Ticket #5616: text_helper_strict_sanitize_patch.diff
| File text_helper_strict_sanitize_patch.diff, 2.7 kB (added by kamens@gmail.com, 2 years ago) |
|---|
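--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -194,6 +194,18 @@
     result = sanitize(raw)
     assert_equal %{href="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result
   end
+
+  def test_sanitize_javascript_href_newlines
+    raw = %{href="j\nava\nscript:bang" <a href="j\nava\nscrip\nt:bang" name="hello">foo</a>, <span href="jav\nascript:bang">bar</span>}
+    result = sanitize(raw)
+    assert_equal %{href="j\nava\nscript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result
+  end
+
+  def test_sanitize_javascript_style_newlines
+    raw = %{style="javascript:bang" <a style='background:url("javascr\ni\npt:bang")' name="hello">foo</a>, <span style="background:url('jav\nascript:bang')">bar</span>}
+    result = sanitize(raw)
+    assert_equal %{style="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result
+  end
 
   def test_cycle_class
     value = Cycle.new("one", 2, "3")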
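Review bot: Both new tests exercise only `\n` as the separator inside `javascript:`, while the pattern they cover accepts any non-word character, so one more input mixing tab and CRLF (`href="java\tscr\r\nipt:bang"`) would pin the broader behaviour and guard against a later tightening of the regex. A negative case is also missing: an href such as `href="http://example.com/javascript:"` is not matched by the anchored href rule and should survive, and asserting that would document that the href check is anchored while the style check is not. `test_sanitize_javascript_style_newlines` ends at new line 208; the enclosing test class continues outside this section.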
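--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -174,7 +174,8 @@
     # Sanitizes the given HTML by making form and script tags into regular
     # text, and removing all "onxxx" attributes (so that arbitrary Javascript
     # cannot be executed). Also removes href attributes that start with
-    # "javascript:".
+    # "javascript:" and style attributes that contain "javascript:"
+    # (since IE6 has been known to execute javascript: within inline styles).
     #
     # Returns the sanitized text.
     def sanitize(html)
@@ -192,9 +193,15 @@
           else
             if node.closing != :close
               node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
-              if node.attributes["href"] =~ /^javascript:/i
+              # Do not allow any href attribute w/ "javascript:"
+              # Even if there are newlines somewhere in the "javascript:" string, IE6 will execute
+              if node.attributes["href"] =~ /^j[\W]*a[\W]*v[\W]*a[\W]*s[\W]*c[\W]*r[\W]*i[\W]*p[\W]*t[\W]*:/i
                 node.attributes.delete "href"
               end
+              # Remove any style attributes containing "javascript:"
+              if node.attributes["style"] =~ /j[\W]*a[\W]*v[\W]*a[\W]*s[\W]*c[\W]*r[\W]*i[\W]*p[\W]*t[\W]*:/i
+                node.attributes.delete "style"
+              end
             end
             node.to_s
           end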
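Review bot: The new href pattern at new line 198 still anchors on `^j`, so a value with leading whitespace or control characters (`href=" javascript:bang"`, `href="\tjavascript:bang"`) is not caught, and browsers are known to strip such leading characters before resolving the scheme; allowing them with `/^\W*j\W*a\W*v\W*a\W*s\W*c\W*r\W*i\W*p\W*t\W*:/i` closes that gap at no cost, assuming the tokenizer hands over the raw attribute value (not visible here). The same letter sequence is written out twice (href at 198, style at 202), so lifting it into a frozen constant next to `VERBOTEN_ATTRS` and composing both checks from it keeps the two from drifting apart; `[\W]*` is also just `\W*`. The style check deserves a comment stating that this is a blacklist: if attribute values are not entity-decoded before this point, forms such as `&#106;avascript:` pass, and inline-style vectors other than `javascript:` (for instance IE's `expression(`) are not covered at all. `sanitize` begins before the second hunk and the node loop continues after it.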