kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Update sanitize text helper to strip plaintext tags, and <img src=javascript:bang>. [Rick Olson]

Browse source 
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4911 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
This commit is contained in:
Rick Olson 2006-09-03 00:02:14 +00:00
parent 26f28e7cfa
commit 0c999f4125
3 changed files with 17 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
actionpack/CHANGELOG
View file

@ -1,5 +1,7 @@
*SVN*
* Update sanitize text helper to strip plaintext tags, and <img src="javascript:bang">. [Rick Olson]
* Update routing documentation. Closes #6017 [Nathan Witmer]
* Add routing tests to assert that RoutingError is raised when conditions aren't met. Closes #6016 [Nathan Witmer]

6
actionpack/lib/action_view/helpers/text_helper.rb
View file

@ -168,7 +168,7 @@ module ActionView
require 'html/node'
end
VERBOTEN_TAGS = %w(form script) unless defined?(VERBOTEN_TAGS)
VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS)
VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS)
# Sanitizes the given HTML by making form and script tags into regular
@ -192,8 +192,8 @@ module ActionView
else
if node.closing != :close
node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
if node.attributes["href"] =~ /^javascript:/i
node.attributes.delete "href"
%w(href src).each do |attr|
node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i
end
end
node.to_s

12
actionpack/test/template/text_helper_test.rb
View file

@ -195,6 +195,12 @@ class TextHelperTest < Test::Unit::TestCase
assert_equal "&lt;form action='/foo/bar' method='post'><input>&lt;/form>", result
end
def test_sanitize_plaintext
raw = "<plaintext><span>foo</span></plaintext>"
result = sanitize(raw)
assert_equal "&lt;plaintext><span>foo</span>&lt;/plaintext>", result
end
def test_sanitize_script
raw = "<script language=\"Javascript\">blah blah blah</script>"
result = sanitize(raw)
@ -213,6 +219,12 @@ class TextHelperTest < Test::Unit::TestCase
assert_equal %{href="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result
end
def test_sanitize_image_src
raw = %{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>}
result = sanitize(raw)
assert_equal %{src="javascript:bang" <img width='5'>foo</img>, <span>bar</span>}, result
end
def test_cycle_class
value = Cycle.new("one", 2, "3")
assert_equal("one", value.to_s)