Whoops!
In some circumstances, the new Sanitizer was double-escaping text nodes. Fixed (with unit test).
This commit is contained in:
parent
45405fc97e
commit
f6508de6dd
4 changed files with 20 additions and 9 deletions
|
@ -149,7 +149,7 @@ module Sanitizer
|
|||
end
|
||||
node.attributes.each do |attr,val|
|
||||
if String === val
|
||||
node.attributes[attr] = CGI.escapeHTML(CGI.unescapeHTML(val))
|
||||
node.attributes[attr] = val.unescapeHTML.escapeHTML
|
||||
else
|
||||
node.attributes.delete attr
|
||||
end
|
||||
|
|
|
@ -2214,7 +2214,9 @@ class String
|
|||
def escapeHTML
|
||||
self.gsub( /&/, "&" ).
|
||||
gsub( /</, "<" ).
|
||||
gsub( />/, ">" )
|
||||
gsub( />/, ">" ).
|
||||
gsub(/'/, "'" ).
|
||||
gsub(/"/, """ )
|
||||
end
|
||||
|
||||
def unescapeHTML
|
||||
|
@ -2224,6 +2226,8 @@ class String
|
|||
when /\Aamp\z/ni then '&'
|
||||
when /\Agt\z/ni then '>'
|
||||
when /\Alt\z/ni then '<'
|
||||
when /\Aquot\z/ni then '"'
|
||||
when /\Aapos\z/ni then "'"
|
||||
when /\A#0*(\d+)\z/n then
|
||||
if Integer($1) < 256
|
||||
Integer($1).chr
|
||||
|
|
|
@ -3,14 +3,14 @@
|
|||
"name": "IE_Comments",
|
||||
"input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->",
|
||||
"output": "",
|
||||
"xhtml": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->"
|
||||
"xhtml": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->"
|
||||
},
|
||||
|
||||
{
|
||||
"name": "IE_Comments_2",
|
||||
"input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
|
||||
"output": "<script>alert('XSS');</script>",
|
||||
"xhtml": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
|
||||
"xhtml": "<![if !IE 5]><script>alert('XSS');</script><![endif]>",
|
||||
"rexml": "Ill-formed XHTML!"
|
||||
},
|
||||
|
||||
|
@ -359,7 +359,7 @@
|
|||
"name": "should_sanitize_script_tag_with_multiple_open_brackets",
|
||||
"input": "<<script>alert(\"XSS\");//<</script>",
|
||||
"output": "<<script>alert(\"XSS\");//<</script>",
|
||||
"xhtml": "<<script>alert(\"XSS\");//<</script>",
|
||||
"xhtml": "<<script>alert("XSS");//<</script>",
|
||||
"rexml": "Ill-formed XHTML!"
|
||||
},
|
||||
|
||||
|
@ -375,7 +375,7 @@
|
|||
"name": "should_sanitize_tag_broken_up_by_null",
|
||||
"input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>",
|
||||
"output": "<scr\ufffdipt>alert(\"XSS\")</scr\ufffdipt>",
|
||||
"xhtml": "<scr>alert(\"XSS\")</scr>",
|
||||
"xhtml": "<scr>alert("XSS")</scr>",
|
||||
"rexml": "Ill-formed XHTML!"
|
||||
},
|
||||
|
||||
|
|
|
@ -101,6 +101,13 @@ class PageRendererTest < Test::Unit::TestCase
|
|||
%{<p>This is a code block:</p>\n\n<pre><code>def a_method(arg)\n} +
|
||||
%{return ThatWay</code></pre>\n\n<p>Nice!</p>},
|
||||
code_block)
|
||||
|
||||
assert_markup_parsed_as(%{<p>You then needed to edit (or create) a user.js file in} +
|
||||
%{ your Mozilla profile, which read either (<span class='newWikiWord'>Mac OSX<a h} +
|
||||
%{ref='../show/MacOSX'>?</a></span>)</p>\n\n<pre><code> user_pref("font.mat} +
|
||||
%{hfont-family", "Math1,Math2,Math4,Symbol");</code></pre>},
|
||||
%{You then needed to edit (or create) a user.js file in your Mozilla profile, whic} +
|
||||
%{h read either (MacOSX)\n\n user_pref("font.mathfont-family", "Math1,Math2,Math4,Symbol");})
|
||||
|
||||
assert_markup_parsed_as(
|
||||
%{<p><math class='maruku-mathml' } +
|
||||
|
@ -299,7 +306,7 @@ class PageRendererTest < Test::Unit::TestCase
|
|||
|
||||
def test_sanitize_nowiki_tag
|
||||
assert_markup_parsed_as(
|
||||
'<p>[[test]]&<a href=\'a&b\'>shebang</a> <script>alert("xss!");</script> *foo*</p>',
|
||||
'<p>[[test]]&<a href=\'a&b\'>shebang</a> <script>alert("xss!");</script> *foo*</p>',
|
||||
'<nowiki>[[test]]&<a href="a&b">shebang</a> <script>alert("xss!");</script> *foo*</nowiki>')
|
||||
end
|
||||
|
||||
|
@ -349,7 +356,7 @@ class PageRendererTest < Test::Unit::TestCase
|
|||
|
||||
def test_difficult_wiki_words
|
||||
@revision.content = "[[It's just awesome GUI!]]"
|
||||
assert_equal "<p><span class='newWikiWord'>It's just awesome GUI!" +
|
||||
assert_equal "<p><span class='newWikiWord'>It's just awesome GUI!" +
|
||||
"<a href='../show/It%27s+just+awesome+GUI%21'>?</a></span></p>",
|
||||
test_renderer(@revision).display_content
|
||||
end
|
||||
|
@ -366,7 +373,7 @@ class PageRendererTest < Test::Unit::TestCase
|
|||
|
||||
def test_nowiki_sanitization
|
||||
assert_markup_parsed_as('<p>This sentence contains <span>a & b</span> ' +
|
||||
'<script>alert("XSS!");</script>. Do not touch!</p>',
|
||||
'<script>alert("XSS!");</script>. Do not touch!</p>',
|
||||
'This sentence contains <nowiki><span>a & b</span> <script>alert("XSS!");' +
|
||||
'</script></nowiki>. Do not touch!')
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue