Commit graph

137 commits

Author SHA1 Message Date
Jacques Distler a5e08f7bcc Rails_xss Plugin
I installed the rails_xss plugin, for
the main purpose of seeing what will
break with Rails 3.0 (where the behaviour
of the plugin is the default). I think
I've fixed everything, but let me know if you
see stuff that is HTML-escaped, which
shouldn't be.

As a side benefit, we now use Erubis,
rather than ERB, to render templates.
They tell me it's faster ...
2010-05-26 00:27:49 -05:00
Jacques Distler f0635301aa Update to Rails 2.3.8 2010-05-25 12:45:45 -05:00
Jacques Distler 8149c29324 More HTML5 Attribute support in Maruku 2010-05-22 15:21:06 -05:00
Jacques Distler 2781890832 Updated Sanitizer for HTML5
Sanitizer should recognize HTML elements
and attributes.

New Allowed Elements:

  article aside audio canvas command details
  dialog figcaption figure footer header
  hgroup mark meter nav progress rp rt ruby
  section source summary time video war 
       
(OK, audio and video were already there)

New Allowed Attributes:

  autocomplete contenteditable contextmenu
  draggable formaction icon low max min
  open optimum pattern placeholder preload
  pubdate required reversed  spellcheck step
  wrap

Attributes removed:

  abbr charset loopcount loopend loopstart
  noshade nowrap rev rules 


Maruku supports @start and @reversed on
ordered lists. It doesn't seem to support
IALs on li elements, so you still can't
attach @value to an li.
2010-05-22 14:34:08 -05:00
Jacques Distler 7b22daa784 Fix Revision 601
With tests, this time.
2010-02-28 23:51:33 -06:00
Jacques Distler 70aa50ad4b Make dnsbl_check respond more intelligently
Thanks to Toby Bartels for pointing out
the deficiencies of the previous version.
2010-02-28 19:23:37 -06:00
Jacques Distler 7b7d2e80dc More Array -> Set
Make the syntax colouring run faster.
2010-01-02 11:22:12 -06:00
Jacques Distler c212a53ad8 Updated License from Jason
Jason's fenced codeblock code is now
BSD Licensed.
2010-01-01 21:51:01 -06:00
Jacques Distler 9fe467ee36 Tweak SQLite Syntax Colouring 2010-01-01 20:18:10 -06:00
Jacques Distler f66fc4de4d Fenced Code Blocks, Fortran Syntax Colouring
Support Marhdown Extra's fenced code blocks. [From Jason Blevins]
Fortran syntax colouring. [From Jason Blevins]
Turn on Syntax colouring, by default.
Point to Michel Fortin's Markdown Extra page.
2009-12-31 15:54:01 -06:00
Jacques Distler a705709f9a Vendor Rack 1.1
Also clean up some View stuff.
2009-12-26 14:00:18 -06:00
Jacques Distler 77014652a3 Add Some Obsolete HTML Elements
Recognize some obsolete, but commonly-used,
HTML elements in the CSS syntax colourer.
2009-12-25 12:00:48 -06:00
Jacques Distler c1420153d8 Update CSS Syntax Colouring for HTML5
Update the list of elements to what you
would encounter in an HTML5 document.
2009-12-25 04:16:03 -06:00
Jacques Distler f06e6c004b Ruby 1.9 Compatibility of Vendored Syntax Library
The CSS language support of the syntax
colourer was broken under Ruby 1.9
2009-12-25 03:17:06 -06:00
Jacques Distler 3ab7327cea Whoops! Also Update Maruku
Support syntax-colouring for
lang=css
2009-12-24 12:25:44 -06:00
Jacques Distler af0f607e75 Syntax Colouring
New syntax colouring modes.
In addition to the existing
  html, xml, ruby
we now support
  yaml, ansic, javascript, sqlite, css
2009-12-24 00:45:45 -06:00
Jacques Distler 1d32d45944 Upgrade Vendored rubyzip to Version 0.9.3 2009-12-23 02:19:16 -06:00
Jacques Distler a71e64a172 Update Vendored sqlite3-ruby 2009-12-22 20:48:32 -06:00
Jacques Distler 76f388f3e2 Vendor Rack 1.0.1
Incorporate patch from Revision 496.
2009-12-18 20:16:58 -06:00
Jacques Distler f7044ecbb4 Ruby 1.9.1 Fixes
Some more fixes to deal with Ruby 1.9.1.
2009-12-02 12:46:15 -06:00
Jacques Distler 063a8ca5a7 Fix Maruku Ruby 1.9 Bug
In Rbuy 1.8, ?c returns an integer.
In Ruby 1.9, it returns a 1-character
string. This was causing one of our
LaTeX conversion functional tests to
fail.
Fixed.
2009-12-01 21:29:07 -06:00
Jacques Distler a6429f8c22 Ruby 1.9 Compatibility
Completely removed the html5lib sanitizer.
Fixed the string-handling to work in both
Ruby 1.8.x and 1.9.2. There are still,
inexplicably, two functional tests that
fail. But the rest seems to work quite well.
2009-11-30 16:28:18 -06:00
Jacques Distler 2f3ff9f651 Efficiency
There's a moderate efficiency gain to be had by
using Set#include?, rather than Array#include?
in the sanitizer.
2009-10-08 16:22:50 -05:00
Jacques Distler 698daecf0e Maruku "Email" Header Detection
The Regexp, used in Maruku to detect "email"
headers (used, e.g., for S5 slideshow metadata)
could, for some inputs, interact badly with
Instiki's Chunk Handler.
Fixed.
2009-07-13 23:59:09 -05:00
Jacques Distler ef5878cf11 Put class name on <pre>, rather than <code>
Better CSS styling options ensue, if we put
the class='lang' on the <pre> element.

(Suggested by Casper Gripenberg)
2009-07-06 15:30:35 -05:00
Jacques Distler a84648cff1 Fix Maruku Escaping Bug
Sync with latest Maruku (now on github).
lib/maruku/ext/math/mathml_engines/none.rb should
HTML-escape the TeX source code. No it does.
2009-05-13 01:27:39 -05:00
Jacques Distler ec7141942b Instiki 0.16.6
Fix an incompatiblity between form_spam_protect and IE7.
(Thanks to Jason Blevins)
Roll a new version.
2009-05-08 16:13:25 -05:00
Jacques Distler 681065631c Add Support for SVG Clipping Paths
Add support in the sanitizer for <clipPath>, @clip-path and @clip-rule.
Suggested by Andrew Stacey.
2009-05-07 16:53:56 -05:00
Jacques Distler e33ccad293 Remove list.dsbl.org
The dnsbl list at list.dsbl.org is defunct.
Also: a Ruby 1.9 compatiblity tweak for Maruku.
2009-05-03 00:57:07 -05:00
Jacques Distler d425a70fad Yikes!
Yet more dangerously greedy Regexps in Maruku,
and one of my own.
2009-03-27 09:25:08 -05:00
Jacques Distler 7403ea6a6b Don't be greedy!
Maruku uses greedy Regexps in a number of places, which,
in unfavourable circumstances, can lead to exponential
slowdowns (an apparent hang).

We worked around one such bug in Revision 355. Recently,
Toby Bartels found another (in Table Header parsing).
The "real" solution seems to be to make sure the Regexps
are not greedy. (Thanks to Sam Ruby for spotting the problem!)

Reverted the workaround in Revision 355, fixed Toby's
bug, and several other similar Regexps.
2009-03-27 02:44:49 -05:00
Jacques Distler c7418af48d Support for HTML5 <audio>
As with <video>,

   [[foo.wav:audio]]

works now, producing an HTML5 <audio> element.
2009-03-03 12:17:14 -06:00
Jacques Distler 8ea8b6a8f7 <video> and x-sendfile
Using <object> and <embed> were forbidden for obvious
security reasons. Instiki now permits embedding video
via the HTML5 <video> element (Ogg/Theora encoded videos
only, with .ogg or .ogv extensions). You can even upload
videos with

    [[foo.ogg:video]]

Instiki now support x-sendfile. See the Proxying page for
configuring Apache (with the x-sendfile module). Lighttpd
should work similarly.

Update Rails to latest Edge (hopefully converging on RC2!).
2009-03-02 02:32:25 -06:00
Jacques Distler 133c21b801 Bugfixes and Rails Edge
Update to Rails 2.3.1.
  (Actually, not quite. Doesn't look like 2.3.1 will be released
   today, but I REALLY want to push these bugfixes out.)
Removed bundled Rack (Rails 2.3.1 comes bundled with Rack 1.0).
Add
     config.action_view.cache_template_loading = true
  to production environment.
Fix FastCGI bug (http://rubyforge.org/tracker/index.php?func=detail&aid=24191&group_id=186&atid=783).
Fix WikiWords bug (http://rubyforge.org/pipermail/instiki-users/2009-February/001181.html).
2009-02-27 19:23:00 -06:00
Jacques Distler 53751a61f0 Fix Maruku Hanging Bug
A Maruku-syntax <div> with an unclosed IAL (and, it seems, at least one equation)
would cause Instiki to hang. Badly. Requiring a 'kill -9' to terminate it.
Reverting the OpenDiv and CloseDiv Regexps to my, more simple-minded, versions
fixes the problem.
2009-02-09 22:20:34 -06:00
Jacques Distler 4e14ccc74d Instiki 0.16.3: Rails 2.3.0
Instiki now runs on the Rails 2.3.0 Candidate Release.
Among other improvements, this means that it now 
automagically selects between WEBrick and Mongrel.

Just run

    ./instiki --daemon
2009-02-04 14:26:08 -06:00
Jacques Distler b80995dbdc Equation Numbering in Maruku+itex2MML
This was spooged by Revision #263 (to accommodate) BlahTeX/PNG support.
Hopefully this way will work in both modes.
2009-01-24 11:40:53 -06:00
Jacques Distler 52c1f74ecc Add a couple of XSS tests.
Some more tests from Clint Ruoho. The main branch of Instiki (and, I guess,
the old sanitizer) are vulnerable.

Also: under Ruby 1.8.x, CGI.unescapeHTML screws up horribly decoding NCRs
which represent high-bit ASCII characters. UTF-8 agrees with 7-bit ASCII,
but CGI.unescapeHTML doesn't seem to know that they disagree for i>127.
2009-01-05 16:25:27 -06:00
Jacques Distler 3929fceaf8 Fix buglet in xhtmldiff
Fixes one of two formely broken unit tests.
2008-12-18 22:12:23 -06:00
Jacques Distler 5d2b0da4d5 Faster
Update dnsbl_check plugin to latest version.
Update Maruku to latest version.
In the wiki_controller, only apply the dnsbl_check before_filter 
  to the :edit, :new, and :save actions, instead of all actions.
  This makes mundane "show" requests faster, but does not 
  compromise spam-fighting ability.
2008-12-16 00:40:30 -06:00
Jacques Distler 65c08e1090 Update SQLite3 Drivers
Update bundled drivers to version 1.2.4.
2008-12-15 14:45:15 -06:00
Jacques Distler 5d7d89d193 Fix Slowdown in Sanitizer Regexp
Deal with the issue:

   http://code.google.com/p/html5lib/issues/detail?id=83

by fixing a regexp used for sanitizing inline style attributes.
2008-12-09 08:54:35 -06:00
Jacques Distler 7e66134e2f Update Maruku Author List
Yay, me!
2008-12-05 12:31:44 -06:00
Jacques Distler 11930dfabd Update HTML5lib Sanitizer Test, Accordingly 2008-12-01 14:11:57 -06:00
Jacques Distler af8157130a Clarify form_spam_protection Error Message
You need cookies enabled, too (since Instiki stores session data in a cookie).
2008-11-30 17:44:21 -06:00
Jacques Distler bceb1864df Fixes
Fix Session CookieOverflow bug when rescuing an InstikiValidation error.
Fix some random things which will cause problems with Ruby 1.9. (Plenty
more where those came from.)
2008-11-05 22:24:14 -06:00
Jacques Distler 39348c65c2 Make Andrea Happy
Use a counter, instead of rand() to aid in generating unique IDs in Maruku.
Add Unit test for the Theorem Environment.
2008-10-25 00:52:59 -05:00
Jacques Distler e48b000c11 Tweak from Ari Stern
Match Maruku Revision 184: change wrapper for embedded TeX in display equation from
a <div> to a <span>.
2008-10-23 22:44:53 -05:00
Jacques Distler 0fdb13b257 Whoops! Forgot one.
This fixes LaTeX output for Theorem cross-refs.
2008-10-21 00:26:31 -05:00
Jacques Distler 2fb41f12ce Automatic Theorem Numbering
Can now refer to numbered theorems by \ref{...}, as in LaTeX
2008-10-20 00:24:22 -05:00