From c36132551b62e7d249948712d6dc47be614c28a5 Mon Sep 17 00:00:00 2001 From: hukl Date: Sat, 17 Oct 2009 13:56:01 +0200 Subject: added sanitize statements to hopefully all critical templates to protect against cross site scripting. added section to environment.rb listing the whitelisted tags and attributes and examples on how to extend the list --- app/helpers/content_helper.rb | 6 +++--- app/views/content/_front_page_calendar.html.erb | 2 +- .../page_templates/public/no_date_and_author.html.erb | 2 +- .../page_templates/public/standard_template.html.erb | 2 +- app/views/nodes/show.html.erb | 6 +++--- config/environment.rb | 16 +++++++++++++--- 6 files changed, 22 insertions(+), 12 deletions(-) diff --git a/app/helpers/content_helper.rb b/app/helpers/content_helper.rb index 2eb0c4d..9eb7d7e 100644 --- a/app/helpers/content_helper.rb +++ b/app/helpers/content_helper.rb @@ -85,13 +85,13 @@ module ContentHelper options[:partial] = select_partial( options[:partial] ) - content.sub(tag, render_collection(options)) + sanitize( content.sub(tag, render_collection(options)) ) else - content + sanitize( content ) end rescue - content + sanatize( content ) end end diff --git a/app/views/content/_front_page_calendar.html.erb b/app/views/content/_front_page_calendar.html.erb index 1a409a6..e7f46ba 100644 --- a/app/views/content/_front_page_calendar.html.erb +++ b/app/views/content/_front_page_calendar.html.erb @@ -4,7 +4,7 @@ <% occurrences.each do |occurrence| %>
  • <%= l occurrence.start_time.to_date, :format => :default %>
    - <%= link_to_path occurrence.node.head.title, occurrence.node.unique_name %> + <%= link_to_path sanitize( occurrence.node.head.title ), occurrence.node.unique_name %>
  • <% end %> diff --git a/app/views/custom/page_templates/public/no_date_and_author.html.erb b/app/views/custom/page_templates/public/no_date_and_author.html.erb index 08911ff..ef60961 100644 --- a/app/views/custom/page_templates/public/no_date_and_author.html.erb +++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb @@ -1,7 +1,7 @@

    <%= @page.title %>


    -

    <%= @page.abstract %>

    +

    <%= sanitize( @page.abstract ) %>

    <%= headline_image %>
    <%= aggregate?(@page.body) %>
    diff --git a/app/views/custom/page_templates/public/standard_template.html.erb b/app/views/custom/page_templates/public/standard_template.html.erb index 9ce3e94..d4c80aa 100644 --- a/app/views/custom/page_templates/public/standard_template.html.erb +++ b/app/views/custom/page_templates/public/standard_template.html.erb @@ -2,7 +2,7 @@

    <%= @page.title %>

    <%= date_for_page @page %>, <%= @page.user.try(:login) %>


    -

    <%= @page.abstract %>

    +

    <%= sanitize( @page.abstract )%>

    <%= headline_image %>
    <%= aggregate?(@page.body) %> diff --git a/app/views/nodes/show.html.erb b/app/views/nodes/show.html.erb index 8f56c7c..99fb264 100644 --- a/app/views/nodes/show.html.erb +++ b/app/views/nodes/show.html.erb @@ -36,15 +36,15 @@ Title - <%= @page.title %> + <%= sanitize( @page.title ) %> Abstract - <%= @page.abstract %> + <%= sanitize( @page.abstract ) %> Body - <%= @page.body %> + <%= sanitize( @page.body ) %> diff --git a/config/environment.rb b/config/environment.rb index bff2a70..18415aa 100644 --- a/config/environment.rb +++ b/config/environment.rb @@ -30,9 +30,19 @@ Rails::Initializer.run do |config| # :all can be used as a placeholder for all plugins not explicitly named # config.plugins = [ :exception_notification, :ssl_requirement, :all ] - # Skip frameworks you're not going to use. To use Rails without a database, - # you must remove the Active Record framework. - # config.frameworks -= [ :active_record, :active_resource, :action_mailer ] + # Allowed Tags + # strong em b i p code pre tt samp kbd var sub sup dfn cite big small + # address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr + # acronym a img blockquote del ins + + # Allowed Attributes: + # href src width height alt cite datetime title class name xml:lang abbr)) + + # Add tags to whitelist with: + # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' + + # Add attributes to whitelist with: + # config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' # Activate observers that should always be running # config.active_record.observers = :cacher, :garbage_collector, :forum_observer -- cgit v1.3