
Merge pull request #16775 from kaspth/ship-secure-sanitizer

Ship with rails-html-sanitizer instead of rails-deprecated_sanitizer.
Rafael Mendonça França 2014-09-03 16:59:58 -03:00
commit 5db4e7f0ec
6 changed files with 8 additions and 53 deletions


@ -23,7 +23,7 @@ Gem::Specification.new do |s|
s.add_dependency 'rack', '~> 1.6.0.beta'
s.add_dependency 'rack-test', '~> 0.6.2'
s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
s.add_dependency 'rails-html-sanitizer', '~> 1.0'
s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
s.add_dependency 'actionview', version
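Review bot: The new `rails-html-sanitizer` constraint carries only a series bound (`'~> 1.0'`) and no patch-level floor, whereas the neighbouring `rails-dom-testing` line and the `rails-deprecated_sanitizer` line it replaces both pin a series plus a minimum patch (`'~> 1.0', '>= 1.0.2'`). For the gem that now owns the HTML/CSS sanitization path, a floor at the release this commit was actually validated against lets a future security fix be required by raising the floor without widening the range, and keeps the gemspec's own convention. Suggest the same two-term form, e.g. `s.add_dependency 'rails-html-sanitizer', '~> 1.0', '>= 1.0.x'` with `x` set to the version tested here (not recoverable from the hunk). The actionview gemspec hunk below repeats this line and should stay in step.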


@ -23,7 +23,7 @@ Gem::Specification.new do |s|
s.add_dependency 'builder', '~> 3.1'
s.add_dependency 'erubis', '~> 2.7.0'
s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
s.add_dependency 'rails-html-sanitizer', '~> 1.0'
s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
s.add_development_dependency 'actionpack', version


@ -1,6 +1,6 @@
require 'active_support/core_ext/object/try'
require 'active_support/deprecation'
require 'rails-deprecated_sanitizer'
require 'rails-html-sanitizer'
module ActionView
# = Action View Sanitize Helpers
@ -122,14 +122,9 @@ module ActionView
attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
# Vendors the full, link and white list sanitizers.
# This uses html-scanner for the HTML sanitization.
# In the next Rails version this will use Rails::Html::Sanitizer instead.
# To get this new behavior now, in your Gemfile, add:
#
# gem 'rails-html-sanitizer'
#
# Provided strictly for compabitility and can be removed in Rails 5.
def sanitizer_vendor
Rails::DeprecatedSanitizer
Rails::Html::Sanitizer
end
def sanitized_allowed_tags
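Review bot: The comment left above `sanitizer_vendor` (`# Vendors the full, link and white list sanitizers.`) no longer tells a reader which backend is the default or how to change it, since the removed lines about adding `gem 'rails-html-sanitizer'` described the opposite transition; the `attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer` at the top of the hunk is the visible override hook. Suggest expanding it to: `# Default vendor for the full, link and white list sanitizers: Rails::Html::Sanitizer (Loofah/Nokogiri based). Individual sanitizers can be replaced through the writers above.` The Loofah/Nokogiri description is taken from this commit's upgrade-guide hunk; whether the legacy html-scanner behaviour remains reachable by adding `rails-deprecated_sanitizer` to the Gemfile is not shown here and should be confirmed before it is documented as an opt-out.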


@ -18,7 +18,7 @@ class SanitizeHelperTest < ActionView::TestCase
def test_should_sanitize_illegal_style_properties
raw = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
expected = %(display: block; width: 100%; height: 100%; background-color: black; background-image: ; background-x: center; background-y: center;)
expected = %(display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;)
assert_equal expected, sanitize_css(raw)
end
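Review bot: The updated expectation pins the exact serialised form of the new backend's output (property order, `: ` spacing, dropped `background-image`), so this test will fail on any cosmetic change in how the sanitizer prints CSS rather than only on a sanitization regression. An explicit negative assertion states the security property directly and survives formatting changes: `assert_no_match(/url\(|position|z-index|left|top/, sanitize_css(raw))`. The only URL injected here is a plain `http://` image; `javascript:` and `expression(...)` values are the inputs that matter for XSS, and if they are not covered by other cases in this file (not visible in the hunk) they deserve a case of their own.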


@ -167,7 +167,8 @@ config.log_level = :info
### HTML Sanitizer
The HTML sanitizer has been replaced with a new, more robust, implementation
built upon Loofah and Nokogiri. The new sanitizer is (TODO: betterer).
built upon Loofah and Nokogiri. The new sanitizer is more secure and its
sanitization is more powerful and flexible.
With a new sanitization algorithm, the sanitized output will change for certain
pathological inputs.


@ -1,41 +0,0 @@
# -*- coding: utf-8 -*-
require 'isolation/abstract_unit'
require 'rack/test'
require 'active_support/json'
module ApplicationTests
class DefaultStackTest < ActiveSupport::TestCase
include ActiveSupport::Testing::Isolation
include Rack::Test::Methods
def setup
build_app(initializers: true)
boot_rails
end
def teardown
teardown_app
end
test "the sanitizer helper" do
controller :foo, <<-RUBY
class FooController < ApplicationController
def index
render text: self.class.helpers.class.sanitizer_vendor
end
end
RUBY
app_file 'config/routes.rb', <<-RUBY
Rails.application.routes.draw do
get ':controller(/:action)'
end
RUBY
require "#{app_path}/config/environment"
get "/foo"
assert_equal 'Rails::Html::Sanitizer', last_response.body.strip
end
end
end