Ticket #8222: sanitize_ie_for_edge_cases.diff

File sanitize_ie_for_edge_cases.diff, 2.4 kB (added by wycats, 1 year ago)

actionpack/test/template/text_helper_test.rb

old	new
279	279	assert_equal %{src="javascript:bang" <img width="5">foo</img>, <span>bar</span>}, result
280	280	end
281	281
	282	def test_sanitize_behavior
	283	raw = %{style="behavior: url(foo.htc)" <div style="behavior: url(foo.htc)">foo</div>}
	284	result = sanitize(raw)
	285	assert_equal %{style="behavior: url(foo.htc)" <div>foo</div>}, result
	286	raw = %{style="_beHaVior : url ( foo.htc)" <div style="_beHaVior : url ( foo.htc)">foo</div>}
	287	result = sanitize(raw)
	288	assert_equal %{style="_beHaVior : url ( foo.htc)" <div>foo</div>}, result
	289	end
	290
	291	def test_sanitize_expression
	292	raw = %{style="expression(evilJS)" <div style="width: expression(evilJS)">foo</div>}
	293	result = sanitize(raw)
	294	assert_equal %{style="expression(evilJS)" <div>foo</div>}, result
	295	raw = %{style="_eXpressiOn ( evilJS)" <div style="width: _eXpressiOn ( evilJS)">foo</div>}
	296	result = sanitize(raw)
	297	assert_equal %{style="_eXpressiOn ( evilJS)" <div>foo</div>}, result
	298	end
	299
282	300	def test_cycle_class
283	301	value = Cycle.new("one", 2, "3")
284	302	assert_equal("one", value.to_s)

old	new
202	202
203	203	VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS)
204	204	VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS)
	205	VERBOTEN_STYLE = /(expression\|behavior)/i unless defined?(VERBOTEN_STYLE)
205	206
206	207	# Sanitizes the +html+ by converting <form> and <script> tags into regular
207	208	# text, and removing all "onxxx" attributes (so that arbitrary Javascript
…	…
228	229	else
229	230	if node.closing != :close
230	231	node.attributes.delete_if { \|attr,v\| attr =~ VERBOTEN_ATTRS }
	232	node.attributes.delete_if { \|attr,v\| attr == "style" && v =~ VERBOTEN_STYLE }
231	233	%w(href src).each do \|attr\|
232	234	node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i
233	235	end