Filter image tags everywhere except in custom pages

Allowing image tags everywhere makes us vulnerable to CSRF attacks.
2018-09-07 14:13:48 +02:00
parent 5faeefab2c
commit f917f5eed9
5 changed files with 44 additions and 4 deletions
--- a/app/views/pages/custom_page.html.erb
+++ b/app/views/pages/custom_page.html.erb
@@ -8,7 +8,7 @@
      <h2><%= @custom_page.subtitle%></h2>
    <% end %>

-    <%= text_with_links @custom_page.content %>
+    <%= safe_html_with_links AdminWYSIWYGSanitizer.new.sanitize(@custom_page.content) %>
  </div>

  <% if @custom_page.print_content_flag %>
--- a/lib/admin_wysiwyg_sanitizer.rb
+++ b/lib/admin_wysiwyg_sanitizer.rb
@@ -0,0 +1,9 @@
+class AdminWYSIWYGSanitizer < WYSIWYGSanitizer
+  def allowed_tags
+    super + %w[img]
+  end
+
+  def allowed_attributes
+    super + %w[alt src style]
+  end
+end
--- a/lib/wysiwyg_sanitizer.rb
+++ b/lib/wysiwyg_sanitizer.rb
@@ -1,10 +1,14 @@
 class WYSIWYGSanitizer
+  def allowed_tags
+    %w[p ul ol li strong em u s a h2 h3]
+  end

-  ALLOWED_TAGS = %w(p ul ol li strong em u s img a h2 h3)
-  ALLOWED_ATTRIBUTES = %w(href style src alt)
+  def allowed_attributes
+    %w[href]
+  end

  def sanitize(html)
-    ActionController::Base.helpers.sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
+    ActionController::Base.helpers.sanitize(html, tags: allowed_tags, attributes: allowed_attributes)
  end

 end
--- a/spec/lib/admin_wysiwyg_sanitizer_spec.rb
+++ b/spec/lib/admin_wysiwyg_sanitizer_spec.rb
@@ -0,0 +1,12 @@
+require 'rails_helper'
+
+describe AdminWYSIWYGSanitizer do
+  let(:sanitizer) { AdminWYSIWYGSanitizer.new }
+
+  describe '#sanitize' do
+    it 'allows images' do
+      html = 'Dangerous<img src="/smile.png" alt="Smile" style="width: 10px;"> image'
+      expect(sanitizer.sanitize(html)).to eq(html)
+    end
+  end
+end
--- a/spec/lib/wysiwyg_sanitizer_spec.rb
+++ b/spec/lib/wysiwyg_sanitizer_spec.rb
@@ -15,10 +15,25 @@ describe WYSIWYGSanitizer do
      expect(subject.sanitize(html)).to eq(html)
    end

+    it 'allows links' do
+      html = '<p><a href="/">Home</a></p>'
+      expect(subject.sanitize(html)).to eq(html)
+    end
+
+    it 'allows headings' do
+      html = '<h2>Objectives</h2><p>Fix flaky specs</p><h3>Explain why the test is flaky</h3>'
+      expect(subject.sanitize(html)).to eq(html)
+    end
+
    it 'filters out dangerous tags' do
      html = '<p>This is <script>alert("dangerous");</script></p>'
      expect(subject.sanitize(html)).to eq('<p>This is alert("dangerous");</p>')
    end
+
+    it 'filters images' do
+      html = 'Dangerous<img src="/smile.png" alt="Smile" style="width: 10px";> image'
+      expect(subject.sanitize(html)).to eq('Dangerous image')
+    end
  end

 end