Security: Sanitize <nowiki>

Another XSS hole: the contents of <nowiki>...</nowiki> were not being sanitized.
Jacques Distler 2007-09-10 22:35:50 -05:00
parent 9035c98dc5
commit 119ab342dc


@ -13,6 +13,10 @@ require 'chunks/chunk'
# #
# Author: Mark Reid <mark at threewordslong dot com> # Author: Mark Reid <mark at threewordslong dot com>
# Created: 8th June 2004 # Created: 8th June 2004
require 'sanitize'
include Sanitize
class NoWiki < Chunk::Abstract class NoWiki < Chunk::Abstract
NOWIKI_PATTERN = Regexp.new('<nowiki>(.*?)</nowiki>', Regexp::MULTILINE) NOWIKI_PATTERN = Regexp.new('<nowiki>(.*?)</nowiki>', Regexp::MULTILINE)
@ -22,7 +26,7 @@ class NoWiki < Chunk::Abstract
def initialize(match_data, content) def initialize(match_data, content)
super super
@plain_text = @unmask_text = match_data[1] @plain_text = @unmask_text = sanitize_xhtml(match_data[1])
end end
end end
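Review bot: `include Sanitize` at file scope in the first hunk mixes the module into Object, so `sanitize_xhtml` and every other Sanitize method become callable on every object in the process rather than only inside NoWiki, and any same-named method elsewhere is silently shadowed. The safer form keeps `require 'sanitize'` at file scope and moves the include into the class: `class NoWiki < Chunk::Abstract` followed by `  include Sanitize` as its first line. In the second hunk, `@plain_text` and `@unmask_text` both now receive the sanitized output; if `@plain_text` is meant to be the raw text for non-HTML uses (the name suggests so, but that is not visible here), sanitizing it may alter its content, so a short comment stating the intent would help, e.g. `# nowiki content is user-supplied: sanitize before storing either view`.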