From 167e998f6128f2a04170181030fceb21047f7b79 Mon Sep 17 00:00:00 2001
From: Timm <kaspth@gmail.com>
Date: Wed, 3 Jul 2013 19:55:52 +0200
Subject: Removed the contains_bad_protocols? method as well as the tests for
 it. Loofah already deals with this.

---
 .../helpers/sanitize_helper/sanitizers.rb          | 10 ++-----
 actionview/test/template/sanitizers_test.rb        | 33 ----------------------
 2 files changed, 2 insertions(+), 41 deletions(-)

(limited to 'actionview')

diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index f70b47f32a..0bc4be6558 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -13,8 +13,9 @@ module ActionView
 
   class LinkSanitizer
     def initialize
+      @strip_tags = %w(a href)
       @link_scrubber = Loofah::Scrubber.new do |node|
-        if node.name == 'a'
+        if @strip_tags.include?(node.name)
           node.before node.children
           node.remove
         else
@@ -109,12 +110,5 @@ module ActionView
     self.shorthand_css_properties = Loofah::HTML5::WhiteList::SHORTHAND_CSS_PROPERTIES
 
     self.allowed_protocols = Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS
-
-    protected
-      def contains_bad_protocols?(attr_name, value)
-        protocol_separator = ':'
-        self.uri_attributes.include?(attr_name) &&
-        (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !self.allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
-      end
   end
 end
diff --git a/actionview/test/template/sanitizers_test.rb b/actionview/test/template/sanitizers_test.rb
index dc2fcf61e8..3a2d95fc87 100644
--- a/actionview/test/template/sanitizers_test.rb
+++ b/actionview/test/template/sanitizers_test.rb
@@ -149,39 +149,6 @@ class SanitizerTest < ActionController::TestCase
     end
   end
 
-  def test_should_flag_bad_protocols
-    sanitizer = ActionView::WhiteListSanitizer.new
-    %w(about chrome data disk hcp help javascript livescript lynxcgi lynxexec ms-help ms-its mhtml mocha opera res resource shell vbscript view-source vnd.ms.radio wysiwyg).each do |proto|
-      assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad")
-    end
-  end
-
-  def test_should_accept_good_protocols_ignoring_case
-    sanitizer = ActionView::WhiteListSanitizer.new
-    ActionView::WhiteListSanitizer.allowed_protocols.each do |proto|
-      assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto.capitalize}://good")
-    end
-  end
-
-  def test_should_accept_good_protocols_ignoring_space
-    sanitizer = ActionView::WhiteListSanitizer.new
-    ActionView::WhiteListSanitizer.allowed_protocols.each do |proto|
-      assert !sanitizer.send(:contains_bad_protocols?, 'src', " #{proto}://good")
-    end
-  end
-
-  def test_should_accept_good_protocols
-    sanitizer = ActionView::WhiteListSanitizer.new
-    ActionView::WhiteListSanitizer.allowed_protocols.each do |proto|
-      assert !sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://good")
-    end
-  end
-
-  def test_should_reject_hex_codes_in_protocol
-    assert_sanitized %(<a href="&#37;6A&#37;61&#37;76&#37;61&#37;73&#37;63&#37;72&#37;69&#37;70&#37;74&#37;3A&#37;61&#37;6C&#37;65&#37;72&#37;74&#37;28&#37;22&#37;58&#37;53&#37;53&#37;22&#37;29">1</a>), "<a>1</a>"
-    assert @sanitizer.send(:contains_bad_protocols?, 'src', "%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29")
-  end
-
   def test_should_block_script_tag
     assert_sanitized %(<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>), ""
   end
-- 
cgit v1.2.3