diff options
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/CHANGELOG | 2 | ||||
| -rw-r--r-- | actionpack/lib/action_view/helpers/text_helper.rb | 6 | ||||
| -rw-r--r-- | actionpack/test/template/text_helper_test.rb | 12 |
3 files changed, 17 insertions, 3 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 7f452f730e..cc1b883e5f 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Update sanitize text helper to strip plaintext tags, and <img src="javascript:bang">. [Rick Olson] + * Update routing documentation. Closes #6017 [Nathan Witmer] * Add routing tests to assert that RoutingError is raised when conditions aren't met. Closes #6016 [Nathan Witmer] diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb index a2efedf100..8b724127a2 100644 --- a/actionpack/lib/action_view/helpers/text_helper.rb +++ b/actionpack/lib/action_view/helpers/text_helper.rb @@ -168,7 +168,7 @@ module ActionView require 'html/node' end - VERBOTEN_TAGS = %w(form script) unless defined?(VERBOTEN_TAGS) + VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS) VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS) # Sanitizes the given HTML by making form and script tags into regular @@ -192,8 +192,8 @@ module ActionView else if node.closing != :close node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS } - if node.attributes["href"] =~ /^javascript:/i - node.attributes.delete "href" + %w(href src).each do |attr| + node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i end end node.to_s diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb index babb68ccfa..7cc92e0bd6 100644 --- a/actionpack/test/template/text_helper_test.rb +++ b/actionpack/test/template/text_helper_test.rb @@ -195,6 +195,12 @@ class TextHelperTest < Test::Unit::TestCase assert_equal "<form action='/foo/bar' method='post'><input></form>", result end + def test_sanitize_plaintext + raw = "<plaintext><span>foo</span></plaintext>" + result = sanitize(raw) + assert_equal "<plaintext><span>foo</span></plaintext>", result + end + def test_sanitize_script raw = "<script language=\"Javascript\">blah blah blah</script>" result = sanitize(raw) @@ -213,6 +219,12 @@ class TextHelperTest < Test::Unit::TestCase assert_equal %{href="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result end + def test_sanitize_image_src + raw = %{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>} + result = sanitize(raw) + assert_equal %{src="javascript:bang" <img width='5'>foo</img>, <span>bar</span>}, result + end + def test_cycle_class value = Cycle.new("one", 2, "3") assert_equal("one", value.to_s) |