authorhukl <contact@smyck.org>2009-10-17 13:56:01 +0200
committerhukl <contact@smyck.org>2009-10-17 13:56:01 +0200
commitc36132551b62e7d249948712d6dc47be614c28a5 (patch)
tree03d259bc98c11defc0ab36e961f1d95d335833e4 /app
parentb7c233271b072ba408bfa9e9e8cc6fde7726c558 (diff)
Added sanitize calls to (hopefully) all critical templates to protect against cross-site scripting (XSS).
added section to environment.rb listing the whitelisted tags and attributes and examples on how to extend the list
Diffstat (limited to 'app')
-rw-r--r--app/helpers/content_helper.rb6
-rw-r--r--app/views/content/_front_page_calendar.html.erb2
-rw-r--r--app/views/custom/page_templates/public/no_date_and_author.html.erb2
-rw-r--r--app/views/custom/page_templates/public/standard_template.html.erb2
-rw-r--r--app/views/nodes/show.html.erb6
5 files changed, 9 insertions, 9 deletions
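--- a/app/helpers/content_helper.rb
+++ b/app/helpers/content_helper.rb
@@ -85,13 +85,13 @@ module ContentHelper
 
 options[:partial] = select_partial( options[:partial] )
 
-content.sub(tag, render_collection(options))
+sanitize( content.sub(tag, render_collection(options)) )
 else
-content
+sanitize( content )
 end
 
 rescue
-content
+sanatize( content )
 end
 end
 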
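Review bot: The fallback at line 94 calls `sanatize( content )`, a misspelling of `sanitize`, so any error caught by the bare `rescue` now surfaces as a NoMethodError raised from inside the rescue clause instead of returning the sanitized fallback the commit intends; it should read `sanitize( content )`. The method this belongs to starts above the hunk, so what `content` and `tag` are can't be seen here, but sanitizing after `content.sub(tag, render_collection(options))` also pushes the rendered partial's own markup through the whitelist, which may strip tags the partial legitimately emits — sanitizing `content` once before the substitution may be the intended behaviour, worth confirming. The bare `rescue` also discards the original exception; at minimum log it before falling back so template errors are not silently hidden.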
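--- a/app/views/content/_front_page_calendar.html.erb
+++ b/app/views/content/_front_page_calendar.html.erb
@@ -4,7 +4,7 @@
 <% occurrences.each do |occurrence| %>
 <li>
 <div><%= l occurrence.start_time.to_date, :format => :default %></div>
-<%= link_to_path occurrence.node.head.title, occurrence.node.unique_name %>
+<%= link_to_path sanitize( occurrence.node.head.title ), occurrence.node.unique_name %>
 </li>
 <% end %>
 </ul>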
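Review bot: `occurrence.node.unique_name` on line 7 is still passed raw as the link target while only the title is sanitized; unless `link_to_path` (not visible in this diff) escapes it or builds the href through a route helper, a name containing quotes or a `javascript:` scheme could still inject into the anchor — worth confirming in that helper. Separately, a node title is plain text, so `h( occurrence.node.head.title )` is the tighter choice here: `sanitize` still lets through whitelisted tags, so a title could nest its own markup inside the link text.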
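--- a/app/views/custom/page_templates/public/no_date_and_author.html.erb
+++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb
@@ -1,7 +1,7 @@
 <div class="article">
 <h2><%= @page.title %></h2>
 <hr class="subtitle" />
-<p><em><%= @page.abstract %></em></p>
+<p><em><%= sanitize( @page.abstract ) %></em></p>
 <div id="headline_image"><%= headline_image %></div>
 <%= aggregate?(@page.body) %>
 </div>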
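Review bot: `@page.title` on line 2 is still rendered unescaped while the abstract two lines below is now sanitized; a title is plain text, so `<h2><%= h @page.title %></h2>` closes that gap. nodes/show.html.erb in this same commit does sanitize the title, so this looks like an omission rather than a decision. `headline_image` and `aggregate?(@page.body)` are helpers not shown here; `aggregate?` gains sanitize in content_helper.rb in this commit, but whether `headline_image` escapes what it interpolates can't be confirmed from this hunk.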
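--- a/app/views/custom/page_templates/public/standard_template.html.erb
+++ b/app/views/custom/page_templates/public/standard_template.html.erb
@@ -2,7 +2,7 @@
 <h2><%= @page.title %></h2>
 <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3>
 <hr class="subtitle" />
-<p><em><%= @page.abstract %></em></p>
+<p><em><%= sanitize( @page.abstract )%></em></p>
 <div id="headline_image"><%= headline_image %></div>
 <%= aggregate?(@page.body) %>
 </div>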
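Review bot: `@page.title` on line 2 and `@page.user.try(:login)` on line 3 are both still output without escaping even though the abstract on line 5 is now sanitized; `<h2><%= h @page.title %></h2>` and `<%= h @page.user.try(:login) %>` would cover them, and since both are plain text `h` is preferable to `sanitize`. The same unescaped title appears in no_date_and_author.html.erb in this commit. Minor style point: `sanitize( @page.abstract )%>` lacks the space before `%>` that the sibling templates use.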
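--- a/app/views/nodes/show.html.erb
+++ b/app/views/nodes/show.html.erb
@@ -36,15 +36,15 @@
 </tr>
 <tr>
 <td class="description"><strong>Title</strong></td>
-<td><%= @page.title %></td>
+<td><%= sanitize( @page.title ) %></td>
 </tr>
 <tr>
 <td class="description"><strong>Abstract</strong></td>
-<td><%= @page.abstract %></td>
+<td><%= sanitize( @page.abstract ) %></td>
 </tr>
 <tr>
 <td class="description"><strong>Body</strong></td>
-<td><%= @page.body %></td>
+<td><%= sanitize( @page.body ) %></td>
 </tr>
 <tr>
 <td></td>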
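Review bot: `sanitize( @page.title )` on line 39 keeps every whitelisted tag inside a field that is displayed as plain text in a table cell; `h( @page.title )` is the tighter choice there, leaving `sanitize` for the rich-text abstract and body on lines 43 and 47. The protection those two lines give depends entirely on the whitelist the commit message says is configured in environment.rb, which is not in this diff: adding `style`, `on*` event attributes, `<script>` or `<iframe>` to that list would reopen XSS, so the extension examples there deserve a warning comment to that effect. Whether `javascript:` URLs in `href`/`src` of whitelisted tags are stripped by the configured sanitizer can't be verified from this hunk — worth covering with a test case.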