Fix XSS vulnerabilities in chunk-handling

2007-09-23 19:30:39 +00:00 · 2007-09-23 19:30:39 +00:00 · a3d3f1c536
commit a3d3f1c536
parent 36b86a9d41
6 changed files with 55 additions and 3 deletions
--- a/lib/chunks/nowiki.rb
+++ b/lib/chunks/nowiki.rb
@ -13,6 +13,10 @@ require 'chunks/chunk'
 #
 # Author: Mark Reid <mark at threewordslong dot com>
 # Created: 8th June 2004
+
+require 'sanitize'
+include Sanitize
+
 class NoWiki < Chunk::Abstract

  NOWIKI_PATTERN = Regexp.new('<nowiki>(.*?)</nowiki>', Regexp::MULTILINE)
@ -22,7 +26,7 @@ class NoWiki < Chunk::Abstract

  def initialize(match_data, content)
    super
-    @plain_text = @unmask_text = match_data[1]
+    @plain_text = @unmask_text = sanitize_html(match_data[1])
  end

 end