Ticket #8877: secure_text_helpers.diff
| File secure_text_helpers.diff, 3.1 kB (added by lifofifo, 1 year ago) |
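--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -47,7 +47,13 @@
 end
 
 def test_strip_links
+assert_equal "Dont touch me", strip_links("Dont touch me")
 assert_equal "on my mind\nall day long", strip_links("<a href='almost'>on my mind</a>\n<A href='almost'>all day long</A>")
+assert_equal "0wn3d", strip_links("<a href='http://www.rubyonrails.com/'><a href='http://www.rubyonrails.com/' onlclick='steal()'>0wn3d</a></a>")
+assert_equal "Magic", strip_links("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
+assert_equal "FrrFox", strip_links("<href onlclick='steal()'>FrrFox</a></href>")
+assert_equal "My mind\nall <b>day</b> long", strip_links("<a href='almost'>My mind</a>\n<A href='almost'>all <b>day</b> long</A>")
+assert_equal "all <b>day</b> long", strip_links("<<a>a href='hello'>all <b>day</b> long<</A>/a>")
 end
 
 def test_highlighter
@@ -363,7 +369,9 @@
 end
 
 def test_strip_tags
+assert_equal("Dont touch me", strip_tags("Dont touch me"))
 assert_equal("This is a test.", strip_tags("<p>This <u>is<u> a <a href='test.html'><strong>test</strong></a>.</p>"))
+assert_equal("Weirdos", strip_tags("Wei<<a>a onclick='alert(document.cookie);'</a>/>rdos"))
 assert_equal("This is a test.", strip_tags("This is a test."))
 assert_equal(
 %{This is a test.\n\n\nIt no longer contains any HTML.\n}, strip_tags(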
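Review bot: None of the added assertions in test_strip_links cover an input where the new `<a` prefilter in strip_links matches but no anchor is present, nor an input whose only anchors are uppercase; both are exactly the cases that separate the new tokenizer path from the `/mi` regex it replaces, and the uppercase `<A>` in the existing assertion only gets exercised because it sits next to a lowercase `<a>`. I would add `assert_equal "<abbr>x</abbr>", strip_links("<abbr>x</abbr>")` and `assert_equal "Gone", strip_links("<A HREF='http://x/'>Gone</A>")`, and since the new strip_tags recursion is driven by comment removal, a case such as `assert_equal "x", strip_tags("<!-- <b> -->x")` in test_strip_tags. The assert_equal call at the end of the second hunk continues past the hunk.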
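--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -322,8 +322,19 @@
 #
 # strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
 # # => Blog: Visit
-def strip_links(text)
-text.gsub(/<a\b.*?>(.*?)<\/a>/mi, '\1')
+def strip_links(html)
+# Stupid firefox treats '<href="http://whatever.com" onClick="alert()">something' as link!
+if html.index("<a") || html.index("<href")
+tokenizer = HTML::Tokenizer.new(html)
+result = ''
+while token = tokenizer.next
+node = HTML::Node.parse(nil, 0, 0, token, false)
+result << node.to_s unless node.is_a?(HTML::Tag) && ["a", "href"].include?(node.name)
+end
+strip_links(result) # Recurse - handle all dirty nested links
+else
+html
+end
 end
 
 VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS)
@@ -405,7 +416,7 @@
 end
 # strip any comments, and if they have a newline at the end (ie. line with
 # only a comment) strip that too
-text.gsub(/<!--(.*?)-->[\n]?/m, "")
+strip_tags(text.gsub(/<!--(.*?)-->[\n]?/m, "")) # Recurse - handle all dirty nested tags
 else
 html # already plain text
 end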
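Review bot: The recursion `strip_links(result)` at new line 334 has no progress check, so any input where the `<a`/`<href` prefilter on line 327 fires but no tag is dropped — `<abbr>`, `<address>`, or any stray `<a` the tokenizer does not turn into a tag — comes back unchanged and recurses until SystemStackError, which is a denial of service on user-supplied text. The prefilter is also case-sensitive (`html.index("<a")`) while the regex it replaces was `/mi`, so a string whose only anchors are `<A HREF=...>` skips the tokenizer entirely and is returned with the link intact; the new test only passes because its uppercase `<A>` sits beside a lowercase one. The new `strip_tags(...)` call at line 419 has the same unbounded-recursion shape if the method's enclosing guard (outside this hunk) accepts text the tokenizer leaves as-is, so the fixed-point check below should be mirrored there; strip_tags's body lies mostly outside the hunk. Whether `HTML::Tag#name` is already lowercased is not visible here, so the `%w(a href)` comparison may also need a `downcase`.

```ruby
def strip_links(html)
  return html unless html =~ /<(?:a|href)\b/i   # case-insensitive, like the old /mi regex
  tokenizer = HTML::Tokenizer.new(html)
  result = ''
  # … unchanged: tokenizer loop that appends every node except a/href HTML::Tag nodes …
  return result if result == html   # nothing stripped this pass: stop, don't recurse forever
  strip_links(result)               # recurse only while progress is being made
end
```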