authorhukl <contact@smyck.org>2009-10-17 13:56:01 +0200
committerhukl <contact@smyck.org>2009-10-17 13:56:01 +0200
commitc36132551b62e7d249948712d6dc47be614c28a5 (patch)
tree03d259bc98c11defc0ab36e961f1d95d335833e4
parentb7c233271b072ba408bfa9e9e8cc6fde7726c558 (diff)
added sanitize statements to hopefully all critical templates to protect against cross site scripting.
added section to environment.rb listing the whitelisted tags and attributes and examples on how to extend the list
-rw-r--r--app/helpers/content_helper.rb6
-rw-r--r--app/views/content/_front_page_calendar.html.erb2
-rw-r--r--app/views/custom/page_templates/public/no_date_and_author.html.erb2
-rw-r--r--app/views/custom/page_templates/public/standard_template.html.erb2
-rw-r--r--app/views/nodes/show.html.erb6
-rw-r--r--config/environment.rb16
6 files changed, 22 insertions, 12 deletions
diff --git a/app/helpers/content_helper.rb b/app/helpers/content_helper.rb
index 2eb0c4d..9eb7d7e 100644
--- a/app/helpers/content_helper.rb
+++ b/app/helpers/content_helper.rb
@@ -85,13 +85,13 @@ module ContentHelper
85 85
86 options[:partial] = select_partial( options[:partial] ) 86 options[:partial] = select_partial( options[:partial] )
87 87
88 content.sub(tag, render_collection(options)) 88 sanitize( content.sub(tag, render_collection(options)) )
89 else 89 else
90 content 90 sanitize( content )
91 end 91 end
92 92
93 rescue 93 rescue
94 content 94 sanatize( content )
95 end 95 end
96 end 96 end
97 97
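Review bot: The rescue branch on line 94 calls `sanatize( content )`, which is not a defined helper, so any exception that reaches the rescue turns into a NoMethodError for `sanatize` and the raw content is never sanitized on the error path; it should read `sanitize( content )`. The bare `rescue` also catches every StandardError raised by `select_partial` and `render_collection`, so a broken partial now silently degrades to the sanitized raw content instead of surfacing; logging the exception there, or rescuing only the error class you expect, would keep that visible. Wrapping the result of `content.sub(tag, render_collection(options))` runs the tag allowlist over the rendered partial as well as over the user-supplied content, so markup the partial legitimately emits is subject to the same whitelist and may be stripped; sanitizing `content` before the substitution would confine the sanitizer to the untrusted part. The enclosing method starts before this hunk.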
diff --git a/app/views/content/_front_page_calendar.html.erb b/app/views/content/_front_page_calendar.html.erb
index 1a409a6..e7f46ba 100644
--- a/app/views/content/_front_page_calendar.html.erb
+++ b/app/views/content/_front_page_calendar.html.erb
@@ -4,7 +4,7 @@
4 <% occurrences.each do |occurrence| %> 4 <% occurrences.each do |occurrence| %>
5 <li> 5 <li>
6 <div><%= l occurrence.start_time.to_date, :format => :default %></div> 6 <div><%= l occurrence.start_time.to_date, :format => :default %></div>
7 <%= link_to_path occurrence.node.head.title, occurrence.node.unique_name %> 7 <%= link_to_path sanitize( occurrence.node.head.title ), occurrence.node.unique_name %>
8 </li> 8 </li>
9 <% end %> 9 <% end %>
10 </ul> 10 </ul>
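Review bot: `sanitize( occurrence.node.head.title )` on line 7 applies the tag allowlist rather than escaping, so a title may still carry whitelisted markup such as anchor or image tags inside the link text; if titles are meant to be plain text, `h(occurrence.node.head.title)` (html_escape) is the tighter choice. The second argument, `occurrence.node.unique_name`, is passed through unchanged; whether it ends up escaped depends on how `link_to_path` builds the href, which is defined outside this diff and is worth confirming.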
diff --git a/app/views/custom/page_templates/public/no_date_and_author.html.erb b/app/views/custom/page_templates/public/no_date_and_author.html.erb
index 08911ff..ef60961 100644
--- a/app/views/custom/page_templates/public/no_date_and_author.html.erb
+++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb
@@ -1,7 +1,7 @@
1<div class="article"> 1<div class="article">
2 <h2><%= @page.title %></h2> 2 <h2><%= @page.title %></h2>
3 <hr class="subtitle" /> 3 <hr class="subtitle" />
4 <p><em><%= @page.abstract %></em></p> 4 <p><em><%= sanitize( @page.abstract ) %></em></p>
5 <div id="headline_image"><%= headline_image %></div> 5 <div id="headline_image"><%= headline_image %></div>
6 <%= aggregate?(@page.body) %> 6 <%= aggregate?(@page.body) %>
7</div> 7</div>
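Review bot: `@page.title` on line 2 is still rendered raw while `@page.abstract` on line 4 is now sanitized, so the title remains an unescaped output of the same page record; the same gap exists in standard_template.html.erb, where line 2 emits `@page.title` and line 3 emits `@page.user.try(:login)` unsanitized. Since a heading is plain text, `<h2><%= h(@page.title) %></h2>` is sufficient and stricter than `sanitize`. The body goes through `aggregate?(@page.body)`, a helper outside this diff; the content_helper.rb change in this commit presumably covers it, but that is worth confirming rather than assumed.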
diff --git a/app/views/custom/page_templates/public/standard_template.html.erb b/app/views/custom/page_templates/public/standard_template.html.erb
index 9ce3e94..d4c80aa 100644
--- a/app/views/custom/page_templates/public/standard_template.html.erb
+++ b/app/views/custom/page_templates/public/standard_template.html.erb
@@ -2,7 +2,7 @@
2 <h2><%= @page.title %></h2> 2 <h2><%= @page.title %></h2>
3 <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3> 3 <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3>
4 <hr class="subtitle" /> 4 <hr class="subtitle" />
5 <p><em><%= @page.abstract %></em></p> 5 <p><em><%= sanitize( @page.abstract )%></em></p>
6 <div id="headline_image"><%= headline_image %></div> 6 <div id="headline_image"><%= headline_image %></div>
7 <%= aggregate?(@page.body) %> 7 <%= aggregate?(@page.body) %>
8</div> 8</div>
diff --git a/app/views/nodes/show.html.erb b/app/views/nodes/show.html.erb
index 8f56c7c..99fb264 100644
--- a/app/views/nodes/show.html.erb
+++ b/app/views/nodes/show.html.erb
@@ -36,15 +36,15 @@
36 </tr> 36 </tr>
37 <tr> 37 <tr>
38 <td class="description"><strong>Title</strong></td> 38 <td class="description"><strong>Title</strong></td>
39 <td><%= @page.title %></td> 39 <td><%= sanitize( @page.title ) %></td>
40 </tr> 40 </tr>
41 <tr> 41 <tr>
42 <td class="description"><strong>Abstract</strong></td> 42 <td class="description"><strong>Abstract</strong></td>
43 <td><%= @page.abstract %></td> 43 <td><%= sanitize( @page.abstract ) %></td>
44 </tr> 44 </tr>
45 <tr> 45 <tr>
46 <td class="description"><strong>Body</strong></td> 46 <td class="description"><strong>Body</strong></td>
47 <td><%= @page.body %></td> 47 <td><%= sanitize( @page.body ) %></td>
48 </tr> 48 </tr>
49 <tr> 49 <tr>
50 <td></td> 50 <td></td>
diff --git a/config/environment.rb b/config/environment.rb
index bff2a70..18415aa 100644
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -30,9 +30,19 @@ Rails::Initializer.run do |config|
30 # :all can be used as a placeholder for all plugins not explicitly named 30 # :all can be used as a placeholder for all plugins not explicitly named
31 # config.plugins = [ :exception_notification, :ssl_requirement, :all ] 31 # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
32 32
33 # Skip frameworks you're not going to use. To use Rails without a database, 33 # Allowed Tags
34 # you must remove the Active Record framework. 34 # strong em b i p code pre tt samp kbd var sub sup dfn cite big small
35 # config.frameworks -= [ :active_record, :active_resource, :action_mailer ] 35 # address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr
36 # acronym a img blockquote del ins
37
38 # Allowed Attributes:
39 # href src width height alt cite datetime title class name xml:lang abbr))
40
41 # Add tags to whitelist with:
42 # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
43
44 # Add attributes to whitelist with:
45 # config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
36 46
37 # Activate observers that should always be running 47 # Activate observers that should always be running
38 # config.active_record.observers = :cacher, :garbage_collector, :forum_observer 48 # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
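Review bot: The comment on new line 39 ends with a stray `))` after `abbr`, which reads like a paste artifact; it should be `# href src width height alt cite datetime title class name xml:lang abbr`. The documented allowlist keeps `a` with `href` and `img` with `src`, so the protection also depends on the sanitizer's protocol filtering (`config.action_view.sanitized_allowed_protocols` in the same namespace); a one-line comment noting that the default protocol list is what rejects script-bearing URLs, and how to adjust it, would make the section complete. The heading says "Add tags to whitelist" but the examples use `=`, which a reader may take as replacing the list; a short note that the setter merges into the defaults shown above (if that is the behaviour in this Rails version) would avoid someone narrowing the whitelist by accident.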