More XSS fixes.
Started fixing file uploads.
This commit is contained in:
parent
59adca44cc
commit
0aafedb2df
2 changed files with 21 additions and 10 deletions
@ -7,20 +7,18 @@
|
|||
|
||||
<%= form_tag({ :controller => 'file', :web => @web_name, :action => 'file' },
|
||||
{ 'multipart' => true , 'accept-charset' => 'utf-8' }) %>
|
||||
<%= hidden_field 'file', 'file_name' %>
|
||||
<div class="inputFieldWithPrompt">
|
||||
<b>Content of <%= h @file_name %> to upload <small>(required)</small>:</b>
|
||||
<br/>
|
||||
<input type="file" name="file[content]" size="40" />
|
||||
<br/>
|
||||
<small>
|
||||
Please note that the file you are uploadng will be named <%= h @file_name %> on the wiki -
|
||||
<%= hidden_field 'file', 'file_name' %>
|
||||
<label for="file_content"><b>Content of <%= h @file_name %> to upload</b> (required):</label>
|
||||
<br />
|
||||
<input type="file" id="file_content" name="file[content]" size="40" />
|
||||
<br />
|
||||
Please note that the file you are uploading will be named <%= h @file_name %> on the wiki -
|
||||
regardless of how it is named on your computer. To change the wiki name of the file, please go
|
||||
<%= link_to :back %> and edit the wiki page that refers to the file.
|
||||
</small>
|
||||
</div>
|
||||
<div class="inputFieldWithPrompt">
|
||||
<b>Description <small>(optional)</small>:</b>
|
||||
<label for="file_description"><b>Description</b> (optional):</label>
|
||||
<br/>
|
||||
<%= text_field "file", "description", "size" => 40 %>
|
||||
</div>
|
||||
|
@ -30,4 +28,4 @@
|
|||
:onfocus => "this.value == 'AnonymousCoward' ? this.value = '' : true;",
|
||||
:onblur => "this.value == '' ? this.value = 'AnonymousCoward' : true" %>
|
||||
</div>
|
||||
<%= end_form_tag %>
|
||||
<%= end_form_tag %>
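Review bot: The wiki-side name of the upload comes from the hidden `file[file_name]` field added at L45, which any client can rewrite, so escaping `@file_name` with `h` on the new label and notice lines fixes the display XSS but does nothing for the value itself; the controller action this form posts to (`file#file`, not in this diff) has to validate `params[:file][:file_name]` against an allow-list of characters and reject `..`, `/`, `\` and NUL before using it as a storage or URL path. Assuming the stored file is later served from the wiki's own origin, an uploaded `.html` or `.svg` body named this way is stored XSS regardless of how the form is rendered, so the same handler should also constrain the content type or extension of `file[content]`, or serve uploads with `Content-Disposition: attachment`. Worth a one-line note next to the hidden field so the next reader does not mistake it for a trusted value, e.g. `<%# file_name is client-editable: the controller must validate it before use %>`.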
|
||||
@ -23,8 +23,13 @@ module Engines
|
|||
|
||||
end
|
||||
|
||||
MY_VERBOTEN_TAGS = %w(form script plaintext object embed applet iframe frameset frame link meta body style html)
|
||||
MY_VERBOTEN_ATTRS = /^on/i
|
||||
|
||||
class Textile < AbstractEngine
|
||||
require_dependency 'action_view/helpers/text_helper'
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
|
||||
include ActionView::Helpers::TextHelper
|
||||
def mask
|
||||
require_dependency 'redcloth'
|
||||
|
@ -38,6 +43,8 @@ module Engines
|
|||
|
||||
class Markdown < AbstractEngine
|
||||
require_dependency 'action_view/helpers/text_helper'
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
|
||||
include ActionView::Helpers::TextHelper
|
||||
def mask
|
||||
require_dependency 'maruku'
|
||||
|
@ -49,6 +56,8 @@ module Engines
|
|||
|
||||
class MarkdownMML < AbstractEngine
|
||||
require_dependency 'action_view/helpers/text_helper'
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
|
||||
include ActionView::Helpers::TextHelper
|
||||
def mask
|
||||
require_dependency 'maruku'
|
||||
|
@ -61,6 +70,8 @@ module Engines
|
|||
|
||||
class Mixed < AbstractEngine
|
||||
require_dependency 'action_view/helpers/text_helper'
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
|
||||
include ActionView::Helpers::TextHelper
|
||||
def mask
|
||||
require_dependency 'redcloth'
|
||||
|
@ -74,6 +85,8 @@ module Engines
|
|||
|
||||
class RDoc < AbstractEngine
|
||||
require_dependency 'action_view/helpers/text_helper'
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
|
||||
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
|
||||
include ActionView::Helpers::TextHelper
|
||||
def mask
|
||||
require_dependency 'rdocsupport'
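Review bot: The expanded deny-list at L125 still lets `javascript:`/`data:` URLs in `href` and `src`, and inline `style` attributes, through unchanged, because `MY_VERBOTEN_ATTRS = /^on/i` at L128 only matches event-handler attribute names; if this is the Rails 1.x `sanitize` (which, as far as I recall, only neutralises tags in VERBOTEN_TAGS and strips attributes matching VERBOTEN_ATTRS), `<a href="javascript:...">` and `<img src=...>` survive in every engine. Tag deny-lists are also fragile (`base`, `svg`, `math` and `xml` are absent here); an attribute/URL-scheme allow-list is the usual fix, and until then a comment such as `# NOTE: deny-list only; href/src/style values are NOT filtered` above MY_VERBOTEN_TAGS would keep the gap visible. Separately, the two `ActionView::Helpers::TextHelper::VERBOTEN_* = MY_VERBOTEN_*` lines are repeated in all five engine classes; each repeat reassigns a constant on a framework module (a process-wide monkey patch that Ruby accepts with an "already initialized constant" warning, last writer wins), so assigning them once at module level right after L128 — `ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS` and `ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS`, preceded by the `require_dependency 'action_view/helpers/text_helper'` line — removes ten lines and the warnings; `MY_VERBOTEN_TAGS` should also be `.freeze`d so nothing can append to it at runtime. The `mask` methods and the enclosing `module Engines` continue outside the hunks.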
|
||||