I installed the rails_xss plugin, for
the main purpose of seeing what will
break with Rails 3.0 (where the behaviour
of the plugin is the default). I think
I've fixed everything, but let me know if you
see stuff that is HTML-escaped, which
shouldn't be.
As a side benefit, we now use Erubis,
rather than ERB, to render templates.
They tell me it's faster ...
Sanitizer should recognize HTML elements
and attributes.
New Allowed Elements:
article aside audio canvas command details
dialog figcaption figure footer header
hgroup mark meter nav progress rp rt ruby
section source summary time video war
(OK, audio and video were already there)
New Allowed Attributes:
autocomplete contenteditable contextmenu
draggable formaction icon low max min
open optimum pattern placeholder preload
pubdate required reversed spellcheck step
wrap
Attributes removed:
abbr charset loopcount loopend loopstart
noshade nowrap rev rules
Maruku supports @start and @reversed on
ordered lists. It doesn't seem to support
IALs on li elements, so you still can't
attach @value to an li.
This gets around a dreaded
in `load_missing_constant': Rack
is not missing constant Handler! (ArgumentError)
error in latest Ruby 1.9.2-dev. (Ruby
1.8.x doesn't seem to care.)
Since we can have several SVG-Edit graphics
on a page, SVG-Edit should assign unique IDs
to elements, and do so in a fashion that survives
re-editing.
To do this, we use a nonce, and record its value in
a custom se:nonce attribute on the <svg> element.
(Is there a better way?).
Also, preserve the custom se:connector attribute for
later editing purposes.
Fix http://bug.to/issues/show/335
and
http://bug.to/issues/show/334
We now bundle the uploaded files directory
(and the public/ directory for the (X)HTML
export) in the Zipball when exporting a Web.
Also, correct the Print View to produce proper links
uploaded files.
Completely removed the html5lib sanitizer.
Fixed the string-handling to work in both
Ruby 1.8.x and 1.9.2. There are still,
inexplicably, two functional tests that
fail. But the rest seems to work quite well.
Touch the tmp/restart.txt file, when
rotatingthe log files. Otherwise, multiple
workers may try to rotate the log files
at the same time, with sub-optimal results.
Also, an aesthetic tweak to the url_generator.
% rake upgrade_instiki
fixes some potential problems in the database column types.
Revision content can now be up to 16MB.
Under MySQL, the previous limit was 64KB.
Page names can now be up to 255 bytes.
Under MySQL, the previous limit was 60 bytes.
Additional CSS styles can now be up to 64KB.
Under MySQL, the previous limit was 255 bytes.
Thanks to Andrew Stacey for reporting these.
Apply the same methodology, as in Revision 432,
to the category chunk-handler. This completes
the replacement of all the code that looks like
if string.is_utf8?
do something
else
complain
end
with code that looks like
string.purify
do something
Previously, if the user tried to submit content which was
malformed utf-8, Instiki would complain loudly to him.
A slightly more user-friendly approach was suggested by
the latest Rails 2.3.4, and a conversation with Sam Ruby
(who suggested some improvements).
Now, instead of complaining, we remove the offending bytes,
leaving a well-formed utf-8 string, which we pretend is what
the user meant to submit.