From c36132551b62e7d249948712d6dc47be614c28a5 Mon Sep 17 00:00:00 2001 From: hukl Date: Sat, 17 Oct 2009 13:56:01 +0200 Subject: added sanitize statements to hopefully all critical templates to protect against cross site scripting. added section to environment.rb listing the whitelisted tags and attributes and examples on how to extend the list --- app/helpers/content_helper.rb | 6 +++--- app/views/content/_front_page_calendar.html.erb | 2 +- app/views/custom/page_templates/public/no_date_and_author.html.erb | 2 +- app/views/custom/page_templates/public/standard_template.html.erb | 2 +- app/views/nodes/show.html.erb | 6 +++--- 5 files changed, 9 insertions(+), 9 deletions(-) (limited to 'app') diff --git a/app/helpers/content_helper.rb b/app/helpers/content_helper.rb index 2eb0c4d..9eb7d7e 100644 --- a/app/helpers/content_helper.rb +++ b/app/helpers/content_helper.rb @@ -85,13 +85,13 @@ module ContentHelper options[:partial] = select_partial( options[:partial] ) - content.sub(tag, render_collection(options)) + sanitize( content.sub(tag, render_collection(options)) ) else - content + sanitize( content ) end rescue - content + sanatize( content ) end end diff --git a/app/views/content/_front_page_calendar.html.erb b/app/views/content/_front_page_calendar.html.erb index 1a409a6..e7f46ba 100644 --- a/app/views/content/_front_page_calendar.html.erb +++ b/app/views/content/_front_page_calendar.html.erb @@ -4,7 +4,7 @@ <% occurrences.each do |occurrence| %>
  • <%= l occurrence.start_time.to_date, :format => :default %>
    - <%= link_to_path occurrence.node.head.title, occurrence.node.unique_name %> + <%= link_to_path sanitize( occurrence.node.head.title ), occurrence.node.unique_name %>
  • <% end %> diff --git a/app/views/custom/page_templates/public/no_date_and_author.html.erb b/app/views/custom/page_templates/public/no_date_and_author.html.erb index 08911ff..ef60961 100644 --- a/app/views/custom/page_templates/public/no_date_and_author.html.erb +++ b/app/views/custom/page_templates/public/no_date_and_author.html.erb @@ -1,7 +1,7 @@

    <%= @page.title %>


    -

    <%= @page.abstract %>

    +

    <%= sanitize( @page.abstract ) %>

    <%= headline_image %>
    <%= aggregate?(@page.body) %>
    diff --git a/app/views/custom/page_templates/public/standard_template.html.erb b/app/views/custom/page_templates/public/standard_template.html.erb index 9ce3e94..d4c80aa 100644 --- a/app/views/custom/page_templates/public/standard_template.html.erb +++ b/app/views/custom/page_templates/public/standard_template.html.erb @@ -2,7 +2,7 @@

    <%= @page.title %>

    <%= date_for_page @page %>, <%= @page.user.try(:login) %>


    -

    <%= @page.abstract %>

    +

    <%= sanitize( @page.abstract )%>

    <%= headline_image %>
    <%= aggregate?(@page.body) %> diff --git a/app/views/nodes/show.html.erb b/app/views/nodes/show.html.erb index 8f56c7c..99fb264 100644 --- a/app/views/nodes/show.html.erb +++ b/app/views/nodes/show.html.erb @@ -36,15 +36,15 @@ Title - <%= @page.title %> + <%= sanitize( @page.title ) %> Abstract - <%= @page.abstract %> + <%= sanitize( @page.abstract ) %> Body - <%= @page.body %> + <%= sanitize( @page.body ) %> -- cgit v1.3