More XSS fixes.

Started fixing file uploads.

app/views/file/file.rhtml

@@ -7,20 +7,18 @@
 
 <%= form_tag({ :controller => 'file', :web => @web_name, :action => 'file' }, 
         { 'multipart' => true , 'accept-charset' => 'utf-8' }) %>
-  <%= hidden_field 'file', 'file_name' %>
   <div class="inputFieldWithPrompt">
-    <b>Content of <%= h @file_name %> to upload <small>(required)</small>:</b>
-    <br/>
-    <input type="file" name="file[content]" size="40" />
-    <br/>
-    <small>
-    Please note that the file you are uploadng will be named <%= h @file_name %> on the wiki - 
+    <%= hidden_field 'file', 'file_name' %>
+    <label for="file_content"><b>Content of <%= h @file_name %> to upload</b> (required):</label>
+    <br />
+    <input type="file" id="file_content" name="file[content]" size="40" />
+    <br />
+    Please note that the file you are uploading will be named <%= h @file_name %> on the wiki - 
     regardless of how it is named on your computer. To change the wiki name of the file, please go 
     <%= link_to :back %> and edit the wiki page that refers to the file.
-    </small>
   </div>
   <div class="inputFieldWithPrompt">
-    <b>Description <small>(optional)</small>:</b>
+    <label for="file_description"><b>Description</b> (optional):</label>
     <br/>
     <%= text_field "file", "description", "size" => 40 %>
   </div>
@@ -30,4 +28,4 @@
             :onfocus => "this.value == 'AnonymousCoward' ? this.value = '' : true;",
             :onblur  => "this.value == '' ? this.value = 'AnonymousCoward' : true" %>
   </div>
-<%= end_form_tag %>
+<%= end_form_tag %>

lib/chunks/engines.rb

@@ -23,8 +23,13 @@ module Engines
 
   end
 
+  MY_VERBOTEN_TAGS = %w(form script plaintext object embed applet iframe frameset frame link meta body style html) 
+  MY_VERBOTEN_ATTRS = /^on/i
+
   class Textile < AbstractEngine
     require_dependency 'action_view/helpers/text_helper'
+    ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
+    ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
     include ActionView::Helpers::TextHelper
     def mask
       require_dependency 'redcloth'
@@ -38,6 +43,8 @@ module Engines
 
   class Markdown < AbstractEngine
     require_dependency 'action_view/helpers/text_helper'
+    ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
+    ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
     include ActionView::Helpers::TextHelper
     def mask
       require_dependency 'maruku'
@@ -49,6 +56,8 @@ module Engines
 
   class MarkdownMML < AbstractEngine
     require_dependency 'action_view/helpers/text_helper'
+    ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
+    ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
     include ActionView::Helpers::TextHelper
     def mask
       require_dependency 'maruku'
@@ -61,6 +70,8 @@ module Engines
 
   class Mixed < AbstractEngine
     require_dependency 'action_view/helpers/text_helper'
+    ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
+    ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
     include ActionView::Helpers::TextHelper
     def mask
       require_dependency 'redcloth'
@@ -74,6 +85,8 @@ module Engines
 
   class RDoc < AbstractEngine
     require_dependency 'action_view/helpers/text_helper'
+    ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
+    ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
     include ActionView::Helpers::TextHelper
     def mask
       require_dependency 'rdocsupport'