Navigation

Changeset 4911

Timestamp:

09/03/06 00:02:14 (2 years ago)

Author:

rick

Message:

Update sanitize text helper to strip plaintext tags, and <img src=javascript:bang>. [Rick Olson]

Files:

r4908	r4911
1	1	SVN
	2
	3	* Update sanitize text helper to strip plaintext tags, and <img src="javascript:bang">. [Rick Olson]
2	4
3	5	* Update routing documentation. Closes #6017 [Nathan Witmer]

r4896	r4911
169	169	end
170	170
171		VERBOTEN_TAGS = %w(form script) unless defined?(VERBOTEN_TAGS)
	171	VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS)
172	172	VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS)
173	173
…	…
193	193	if node.closing != :close
194	194	node.attributes.delete_if { \|attr,v\| attr =~ VERBOTEN_ATTRS }
195		~~if node.attributes["href"] =~ /^javascript:/i~~
196		node.attributes.delete ~~"href"~~
	195	%w(href src).each do \|attr\|
	196	node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i
197	197	end
198	198	end

r4896	r4911
196	196	end
197	197
	198	def test_sanitize_plaintext
	199	raw = "<plaintext><span>foo</span></plaintext>"
	200	result = sanitize(raw)
	201	assert_equal "<plaintext><span>foo</span></plaintext>", result
	202	end
	203
198	204	def test_sanitize_script
199	205	raw = "<script language=\"Javascript\">blah blah blah</script>"
…	…
212	218	result = sanitize(raw)
213	219	assert_equal %{href="javascript:bang" <a name='hello'>foo</a>, <span>bar</span>}, result
	220	end
	221
	222	def test_sanitize_image_src
	223	raw = %{src="javascript:bang" <img src="javascript:bang" width="5">foo</img>, <span src="javascript:bang">bar</span>}
	224	result = sanitize(raw)
	225	assert_equal %{src="javascript:bang" <img width='5'>foo</img>, <span>bar</span>}, result
214	226	end
215	227