| author | hukl <contact@smyck.org> | 2009-10-17 13:56:01 +0200 |
|---|---|---|
| committer | hukl <contact@smyck.org> | 2009-10-17 13:56:01 +0200 |
| commit | c36132551b62e7d249948712d6dc47be614c28a5 (patch) | |
| tree | 03d259bc98c11defc0ab36e961f1d95d335833e4 /app | |
| parent | b7c233271b072ba408bfa9e9e8cc6fde7726c558 (diff) | |
Added sanitize calls to (hopefully) all critical templates to protect against cross-site scripting (XSS).
added section to environment.rb listing the whitelisted tags and attributes and examples on how to extend the list
Diffstat (limited to 'app')
| -rw-r--r-- | app/helpers/content_helper.rb | 6 | ||||
| -rw-r--r-- | app/views/content/_front_page_calendar.html.erb | 2 | ||||
| -rw-r--r-- | app/views/custom/page_templates/public/no_date_and_author.html.erb | 2 | ||||
| -rw-r--r-- | app/views/custom/page_templates/public/standard_template.html.erb | 2 | ||||
| -rw-r--r-- | app/views/nodes/show.html.erb | 6 |
5 files changed, 9 insertions, 9 deletions
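--- a/app/helpers/content_helper.rb
+++ b/app/helpers/content_helper.rb
@@ -85,13 +85,13 @@ module ContentHelper
 
 options[:partial] = select_partial( options[:partial] )
 
-content.sub(tag, render_collection(options))
+sanitize( content.sub(tag, render_collection(options)) )
 else
-content
+sanitize( content )
 end
 
 rescue
-content
+sanatize( content )
 end
 end
 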
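Review bot: The rescue branch at new line 94 calls `sanatize( content )`, a typo for `sanitize`; because it sits inside the rescue clause, any error on the main path now surfaces as a NoMethodError instead of returning sanitized content, and the fallback also returns the raw string if someone "fixes" it by removing the call. Change it to `sanitize( content )`. The bare `rescue` still swallows the original exception silently, so consider logging `$!` before falling back so template errors are not hidden behind a sanitized copy of the input. The enclosing method starts before this hunk.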
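--- a/app/views/content/_front_page_calendar.html.erb
+++ b/app/views/content/_front_page_calendar.html.erb
@@ -4,7 +4,7 @@
 <% occurrences.each do |occurrence| %>
 <li>
 <div><%= l occurrence.start_time.to_date, :format => :default %></div>
-<%= link_to_path occurrence.node.head.title, occurrence.node.unique_name %>
+<%= link_to_path sanitize( occurrence.node.head.title ), occurrence.node.unique_name %>
 </li>
 <% end %>
 </ul>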
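Review bot: `sanitize` on `occurrence.node.head.title` still lets every whitelisted tag and attribute through into the link text, but a title is plain text that never needs markup; `h(occurrence.node.head.title)` (full escaping) is the tighter choice on line 7. The second argument `occurrence.node.unique_name` is passed to `link_to_path` unchanged, and whether that helper escapes it inside the href cannot be seen from this hunk; if it does not, a unique_name containing `"` or a `javascript:` prefix would land in the attribute, so that helper should be checked as part of this fix.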
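--- a/app/views/custom/page_templates/public/no_date_and_author.html.erb
+++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb
@@ -1,7 +1,7 @@
 <div class="article">
 <h2><%= @page.title %></h2>
 <hr class="subtitle" />
-<p><em><%= @page.abstract %></em></p>
+<p><em><%= sanitize( @page.abstract ) %></em></p>
 <div id="headline_image"><%= headline_image %></div>
 <%= aggregate?(@page.body) %>
 </div>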
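Review bot: Line 2 of this same hunk still renders `<h2><%= @page.title %></h2>` unescaped while only the abstract receives `sanitize`; the title is user-controlled page content just like the abstract, so one XSS sink remains in this template after the change. Use `<h2><%= h(@page.title) %></h2>`, since a heading needs no markup and full escaping is stricter than the whitelist. `headline_image` on line 5 is also output raw; I cannot tell from here whether that helper escapes the attributes it builds, so it is worth confirming rather than assuming.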
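--- a/app/views/custom/page_templates/public/standard_template.html.erb
+++ b/app/views/custom/page_templates/public/standard_template.html.erb
@@ -2,7 +2,7 @@
 <h2><%= @page.title %></h2>
 <h3><%= date_for_page @page %>, <%= @page.user.try(:login) %></h3>
 <hr class="subtitle" />
-<p><em><%= @page.abstract %></em></p>
+<p><em><%= sanitize( @page.abstract )%></em></p>
 <div id="headline_image"><%= headline_image %></div>
 <%= aggregate?(@page.body) %>
 </div>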
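Review bot: `@page.title` on line 2 and `@page.user.try(:login)` on line 3 remain unescaped after this change; both are user-supplied strings written straight into the page, so sanitizing only the abstract leaves two sinks in the same template. Change them to `<h2><%= h(@page.title) %></h2>` and `<%= h(@page.user.try(:login)) %>` — neither value should carry markup, so full escaping is preferable to the whitelist here. The new line 5 also drops the space before `%>` (`sanitize( @page.abstract )%>`), which ERB tolerates but is inconsistent with the sibling template in this commit.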
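--- a/app/views/nodes/show.html.erb
+++ b/app/views/nodes/show.html.erb
@@ -36,15 +36,15 @@
 </tr>
 <tr>
 <td class="description"><strong>Title</strong></td>
-<td><%= @page.title %></td>
+<td><%= sanitize( @page.title ) %></td>
 </tr>
 <tr>
 <td class="description"><strong>Abstract</strong></td>
-<td><%= @page.abstract %></td>
+<td><%= sanitize( @page.abstract ) %></td>
 </tr>
 <tr>
 <td class="description"><strong>Body</strong></td>
-<td><%= @page.body %></td>
+<td><%= sanitize( @page.body ) %></td>
 </tr>
 <tr>
 <td></td>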
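Review bot: `sanitize( @page.title )` on line 39 lets the whitelisted tags through into the cell, but a title is plain text; `<td><%= h(@page.title) %></td>` is the stricter form and keeps the whitelist for fields that genuinely carry markup. For `@page.body` on line 47 `sanitize` is the right tool, but the effective protection then rests entirely on the tag/attribute list the description says lives in environment.rb, which is outside this diff; if that list adds URL-bearing attributes such as `href` or `src` on extra tags, make sure the sanitizer's protocol check still applies so `javascript:` values are dropped rather than passed through. The enclosing table continues outside the hunk.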
