Changesets can be listed by changeset number.
The Git repository is here.
Changeset 451
Tighten up filtering of Textile and HTML markup in forum posts, given
that spammers now sometimes get in and make posts. Use the mechanism
therein to fix Ticket #354, albeit at some significant speed penalty;
this occurs only when new posts are created or old posts are edited
and isn't too large compared with the wider request activity, for
typical length posts.
- Comitted by: rool
- Date: Wednesday September 04 09:21:32 2013 (over 11 years ago)
Affected files:
rool/rails/beast/trunk/config/environment.rb (diff)
-
rool/rails/beast/trunk/vendor/plugins/white_list/lib/white_list_helper.rb (diff)
-
rool/rails/beast/trunk/vendor/plugins/white_list_formatted_content/init.rb (diff)
rool/rails/beast/trunk/config/environment.rb:
| prev. | current | |
| end | ||
| end | ||
| 70 | ||
| 70 | # 2013-09-04 (ADH): A custom vendor/plugins/white_list implementation | |
| 71 | # allows for empty attributes lists, meaning "pass all". We use its | |
| 72 | # block parameter to pass a custom block too. This checks the bad_tags | |
| 73 | # list set up below and returns the HTML escaped result. Otherwise it | |
| 74 | # lets it through. That way, we turn white listing into black listing, | |
| 75 | # as in general forum users are trusted, but in the last year or so a | |
| 76 | # number of spammers have got through the Hub captcha and shown that | |
| 77 | # users aren't quite as trustworthy as they used to be. | |
| 79 | WhiteListHelper.attributes = Set.new() | |
| 80 | WhiteListHelper.tags = Set.new() # So everything is passed to the custom block as if 'bad' | |
| 81 | ||
| 82 | WhiteListHelper.bad_tags.merge(%w(object param embed frame iframe)) |
rool/rails/beast/trunk/vendor/plugins/white_list/lib/white_list_helper.rb:
| prev. | current | |
| # Change allowed attributes | ||
| # | ||
| # WhiteListHelper.attributes.merge %w(id class style) | ||
| 32 | # | |
| 33 | # 2013-09-04 (ADH): If the attributes lists is empty, any attribute is allowed, except for "bad protocol" data which is still stripped. | |
| # | ||
| # white_list accepts a block for custom tag escaping. Shown below is the default block that white_list uses if none is given. | ||
| # The block is called for all bad tags, and every text node. node is an instance of HTML::Node (either HTML::Tag or HTML::Text). | ||
| ... | ... | |
| bad = nil | ||
| if node.closing != :close | ||
| node.attributes.delete_if do |attr_name, value| | ||
| 58 | | |
| 60 | (!attrs.empty? && !attrs.include?(attr_name)) || (PROTOCOL_ATTRIBUTES.include?(attr_name) && contains_bad_protocols?(value)) | |
| end if attributes.any? | ||
| end | ||
| node | ||
| ... | ... | |
| WhiteListHelper.bad_tags = %w(script) | ||
| WhiteListHelper.tags = %w(strong em b i p code pre tt output samp kbd var sub sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr acronym a img blockquote del ins fieldset legend) | ||
| WhiteListHelper.attributes = %w(href src width height alt cite datetime title class) | ||
| 79 | ||
| 82 | WhiteListHelper.protocols = %w(ed2k ftp http https irc mailto news gopher nntp telnet webcal xmpp callto feed) |
rool/rails/beast/trunk/vendor/plugins/white_list_formatted_content/init.rb:
| prev. | current | |
| body.strip! if body.respond_to?(:strip!) | ||
| self.body_html = body.blank? ? '' : body_html_with_formatting | ||
| end | ||
| 20 | | |
| 20 | ||
| 21 | # 2013-09-04 (ADH): See "body_html_with_formatting" for ddetails. | |
| 22 | # | |
| 23 | FOOTNOTE_NAME_REGEXP = Regexp.new('^fnr?\d+$') # E.g. "fn30" or "fnr30" | |
| 24 | FOOTNOTE_HREF_REGEXP = Regexp.new('^#fnr?\d+$') # E.g. "#fn30" or "#fnr30" | |
| 25 | ||
| def body_html_with_formatting | ||
| 22 | | |
| 24 | | |
| 28 | # 2013-09-04 (ADH): | |
| # | ||
| 26 | | |
| 27 | | |
| 30 | # On the assumption we are called within a new Post or an edited Post, | |
| 31 | # generate a reasonably-likely-to-be-unique ID. We can't use the model | |
| 32 | # ID as in the "new" case it hasn't been saved yet so doesn't have one. | |
| # | ||
| 29 | | |
| 30 | | |
| 34 | # We'll use this to patch up Textile footnote references. There's no | |
| 35 | # way to ask Textile to add a suffix to the IDs and names it generates, | |
| 36 | # so instead postprocess the output since we're being called for all | |
| 37 | # generated HTML notes by the white list engine anyway (see | |
| 38 | # WhiteListHelper stuff in "config/environment.rb" for details). If we | |
| 39 | # don't do this, multiple posts on a page can contain the same foonote | |
| 40 | # IDs/names resulting in invalid HTML and useless HTML anchors. | |
| 41 | # | |
| 42 | # Since the ID is only used for that specific case, we're not *too* | |
| 43 | # worried if it turns out to be non-unique, but given it's based on | |
| 44 | # the time of day down to the microsecond and the post's user ID, it | |
| 45 | # is *extremely* unlikely that a real user would be able to generate | |
| 46 | # two posts with the same ID suffix for footnotes! | |
| 47 | # | |
| 48 | now = Time.now | |
| 49 | fn_id_sfx = "#{now.to_i}#{now.usec}#{self.user_id || 0}" | |
| 50 | ||
| 51 | # Generate the body by auto-linking, running through RedCloth and then | |
| 52 | # passing it to the white list engine which in turn calls back for all | |
| 53 | # of the HTML nodes. | |
| 54 | # | |
| 55 | body_html = auto_link body { |text| truncate(text, 50) } | |
| 56 | white_list(RedCloth.new(body_html).to_html) do | node, bad | | |
| 57 | if WhiteListHelper.bad_tags.include?(bad) | |
| 58 | node.to_s.gsub(/</, '<') | |
| 59 | else | |
| 60 | node.class == HTML::Tag && node.attributes && case(bad) | |
| 61 | when "sup", "p" | |
| 62 | if (node.attributes['class'] == 'footnote') | |
| 63 | match = FOOTNOTE_NAME_REGEXP.match(node.attributes['id'] || '') | |
| 64 | node.attributes['id'] << fn_id_sfx if (match) | |
| 65 | end | |
| 66 | when "a" | |
| 67 | match = FOOTNOTE_HREF_REGEXP.match(node.attributes['href'] || '') | |
| 68 | node.attributes['href'] << fn_id_sfx if (match) | |
| 69 | end | |
| 70 | ||
| 71 | node.to_s | |
| 72 | end | |
| 73 | end | |
| end | ||
| 32 | ||
| 76 | end |
