764 commits

Author SHA1 Message Date
Jacques Distler a5e08f7bcc Rails_xss Plugin
I installed the rails_xss plugin, for
the main purpose of seeing what will
break with Rails 3.0 (where the behaviour
of the plugin is the default). I think
I've fixed everything, but let me know if you
see stuff that is HTML-escaped, which
shouldn't be.

As a side benefit, we now use Erubis,
rather than ERB, to render templates.
They tell me it's faster ...
2010-05-26 00:27:49 -05:00
Jacques Distler d6be09e0f0 Fix some Helper Methods
It seems that (advertising to the contrary)
Rails's XSS Protection is enabled, by default
in 2.3.8. So needed to fix some helper methods.
2010-05-25 12:59:35 -05:00
Jacques Distler f0635301aa Update to Rails 2.3.8 2010-05-25 12:45:45 -05:00
Jacques Distler 6677b46cb4 A few more additions for the Sanitizer 2010-05-23 23:22:45 -05:00
Jacques Distler d2c4623bf7 HTML5 Doctype 2010-05-22 16:11:27 -05:00
Jacques Distler 8149c29324 More HTML5 Attribute support in Maruku 2010-05-22 15:21:06 -05:00
Jacques Distler 2781890832 Updated Sanitizer for HTML5
Sanitizer should recognize HTML elements
and attributes.

New Allowed Elements:

  article aside audio canvas command details
  dialog figcaption figure footer header
  hgroup mark meter nav progress rp rt ruby
  section source summary time video war

(OK, audio and video were already there)

New Allowed Attributes:

  autocomplete contenteditable contextmenu
  draggable formaction icon low max min
  open optimum pattern placeholder preload
  pubdate required reversed spellcheck step
  wrap

Attributes removed:

  abbr charset loopcount loopend loopstart
  noshade nowrap rev rules

Maruku supports @start and @reversed on
ordered lists. It doesn't seem to support
IALs on li elements, so you still can't
attach @value to an li.
2010-05-22 14:34:08 -05:00
Jacques Distler d9d353a350 Some HTML5 audio/video attributes for the Sanitizer 2010-05-13 00:47:09 -05:00
Jacques Distler 80845297a3 This is even better 2010-05-11 01:10:59 -05:00
Jacques Distler 04a1727082 Select Saved SVG
When closing SVG-Edit, make the saved
svg selected.

Also, some SVG-Edit updates.
2010-05-11 00:38:21 -05:00
Jacques Distler fd9fc1455e Prefer Monkey-patching Rack Gem to Vendored Rack
This gets around a dreaded

  in `load_missing_constant': Rack
  is not missing constant Handler! (ArgumentError)

error in latest Ruby 1.9.2-dev. (Ruby
1.8.x doesn't seem to care.)
2010-05-08 23:42:40 -05:00
Jacques Distler 10cf102544 More bogus namespace fixes 2010-04-28 16:44:07 -05:00
Jacques Distler 86a53d1dfa Task of Sisyphus: Filter bogus attributes generated by Gecko (again) 2010-04-28 11:54:56 -05:00
Jacques Distler d1678ceb49 Sync with SVG-Edit 2.5beta 2010-04-28 00:22:49 -05:00
Jacques Distler 79a2299363 Content-Type of Cached Files with Period in Name
Monkey patch to prevent ActionCache from overriding
the correct content-type header, when serving cached
pages with a "." in the name. (Thanks to Jason Blevins)

Also sync with latest SVG-Edit.
2010-04-18 12:55:02 -05:00
Jacques Distler 324cc12320 Gaussian Blur (and other fun stuff)
Sync with latest SVG-edit.
2010-04-12 00:33:24 -05:00
Jacques Distler 6d5db0739a Buglet in latest SVG-Edit
Sync with latest SVG-Edit.
Among other things, fixes Issue 512.
2010-04-06 13:39:21 -05:00
Jacques Distler da0c6a2ea1 Fix an SVG nonce bug
Dunno when this problem with randomized IDs arose.
But it's fixed now.

Also, sync with latest SVG-Edit.
2010-04-01 23:56:21 -05:00
Jacques Distler 18b5ea9aa6 Use Instiki's escapeHTML Method in Templates
Fixes bug reported by Toby Bartels.
2010-03-29 09:27:14 -05:00
Jacques Distler 5f66f8387e Latest SVG-Edit
Jquery-1.8, and config for extensions.
2010-03-25 02:22:55 -05:00
Jacques Distler 77cfc0d2e3 Connector extension should use configured defaults 2010-03-22 19:21:00 -05:00
Jacques Distler 3e6d7faec2 Sync with latest SVG-Edit 2010-03-18 10:32:47 -05:00
Jacques Distler 143fa30b78 Whoops!
Somehow these did not make it into the
last commit.
2010-03-15 23:42:04 -05:00
Jacques Distler 5167363a2d Sync with latest SVG-Edit
Loading of configuration data via URL query string.
Now no differences, from trunk, in svgcanvas.js or svg-edit.js.
2010-03-15 11:13:22 -05:00
Jacques Distler c946c331e1 Update extensions for new SVG-Edit API 2010-03-12 10:48:27 -06:00
Jacques Distler 9636cab11e Update to latest SVG-Edit API 2010-03-12 03:50:23 -06:00
Jacques Distler 7e7ae4c6f0 Radial Gradients
Sync with latest SVG-Edit, which
supports radial gradients.
2010-03-10 19:02:40 -06:00
Jacques Distler 9ed0772978 Sync with latest SVG-Edit 2010-03-09 12:20:37 -06:00
Jacques Distler ae0274783d Small Fixes
Get rid of 'markdown' attribute on SVG-Edit
whitelist (it's no longer needed).

Slightly smarter detection of existing SVGs.
2010-03-06 18:28:51 -06:00
Jacques Distler d33b072cba The Task of Sisyphus
Correcting, and re-correcting the bugs in SVG-Edit.
2010-03-05 22:59:45 -06:00
Jacques Distler 5a5ff87286 Fix Bug in itex Extension
Firefox was too lenient, in allowing
you to append nodes from another document to
the svg canvas. Use adoptNode(), to do things
right. (Google Chrome is more strict about this.)
2010-03-05 16:19:12 -06:00
Jacques Distler e75c0cc81c Sync with latest SVG-Edit
Subpath tool.

Also make the itex tool a little more selective
(only applies to <foreignObject>s with a <math> firstChild).
2010-03-04 00:05:36 -06:00
Jacques Distler 932c42c24a More itex Metal Refactoring 2010-03-02 13:59:50 -06:00
Jacques Distler e07960a897 Efficiency improvements to itex endpoint
Benchmarks at up to twice as fast.
2010-03-01 21:10:13 -06:00
Jacques Distler a6bceb2a8e Ensure that itex endpoint returns well-formed XML
Since itex's \begin{svg}...\end{svg} syntax allows
the client to pass arbitrary junk through the document,
we need to check that the result is well-formed.

Use a pluggable XML parser: nokogiri, if installed,
REXML otherwise.
2010-03-01 12:27:04 -06:00
Jacques Distler 7b22daa784 Fix Revision 601
With tests, this time.
2010-02-28 23:51:33 -06:00
Jacques Distler 70aa50ad4b Make dnsbl_check respond more intelligently
Thanks to Toby Bartels for pointing out
the deficiencies of the previous version.
2010-02-28 19:23:37 -06:00
Jacques Distler dcfe870a02 Fix foreignObject
Fix SVG-Edit Issue 503.
Selecting a foreignObject was
mistakenly setting the stroke to 'none'.
2010-02-27 16:39:57 -06:00
Jacques Distler 519f81ab20 Try to make Jeff happy
Make use of a nonce for setting SVG-Edit IDs
option. By default, SVG-Edit behaves as before.
Calling svgCanvas.randomizeIds(true) gives our
behaviour, instead.

Also, sync with latest SVG-Edit (but disable,
for now, manual editing of IDs).
2010-02-27 09:49:02 -06:00
Jacques Distler 8a851eeab2 Sync with latest SVG-Edit
Fixes Issue 502 (Connector
lines are not re-editable).
2010-02-26 14:51:27 -06:00
Jacques Distler f7f1668e31 Fix killer bug when attempting to edit SVGs from prior SVG-Edit versions
D'Oh!
2010-02-25 10:56:18 -06:00
Jacques Distler aa0a151ba4 Uniquify IDs in SVG-Edit
Since we can have several SVG-Edit graphics
on a page, SVG-Edit should assign unique IDs
to elements, and do so in a fashion that survives
re-editing.

To do this, we use a nonce, and record its value in
a custom se:nonce attribute on the <svg> element.
(Is there a better way?).

Also, preserve the custom se:connector attribute for
later editing purposes.
2010-02-25 02:25:16 -06:00
Jacques Distler c4003f79b3 Support SVG-Edit Custom Attribute(s)
Add support for se:connector attribute in
Instiki's Sanitizer.
2010-02-23 23:07:09 -06:00
Jacques Distler 4cd626ef49 Cleanup itex extension
Most of the DOM manipulations can be done
before doing the AJAX call. This leaves
just the insertion of the MathML nodes in the
mrow for the AJAX callback function.

Also, make the stroke-width for the connector tool
default to 2.
2010-02-23 17:24:23 -06:00
Jacques Distler d201f79766 No Need to Double-Escape
Apparently, JQuery takes care of all of the
escaping we need. So ditch our own escaping
(which effectively double-escaped everything).
2010-02-23 10:16:14 -06:00
Jacques Distler 42d92a0b37 More ext-itex.js Fixes
Ajax is asynchronous. Need to
sanitize in the callback function,
NOT when adding <math> to the DOM.

Need to unescape text for itex editor
window (since JQuery seems to take care of
an 'extra' round of escaping).
2010-02-22 23:20:57 -06:00
Jacques Distler 85e0a2cb10 More tweaks
Make the AJAX endpoint configurable (this could still be
done better).
Use POST, rather than GET for the AJAX request, so that
we don't have to worry about overly-long equations.
2010-02-22 21:50:38 -06:00
Jacques Distler cb1fe51e84 Don't need an xmlns:xlink on the math element
itex2MML puts one on the mrows that are hyperlinks.
2010-02-22 21:35:29 -06:00
Jacques Distler 47524a7104 Small tweak to itex metal 2010-02-22 19:13:46 -06:00
Jacques Distler a1654f1e99 Sync with latest SVG-Edit 2010-02-22 18:53:15 -06:00