Commit graph

172 commits

Author SHA1 Message Date
Jacques Distler a5e08f7bcc Rails_xss Plugin
I installed the rails_xss plugin, for
the main purpose of seeing what will
break with Rails 3.0 (where the behaviour
of the plugin is the default). I think
I've fixed everything, but let me know if you
see stuff that is HTML-escaped, which
shouldn't be.

As a side benefit, we now use Erubis,
rather than ERB, to render templates.
They tell me it's faster ...
2010-05-26 00:27:49 -05:00
Jacques Distler f0635301aa Update to Rails 2.3.8 2010-05-25 12:45:45 -05:00
Jacques Distler 6677b46cb4 A few more additions for the Sanitizer 2010-05-23 23:22:45 -05:00
Jacques Distler 2781890832 Updated Sanitizer for HTML5
Sanitizer should recognize HTML elements
and attributes.

New Allowed Elements:

  article aside audio canvas command details
  dialog figcaption figure footer header
  hgroup mark meter nav progress rp rt ruby
  section source summary time video war
(OK, audio and video were already there)

New Allowed Attributes:

  autocomplete contenteditable contextmenu
  draggable formaction icon low max min
  open optimum pattern placeholder preload
  pubdate required reversed spellcheck step
  wrap

Attributes removed:

  abbr charset loopcount loopend loopstart
  noshade nowrap rev rules

Maruku supports @start and @reversed on
ordered lists. It doesn't seem to support
IALs on li elements, so you still can't
attach @value to an li.
2010-05-22 14:34:08 -05:00
Jacques Distler d9d353a350 Some HTML5 audio/video attributes for the Sanitizer 2010-05-13 00:47:09 -05:00
Jacques Distler fd9fc1455e Prefer Monkey-patching Rack Gem to Vendored Rack
This gets around a dreaded

  in `load_missing_constant': Rack
  is not missing constant Handler! (ArgumentError)

error in latest Ruby 1.9.2-dev. (Ruby
1.8.x doesn't seem to care.)
2010-05-08 23:42:40 -05:00
Jacques Distler da0c6a2ea1 Fix an SVG nonce bug
Dunno when this problem with randomized IDs arose.
But it's fixed now.

Also, sync with latest SVG-Edit.
2010-04-01 23:56:21 -05:00
Jacques Distler aa0a151ba4 Uniquify IDs in SVG-Edit
Since we can have several SVG-Edit graphics
on a page, SVG-Edit should assign unique IDs
to elements, and do so in a fashion that survives
re-editing.

To do this, we use a nonce, and record its value in
a custom se:nonce attribute on the <svg> element.
(Is there a better way?)

Also, preserve the custom se:connector attribute for
later editing purposes.
2010-02-25 02:25:16 -06:00
Jacques Distler c4003f79b3 Support SVG-Edit Custom Attribute(s)
Add support for se:connector attribute in
Instiki's Sanitizer.
2010-02-23 23:07:09 -06:00
Jacques Distler b5a7f7ac05 Add MathML Support to SVG-edit
Doesn't actually render anything,
but doesn't strip out all the
MathML tags, either.
2010-02-06 01:14:42 -06:00
Jacques Distler c3ed5b461b Preliminary SVG-edit Support
WYSIWYG SVG editing.

Still no support for mixed
SVG/MathML content, yet.
2010-02-05 21:36:35 -06:00
Jacques Distler 49e89d0f85 Fix Caching
Fix the caching of pages with "." in
their names. This was busted.
2010-01-26 13:50:43 -06:00
Jacques Distler bafa7743f1 Allow Periods in Page Names
Thanks to Jeff Zellman.
2010-01-26 00:18:30 -06:00
Jacques Distler cbb3e4b74f Less Grotty
Does what Revision 535 does, but
slightly less ugly.
2010-01-25 22:01:10 -06:00
Jacques Distler 9dc59b7b7c Fix BlahTeX/PNG Path
Dunno why Ari tolerated this
up till now.
2010-01-25 17:55:31 -06:00
Jacques Distler 8ed5a88db0 Fix Zip Export and Print View
Fix http://bug.to/issues/show/335
and
http://bug.to/issues/show/334

We now bundle the uploaded files directory
(and the public/ directory for the (X)HTML
export) in the Zipball when exporting a Web.

Also, correct the Print View to produce proper links
to uploaded files.
2010-01-23 18:01:02 -06:00
Jacques Distler e3aa626489 Better Display of Interweb Wikilinks
Perhaps not the most creative use of CSS. But,
at least, this will read better.
2010-01-03 13:19:47 -06:00
Jacques Distler 7c51accaab Update Windows sqlite3.dll
For whatever the heck it's worth...
2009-12-22 21:00:23 -06:00
Jacques Distler a71e64a172 Update Vendored sqlite3-ruby 2009-12-22 20:48:32 -06:00
Jacques Distler 9874650e4b Silence Some Stupid Warnings in Ruby 1.9 2009-12-18 23:53:43 -06:00
Jacques Distler fe877a10b4 Make html_ext Available as a Helper
... and protected.
2009-12-16 00:59:33 -06:00
Jacques Distler d3e79ea84a Make truncate() Unicode-aware 2009-12-14 17:41:28 -06:00
Jacques Distler a58bee7437 Another Textarea Tweak and a Ruby 1.9 Fix 2009-12-12 15:28:05 -06:00
Jacques Distler 023d84c4a4 Ack! This is better 2009-12-08 09:08:25 -06:00
Jacques Distler faac8951a3 More Ruby 1.9 String Encoding Fun 2009-12-08 08:50:01 -06:00
Jacques Distler 171c12d2c1 Efficiency
This version of String#purify
is 12% faster, under Ruby 1.9,
than before.
2009-12-05 10:50:58 -06:00
Jacques Distler 34b63a8375 Fix a Ruby 1.9 Character Encoding Bug
Wow, this stuff is complicated!
Some things really want to be UTF-8;
others really want to be byte strings.
2009-12-01 12:03:15 -06:00
Jacques Distler a6429f8c22 Ruby 1.9 Compatibility
Completely removed the html5lib sanitizer.
Fixed the string-handling to work in both
Ruby 1.8.x and 1.9.2. There are still,
inexplicably, two functional tests that
fail. But the rest seems to work quite well.
2009-11-30 16:28:18 -06:00
Jacques Distler 371aab6f96 Sync with Latest itex2MML and MathML::Entities
Support the latest changes in
http://www.w3.org/TR/2009/WD-xml-entity-names-20091117/
2009-11-18 12:04:07 -06:00
Jacques Distler c99ca26a8d Better log rotation for Passenger
Touch the tmp/restart.txt file, when
rotating the log files. Otherwise, multiple
workers may try to rotate the log files
at the same time, with sub-optimal results.

Also, an aesthetic tweak to the url_generator.
2009-10-28 00:03:25 -05:00
Jacques Distler f559d8a06d Intra-Web Links in S5 Slideshows on Published Webs
Never really thought through where those should go.
They now point to the published version.
2009-10-23 10:05:02 -05:00
Jacques Distler d880d81b0a Simplification
The last commit means we can
simplify the url_generator.rb a bit more.
It's still an ugly beast.
2009-10-23 00:18:23 -05:00
Jacques Distler 761f8bbb51 Links From Published Webs
Damn, but it's hard to get this right.
I think I've finally done it, though.
We'll see ...
2009-10-22 17:57:13 -05:00
Jacques Distler 97a35e280b DB Migration
% rake upgrade_instiki

fixes some potential problems in the database column types.

Revision content can now be up to 16MB.
Under MySQL, the previous limit was 64KB.

Page names can now be up to 255 bytes.
Under MySQL, the previous limit was 60 bytes.

Additional CSS styles can now be up to 64KB.
Under MySQL, the previous limit was 255 bytes.

Thanks to Andrew Stacey for reporting these.
2009-10-21 00:42:48 -05:00
Jacques Distler a483b4e71e Also fix S5 slides.js
It needs to use relative URLs, too.
2009-10-11 10:20:43 -05:00
Jacques Distler 23e9c6beb2 Use AssetTagHelpers in S5 Template
Otherwise S5 breaks when Instiki is
deployed to a non-root URL (e.g., by
setting RailsBaseURI in Passenger).

Also a stylistic tweak in lib/node.rb
2009-10-11 09:49:01 -05:00
Jacques Distler dd8c912c6c Update lib/node.rb
Grab some fixes from html_scanner, and add few of our own.
2009-10-10 03:52:33 -05:00
Jacques Distler d5e35d2861 Some more Sanitizer tweaks
Mostly stylistic things, but allow some constants to be defined by the calling program.
2009-10-10 02:44:44 -05:00
Jacques Distler d14db51d9e More Sanitizer Refactoring
Make the Sanitizer more efficient.
Also, update some unit tests.
2009-10-09 23:18:17 -05:00
Jacques Distler 9b7071d190 Update Sanitizer Docs
They were a bit out-of-sync with what the sanitizer
actually does.
2009-10-09 14:02:07 -05:00
Jacques Distler e7b77dd3d3 Sanitizer Refactoring
A bit of cleanup for the Sanitizer.
2009-10-09 13:02:02 -05:00
Jacques Distler 2f3ff9f651 Efficiency
There's a moderate efficiency gain to be had by
using Set#include?, rather than Array#include?
in the sanitizer.
2009-10-08 16:22:50 -05:00
Jacques Distler e0df6c8a6a Updated Tests and Sanitizer Fixes for Revision 439 2009-09-25 15:59:43 -05:00
Jacques Distler b438bc64f6 Update More MathML Entity Mappings
Bring up-to-date with Editor's copy of
XML Entity definitions for Characters
(W3C Working Draft 13 September 2009)
http://www.w3.org/2003/entities/2007doc/overview.html
2009-09-25 14:34:22 -05:00
Jacques Distler 31ed55f055 Update MathML Entity Mappings
Update list of XHTML+MathML named entities
to match
http://www.w3.org/TR/2008/WD-xml-entity-names-20080721/
2009-09-24 16:21:22 -05:00
Jacques Distler 7185af32fc Fix an Eyesore
That just looked sloppy. I blame copy/paste.
2009-09-09 15:01:25 -05:00
Jacques Distler 3ff68ef42f Don't Expand NCRs
That operation is not idempotent (among other defects).
Instead, just check that the NCRs correspond to valid utf-8.
(Reported by Andrew Stacey)
2009-09-09 09:16:00 -05:00
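The non-idempotence problem and the validate-in-place alternative from the commit above, as an added Ruby example (not Instiki's own sanitizer code). The regex, the `valid_scalar?` rule and the `U+FFFD` substitution are assumptions of this example, not taken from the project.

```ruby
# Added example, not Instiki's sanitizer. Numeric character references (NCRs)
# are checked for validity where they stand instead of being expanded.
NCR = /&#(?:x([0-9a-fA-F]{1,8})|([0-9]{1,10}));/

# Code points that UTF-8 can encode: not NUL, not a surrogate, not above U+10FFFF.
def valid_scalar?(cp)
  cp.positive? && cp <= 0x10FFFF && !cp.between?(0xD800, 0xDFFF)
end

# Return the NCRs in +text+ that do not denote a valid UTF-8 character.
def invalid_ncrs(text)
  text.to_enum(:scan, NCR).map { Regexp.last_match }.reject do |m|
    valid_scalar?(m[1] ? m[1].to_i(16) : m[2].to_i)
  end.map(&:to_s)
end

# Sanitizer-style pass: keep valid NCRs untouched, replace invalid ones with
# the reference for U+FFFD. Nothing is expanded, so the pass is idempotent.
def neutralize_ncrs(text)
  text.gsub(NCR) do |ref|
    valid_scalar?($1 ? $1.to_i(16) : $2.to_i) ? ref : '&#xFFFD;'
  end
end

# The rejected approach: decode entities and NCRs to characters. Running it
# twice over "&amp;#65;" yields "&#65;" and then "A", which is the defect the
# commit message refers to.
def expand_ncrs(text)
  text.gsub(/&(?:(amp);|#x([0-9a-fA-F]{1,8});|#([0-9]{1,10});)/) do
    next '&' if $1
    cp = $2 ? $2.to_i(16) : $3.to_i
    valid_scalar?(cp) ? [cp].pack('U') : "\u{FFFD}"
  end
end

# Constructed sample: one escaped NCR, one valid NCR, one surrogate NCR.
SAMPLE = 'x &amp;#65; &#x263A; &#xD800; y'
```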
Jacques Distler 116255dc0d Purify Categories
Apply the same methodology, as in Revision 432,
to the category chunk-handler. This completes
the replacement of all the code that looks like

  if string.is_utf8?
    do something
  else
    complain
  end

with code that looks like

  string.purify
  do something
2009-09-07 20:38:09 -05:00
Jacques Distler c79fef9c01 Clean, rather than Complain
Previously, if the user tried to submit content which was
malformed utf-8, Instiki would complain loudly to him.

A slightly more user-friendly approach was suggested by
the latest Rails 2.3.4, and a conversation with Sam Ruby
(who suggested some improvements).

Now, instead of complaining, we remove the offending bytes,
leaving a well-formed utf-8 string, which we pretend is what
the user meant to submit.
2009-09-07 16:02:36 -05:00
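Instiki's actual `String#purify` is not shown on this page; the method below is an added example with the contract the two commits above describe (drop the offending bytes, return well-formed UTF-8, call it in place of an `is_utf8?` check). The byte-level decoder and the sample input are constructed for this example.

```ruby
# Added example, not Instiki's code: a byte-level String#purify that removes
# malformed UTF-8 bytes instead of rejecting the whole string.
class String
  # Copy of self with every byte that is not part of a well-formed UTF-8
  # sequence dropped. Overlong forms, surrogates (U+D800..U+DFFF) and code
  # points above U+10FFFF count as malformed, as Ruby's own validator treats them.
  def purify
    b = bytes
    out = []
    i = 0
    while i < b.length
      len = utf8_seq_length(b, i)
      if len.zero?
        i += 1                 # drop the offending byte and keep scanning
      else
        out.concat(b[i, len])  # keep the whole well-formed sequence
        i += len
      end
    end
    out.pack('C*').force_encoding('UTF-8')
  end

  private

  # Length of the well-formed sequence starting at index i, or 0 if malformed.
  def utf8_seq_length(b, i)
    b0 = b[i]
    return 1 if b0 < 0x80
    if b0.between?(0xC2, 0xDF)
      len, min = 2, 0x80
    elsif b0.between?(0xE0, 0xEF)
      len, min = 3, 0x800
    elsif b0.between?(0xF0, 0xF4)
      len, min = 4, 0x10000
    else
      return 0                 # stray continuation byte or illegal lead byte
    end
    return 0 if i + len > b.length
    cp = b0 & (0xFF >> (len + 1))
    (1...len).each do |k|
      return 0 unless (b[i + k] & 0xC0) == 0x80
      cp = (cp << 6) | (b[i + k] & 0x3F)
    end
    return 0 if cp < min || cp > 0x10FFFF || cp.between?(0xD800, 0xDFFF)
    len
  end
end

# Constructed sample: a valid "é" (C3 A9), a stray continuation byte (A9),
# then a truncated three-byte sequence (E2 82) followed by ASCII.
SAMPLE = "caf\xC3\xA9\xA9 \xE2\x82ok".b
```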
Jacques Distler 342298ed0e Wikilinks to Published Webs
Should be to the published action. This
didn't work right for inter-web links.
(Reported by Mike Shulman)

Also, change some .length's to .size's
(for Andrew Stacey)
2009-09-03 23:09:10 -05:00