Filter image tags everywhere except in custom pages

Allowing image tags everywhere makes us vulnerable to CSRF attacks.
Javi Martín
2018-09-07 14:13:48 +02:00
parent 5faeefab2c
commit f917f5eed9
5 changed files with 44 additions and 4 deletions


@@ -8,7 +8,7 @@
<h2><%= @custom_page.subtitle%></h2> <h2><%= @custom_page.subtitle%></h2>
<% end %> <% end %>
<%= text_with_links @custom_page.content %> <%= safe_html_with_links AdminWYSIWYGSanitizer.new.sanitize(@custom_page.content) %>
</div> </div>
<% if @custom_page.print_content_flag %> <% if @custom_page.print_content_flag %>
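Review bot: The view now builds `AdminWYSIWYGSanitizer.new` and sanitizes inline at line 16, so a security decision (which allow-list applies to this content) lives in presentation code. Extracting it into a helper, e.g. `<%= safe_html_with_links sanitize_custom_page_content(@custom_page.content) %>` (constructed name), keeps the choice of sanitizer in one reviewable, testable place. The hunk header announces seven lines per side but only five are shown, so the surrounding template is not fully visible here.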


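--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,9 @@
+class AdminWYSIWYGSanitizer < WYSIWYGSanitizer
+def allowed_tags
+super + %w[img]
+end
+def allowed_attributes
+super + %w[alt src style]
+end
+end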
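Review bot: `AdminWYSIWYGSanitizer` carries no comment explaining why it widens the base allow-list, and that widening is the security-relevant decision of this commit (the description says images elsewhere enable CSRF-style requests). Add a class comment such as `# Sanitizer for admin-authored custom pages: img/src/style are permitted here only because the author is a trusted administrator; do not apply it to user-submitted content.` Since `src` and `style` are now accepted, a spec asserting that a non-HTTP `src` and an unsafe CSS declaration are still scrubbed would also be worthwhile; whether they are depends on the underlying Rails sanitizer's protocol and CSS scrubbing, which this hunk does not configure explicitly.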


@@ -1,10 +1,14 @@
class WYSIWYGSanitizer class WYSIWYGSanitizer
def allowed_tags
%w[p ul ol li strong em u s a h2 h3]
end
ALLOWED_TAGS = %w(p ul ol li strong em u s img a h2 h3) def allowed_attributes
ALLOWED_ATTRIBUTES = %w(href style src alt) %w[href]
end
def sanitize(html) def sanitize(html)
ActionController::Base.helpers.sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES) ActionController::Base.helpers.sanitize(html, tags: allowed_tags, attributes: allowed_attributes)
end end
end end
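Review bot: Removing the public `ALLOWED_TAGS` and `ALLOWED_ATTRIBUTES` constants is an API change; any other caller reading `WYSIWYGSanitizer::ALLOWED_TAGS` (none is visible here) would now raise `NameError`, so a grep before merge is warranted. As a point of style, `allowed_tags` and `allowed_attributes` allocate a fresh array on every call; keeping frozen constants and returning them, e.g. `ALLOWED_TAGS = %w[p ul ol li strong em u s a h2 h3].freeze` with `def allowed_tags; ALLOWED_TAGS; end`, preserves the override points for the subclass while keeping the constants for existing readers. A one-line comment on `allowed_tags` noting that `img` is intentionally absent and that subclasses opt in would make the intent of this commit visible at the point where the list is defined.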


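--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,12 @@
+require 'rails_helper'
+describe AdminWYSIWYGSanitizer do
+let(:sanitizer) { AdminWYSIWYGSanitizer.new }
+describe '#sanitize' do
+it 'allows images' do
+html = 'Dangerous<img src="/smile.png" alt="Smile" style="width: 10px;"> image'
+expect(sanitizer.sanitize(html)).to eq(html)
+end
+end
+end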
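Review bot: The new spec pins only the happy path; the admin sanitizer is expected to inherit the base filtering through `super`, but nothing here proves it, so a regression that dropped `super` from `allowed_tags` or `allowed_attributes` would pass unnoticed. Add an example asserting that `<script>` is still removed for this sanitizer, and one asserting that an `img` carrying an attribute outside the allow-list (an event-handler attribute such as `onerror` is the case a sanitizer spec should cover) comes back with only its `src`/`alt`/`style` attributes. Both can reuse the existing `sanitizer` let.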


@@ -15,10 +15,25 @@ describe WYSIWYGSanitizer do
expect(subject.sanitize(html)).to eq(html) expect(subject.sanitize(html)).to eq(html)
end end
it 'allows links' do
html = '<p><a href="/">Home</a></p>'
expect(subject.sanitize(html)).to eq(html)
end
it 'allows headings' do
html = '<h2>Objectives</h2><p>Fix flaky specs</p><h3>Explain why the test is flaky</h3>'
expect(subject.sanitize(html)).to eq(html)
end
it 'filters out dangerous tags' do it 'filters out dangerous tags' do
html = '<p>This is <script>alert("dangerous");</script></p>' html = '<p>This is <script>alert("dangerous");</script></p>'
expect(subject.sanitize(html)).to eq('<p>This is alert("dangerous");</p>') expect(subject.sanitize(html)).to eq('<p>This is alert("dangerous");</p>')
end end
it 'filters images' do
html = 'Dangerous<img src="/smile.png" alt="Smile" style="width: 10px";> image'
expect(subject.sanitize(html)).to eq('Dangerous image')
end
end end
end end
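Review bot: The fixture in the `filters images` example is malformed: `style="width: 10px";>` places the semicolon outside the attribute quotes, unlike the same fixture in the new admin spec. The example passes only because the whole `img` element is dropped, which hides the mistake; change it to `html = 'Dangerous<img src="/smile.png" alt="Smile" style="width: 10px;"> image'` so both specs exercise identical input. The enclosing `describe WYSIWYGSanitizer` block starts before this hunk.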