mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Handle leading spaces in protocol while sanitizing
This commit is contained in:
parent
838d30f182
commit
e7e4deec11
2 changed files with 9 additions and 2 deletions
|
@ -171,7 +171,7 @@ module HTML
|
|||
|
||||
def contains_bad_protocols?(attr_name, value)
|
||||
uri_attributes.include?(attr_name) &&
|
||||
(value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
|
||||
(value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -138,7 +138,7 @@ class SanitizerTest < ActionController::TestCase
|
|||
assert sanitizer.send(:contains_bad_protocols?, 'src', "#{proto}://bad")
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
def test_should_accept_good_protocols_ignoring_case
|
||||
sanitizer = HTML::WhiteListSanitizer.new
|
||||
HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
|
||||
|
@ -146,6 +146,13 @@ class SanitizerTest < ActionController::TestCase
|
|||
end
|
||||
end
|
||||
|
||||
def test_should_accept_good_protocols_ignoring_space
|
||||
sanitizer = HTML::WhiteListSanitizer.new
|
||||
HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
|
||||
assert !sanitizer.send(:contains_bad_protocols?, 'src', " #{proto}://good")
|
||||
end
|
||||
end
|
||||
|
||||
def test_should_accept_good_protocols
|
||||
sanitizer = HTML::WhiteListSanitizer.new
|
||||
HTML::WhiteListSanitizer.allowed_protocols.each do |proto|
|
||||
|
|
Loading…
Reference in a new issue