More XSS fixes.

Started fixing file uploads.
This commit is contained in:
Jacques Distler 2007-02-21 12:10:47 -06:00
parent 59adca44cc
commit 0aafedb2df
2 changed files with 21 additions and 10 deletions


@ -7,20 +7,18 @@
<%= form_tag({ :controller => 'file', :web => @web_name, :action => 'file' }, <%= form_tag({ :controller => 'file', :web => @web_name, :action => 'file' },
{ 'multipart' => true , 'accept-charset' => 'utf-8' }) %> { 'multipart' => true , 'accept-charset' => 'utf-8' }) %>
<%= hidden_field 'file', 'file_name' %>
<div class="inputFieldWithPrompt"> <div class="inputFieldWithPrompt">
<b>Content of <%= h @file_name %> to upload <small>(required)</small>:</b> <%= hidden_field 'file', 'file_name' %>
<label for="file_content"><b>Content of <%= h @file_name %> to upload</b> (required):</label>
<br /> <br />
<input type="file" name="file[content]" size="40" /> <input type="file" id="file_content" name="file[content]" size="40" />
<br /> <br />
<small> Please note that the file you are uploading will be named <%= h @file_name %> on the wiki -
Please note that the file you are uploadng will be named <%= h @file_name %> on the wiki -
regardless of how it is named on your computer. To change the wiki name of the file, please go regardless of how it is named on your computer. To change the wiki name of the file, please go
<%= link_to :back %> and edit the wiki page that refers to the file. <%= link_to :back %> and edit the wiki page that refers to the file.
</small>
</div> </div>
<div class="inputFieldWithPrompt"> <div class="inputFieldWithPrompt">
<b>Description <small>(optional)</small>:</b> <label for="file_description"><b>Description</b> (optional):</label>
<br/> <br/>
<%= text_field "file", "description", "size" => 40 %> <%= text_field "file", "description", "size" => 40 %>
</div> </div>
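Review bot: The wiki-side name of the upload reaches the server only through `hidden_field 'file', 'file_name'`, now placed inside the first `inputFieldWithPrompt` div, and a hidden field is as client-editable as any visible input, so the `file` action of the `file` controller (outside this diff) must validate `params[:file][:file_name]` rather than trust it — at minimum take `File.basename` of the value and reject anything containing path separators or `..` before it touches the filesystem; that is something to confirm on the controller side. The `h @file_name` calls in the label and in the explanatory text are escaped, so the hidden field is the remaining untrusted path in this template. A template comment next to the field would make that contract explicit: `<%# file_name is client-supplied; the receiving action must sanitize it before use %>`.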


@ -23,8 +23,13 @@ module Engines
end end
MY_VERBOTEN_TAGS = %w(form script plaintext object embed applet iframe frameset frame link meta body style html)
MY_VERBOTEN_ATTRS = /^on/i
class Textile < AbstractEngine class Textile < AbstractEngine
require_dependency 'action_view/helpers/text_helper' require_dependency 'action_view/helpers/text_helper'
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
include ActionView::Helpers::TextHelper include ActionView::Helpers::TextHelper
def mask def mask
require_dependency 'redcloth' require_dependency 'redcloth'
@ -38,6 +43,8 @@ module Engines
class Markdown < AbstractEngine class Markdown < AbstractEngine
require_dependency 'action_view/helpers/text_helper' require_dependency 'action_view/helpers/text_helper'
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
include ActionView::Helpers::TextHelper include ActionView::Helpers::TextHelper
def mask def mask
require_dependency 'maruku' require_dependency 'maruku'
@ -49,6 +56,8 @@ module Engines
class MarkdownMML < AbstractEngine class MarkdownMML < AbstractEngine
require_dependency 'action_view/helpers/text_helper' require_dependency 'action_view/helpers/text_helper'
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
include ActionView::Helpers::TextHelper include ActionView::Helpers::TextHelper
def mask def mask
require_dependency 'maruku' require_dependency 'maruku'
@ -61,6 +70,8 @@ module Engines
class Mixed < AbstractEngine class Mixed < AbstractEngine
require_dependency 'action_view/helpers/text_helper' require_dependency 'action_view/helpers/text_helper'
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
include ActionView::Helpers::TextHelper include ActionView::Helpers::TextHelper
def mask def mask
require_dependency 'redcloth' require_dependency 'redcloth'
@ -74,6 +85,8 @@ module Engines
class RDoc < AbstractEngine class RDoc < AbstractEngine
require_dependency 'action_view/helpers/text_helper' require_dependency 'action_view/helpers/text_helper'
ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = MY_VERBOTEN_ATTRS
include ActionView::Helpers::TextHelper include ActionView::Helpers::TextHelper
def mask def mask
require_dependency 'rdocsupport' require_dependency 'rdocsupport'
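Review bot: `ActionView::Helpers::TextHelper::VERBOTEN_TAGS = MY_VERBOTEN_TAGS` and the matching `VERBOTEN_ATTRS` line are repeated in every engine class body in this file — Textile, Markdown, MarkdownMML, Mixed and RDoc — so after the first class loads each later assignment reassigns an already-initialized constant (Ruby warns on this) and, more importantly, the override is a process-wide change to `TextHelper` that every caller of `sanitize` in the application inherits, not something scoped to these engines. Doing the two assignments once at the `Engines` module level, directly after a single `require_dependency 'action_view/helpers/text_helper'`, removes the repetition and makes the global effect visible in one place. `MY_VERBOTEN_ATTRS = /^on/i` should anchor with `\A` rather than `^`, which matches at any line start. Since this is a tag/attribute blocklist, it stops event-handler attributes and the listed tags but leaves `href`/`src` values and `style` attributes unfiltered, which deserves a comment at the constants so nobody reads it as a complete sanitizer: `# Blocklist handed to TextHelper#sanitize; URL-scheme and style-based vectors are not covered here`.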