| author | hukl <contact@smyck.org> | 2009-10-17 13:56:01 +0200 |
|---|---|---|
| committer | hukl <contact@smyck.org> | 2009-10-17 13:56:01 +0200 |
| commit | c36132551b62e7d249948712d6dc47be614c28a5 (patch) | |
| tree | 03d259bc98c11defc0ab36e961f1d95d335833e4 | |
| parent | b7c233271b072ba408bfa9e9e8cc6fde7726c558 (diff) | |
added sanitize statements to (hopefully) all critical templates to protect against cross-site scripting.
added a section to environment.rb listing the whitelisted tags and attributes, with examples of how to extend the list
| -rw-r--r-- | app/helpers/content_helper.rb | 6 | ||||
| -rw-r--r-- | app/views/content/_front_page_calendar.html.erb | 2 | ||||
| -rw-r--r-- | app/views/custom/page_templates/public/no_date_and_author.html.erb | 2 | ||||
| -rw-r--r-- | app/views/custom/page_templates/public/standard_template.html.erb | 2 | ||||
| -rw-r--r-- | app/views/nodes/show.html.erb | 6 | ||||
| -rw-r--r-- | config/environment.rb | 16 |
6 files changed, 22 insertions, 12 deletions
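--- a/app/helpers/content_helper.rb
+++ b/app/helpers/content_helper.rb
@@ -85,13 +85,13 @@ module ContentHelper
 
 options[:partial] = select_partial( options[:partial] )
 
-content.sub(tag, render_collection(options))
+sanitize( content.sub(tag, render_collection(options)) )
 else
-sanitize( content )
+sanitize( content )
 end
 
 rescue
-content
+sanatize( content )
 end
 end
 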
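Review bot: The rescue branch at new line 94 calls `sanatize( content )`, which is a typo for `sanitize`; inside a `rescue` this raises NoMethodError, so the fallback that used to return `content` now aborts the render instead of returning sanitized content. Change it to `sanitize( content )` so the error path gives the same protection as the success path. The enclosing method and the `if` whose `else` appears at line 89 both start before the hunk, so the condition and the source of `content` are not visible here; the bare `rescue` also hides whatever failed, which is worth at least a log line.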
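--- a/app/views/content/_front_page_calendar.html.erb
+++ b/app/views/content/_front_page_calendar.html.erb
@@ -4,7 +4,7 @@
 <% occurrences.each do |occurrence| %>
 <li>
 <div><%= l occurrence.start_time.to_date, :format => :default %></div>
-<%= link_to_path occurrence.node.head.title, occurrence.node.unique_name %>
+<%= link_to_path sanitize( occurrence.node.head.title ), occurrence.node.unique_name %>
 </li>
 <% end %>
 </ul>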
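Review bot: `sanitize` on line 7 keeps whitelisted markup rather than removing it, and the allowlist this commit documents in config/environment.rb includes `a` and `img` with `href`/`src`, so a title containing such tags still reaches the link text as live HTML nested inside the generated link. If titles are plain text, escaping is the stricter choice: `<%= link_to_path h( occurrence.node.head.title ), occurrence.node.unique_name %>`; the same applies to the title cell in app/views/nodes/show.html.erb line 39. `link_to_path` is defined outside this diff, so whether it escapes its first argument or the `unique_name` path cannot be checked here.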
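--- a/app/views/custom/page_templates/public/no_date_and_author.html.erb
+++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb
@@ -1,7 +1,7 @@
 <div class="article">
 <h2><%= @page.title %></h2>
 <hr class="subtitle" />
-<p><em><%= @page.abstract %></em></p>
+<p><em><%= sanitize( @page.abstract ) %></em></p>
 <div id="headline_image"><%= headline_image %></div>
 <%= aggregate?(@page.body) %>
 </div>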
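Review bot: `@page.title` on line 2 is still output raw while the abstract on line 4 is now sanitized, and app/views/nodes/show.html.erb in this same commit does sanitize the title, so this template is the inconsistent one; the same gap is in standard_template.html.erb line 2. Change it to `<h2><%= sanitize( @page.title ) %></h2>` (or `h( @page.title )` if titles are plain text). `headline_image` and `aggregate?(@page.body)` on lines 5-6 are left as they were; the content_helper hunk wraps one helper's return value in `sanitize`, but its name is outside that hunk, so whether the body path is covered cannot be confirmed from this diff.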
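--- a/app/views/custom/page_templates/public/standard_template.html.erb
+++ b/app/views/custom/page_templates/public/standard_template.html.erb
@@ -2,7 +2,7 @@
 <h2><%= @page.title %></h2>
 <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3>
 <hr class="subtitle" />
-<p><em><%= @page.abstract %></em></p>
+<p><em><%= sanitize( @page.abstract )%></em></p>
 <div id="headline_image"><%= headline_image %></div>
 <%= aggregate?(@page.body) %>
 </div>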
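Review bot: Line 5 drops the space before the closing tag, `sanitize( @page.abstract )%>`, while every other template in this commit writes `) %>`; it works, but it reads as an unfinished edit. Use `<p><em><%= sanitize( @page.abstract ) %></em></p>` to match the rest. The `@page.user.try(:login)` on line 3 is also emitted raw, which is fine only if logins are restricted to safe characters at registration, something this diff does not show.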
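--- a/app/views/nodes/show.html.erb
+++ b/app/views/nodes/show.html.erb
@@ -36,15 +36,15 @@
 </tr>
 <tr>
 <td class="description"><strong>Title</strong></td>
-<td><%= @page.title %></td>
+<td><%= sanitize( @page.title ) %></td>
 </tr>
 <tr>
 <td class="description"><strong>Abstract</strong></td>
-<td><%= @page.abstract %></td>
+<td><%= sanitize( @page.abstract ) %></td>
 </tr>
 <tr>
 <td class="description"><strong>Body</strong></td>
-<td><%= @page.body %></td>
+<td><%= sanitize( @page.body ) %></td>
 </tr>
 <tr>
 <td></td>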
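--- a/config/environment.rb
+++ b/config/environment.rb
@@ -30,9 +30,19 @@ Rails::Initializer.run do |config|
 # :all can be used as a placeholder for all plugins not explicitly named
 # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
 
-# Skip frameworks you're not going to use. To use Rails without a database,
-# you must remove the Active Record framework.
-# config.frameworks -= [ :active_record, :active_resource, :action_mailer ]
+# Allowed Tags
+# strong em b i p code pre tt samp kbd var sub sup dfn cite big small
+# address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr
+# acronym a img blockquote del ins
+
+# Allowed Attributes:
+# href src width height alt cite datetime title class name xml:lang abbr))
+
+# Add tags to whitelist with:
+# config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+
+# Add attributes to whitelist with:
+# config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
 
 # Activate observers that should always be running
 # config.active_record.observers = :cacher, :garbage_collector, :forum_observer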
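Review bot: The attributes comment on new line 39 ends in a stray `))` (`... xml:lang abbr))`), which looks like a leftover from a pasted `%w( ... )` literal; trim it to `# href src width height alt cite datetime title class name xml:lang abbr`. Note that this hunk is commentary only: nothing is assigned, so the effective allowlist is whatever the framework's default is, and the lists here are presumably a transcription of that default rather than a setting the app controls. A one-line comment saying so, e.g. `# These are the framework defaults; nothing below changes them unless uncommented.`, would stop a later reader from assuming editing the lists has any effect.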
