chinwag/chinwagsocial
chinwag/chinwagsocial
2
0
Fork 0
Code Issues Pull requests Releases 14 Wiki Activity

[!] Sanitize incoming classlist properly (#6162)

Browse source 
* Sanitize classlist properly

* Actually properly sanitize every class after the first

* Improve Formatter spec to check for multiple classes and non-space whitespace
This commit is contained in:
puckipedia 2018-01-03 03:54:08 +01:00 committed by Eugen Rochko
commit 545095b3ce
2 changed files with 5 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

8
app/lib/sanitize_config.rb
View file

@ -6,14 +6,14 @@ class Sanitize
CLASS_WHITELIST_TRANSFORMER = lambda do |env|
node = env[:node]
class_list = node['class']&.split(' ')
class_list = node['class']&.split(/[\t\n\f\r ]/)
return unless class_list
class_list.keep_if do |e|
return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
return true if e =~ /^(mention|hashtag)$/ # semantic classes
return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
next true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
next true if e =~ /^(mention|hashtag)$/ # semantic classes
next true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
end
node['class'] = class_list.join(' ')

2
spec/lib/formatter_spec.rb
View file

@ -332,7 +332,7 @@ RSpec.describe Formatter do
end
context 'contains malicious classes' do
let(:text) { '<span class="status__content__spoiler-link">Show more</span>' }
let(:text) { '<span class="mention status__content__spoiler-link">Show more</span>' }
it 'strips malicious classes' do
is_expected.to_not include 'status__content__spoiler-link'