wesley.moxam] + * Add :default option to time_zone_select. #10590 [Matt Aimonetti] diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index 1eb426aea1..12c8405101 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -107,7 +107,7 @@ module HTML # gauntlet if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ || - style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$/ + style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/ return '' end @@ -170,4 +170,4 @@ module HTML (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first)) end end -end
\ No newline at end of file +end diff --git a/actionpack/test/controller/html-scanner/sanitizer_test.rb b/actionpack/test/controller/html-scanner/sanitizer_test.rb index 8fe9bbc5e8..a9f4e88742 100644 --- a/actionpack/test/controller/html-scanner/sanitizer_test.rb +++ b/actionpack/test/controller/html-scanner/sanitizer_test.rb @@ -203,6 +203,12 @@ class SanitizerTest < Test::Unit::TestCase assert_equal expected, sanitize_css(raw) end + def test_should_sanitize_with_trailing_space + raw = "display:block; " + expected = "display: block;" + assert_equal expected, sanitize_css(raw) + end + def test_should_sanitize_xul_style_attributes raw = %(-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')) assert_equal '', sanitize_css(raw) @@ -247,4 +253,4 @@ protected def sanitize_css(input) (@sanitizer ||= HTML::WhiteListSanitizer.new).sanitize_css(input) end -end
\ No newline at end of file +end |