Imports changes from Mediacloth revisions r138-139
| 159 | # Sanitizes thw raw wiki input for dangerous HTML tags | # Sanitizes thw raw wiki input for dangerous HTML tags | 159 |
|---|---|---|---|
| 160 | def sanitize(input) | def sanitize(input) | 160 |
| 161 | input.gsub(/<(\/?)([^\s>\/]+)([^>]*)>/) do | input.gsub(/<(\/?)([^\s>\/]+)([^>]*)>/) do | 161 |
| 162 | WHITELIST.include?($2) ? $& : "<#{$1}#{$2}#{$3}>" | WHITELIST.include?($2.downcase) ? $& : "<#{$1}#{$2}#{$3}>" | 162 |
| 163 | end | end | 163 |
| 164 | end | end | 164 |
| 165 | 165 |
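Review bot: The downcased comparison on line 162 normalises only the tag name; the attribute text captured in `$3` is passed through untouched for whitelisted tags, and because the pattern requires a terminating `>`, a tag left unterminated at end of input is never matched and is returned verbatim. As rendered, the else branch `"<#{$1}#{$2}#{$3}>"` rebuilds exactly what `$&` already holds, so the `&lt;`/`&gt;` entities have presumably been decoded by the page and should be confirmed in the source. A header comment stating the contract would help readers: `# Keeps tags whose name (compared case-insensitively) is in WHITELIST; attributes are not filtered here.`, and `thw` on line 159 is a typo for `the`.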
| 165 | </form>} | </form>} | 165 |
|---|---|---|---|
| 166 | end | end | 166 |
| 167 | 167 | ||
| 168 | # TODO sanitize tags with closing spaces | def test_keeps_and_sanitizes_with_spaces_before_the_closing_bracket | 168 |
assert_sanitizes_to %{Here is some <b >bold</b> and <em>emphasized</em > | 169 | ||
text. But <script type="text/javascript" >alert('scripts')</script > | 170 | ||
get sanitized}, | 171 | ||
%{Here is some <b >bold</b> and <em>emphasized</em > | 172 | ||
text. But <script type="text/javascript" >alert('scripts')</script > | 173 | ||
get sanitized} | 174 | ||
end | 175 | ||
| 176 | |||
def test_ignores_case_for_whitelisted_tags | 177 | ||
assert_no_sanitization "<SUP>Superscript</sup> and <CODE>code</CODE>" | 178 | ||
end | 179 | ||
| 180 | |||
| 169 | # TODO removes "on" attributes even in legal tags | # TODO removes "on" attributes even in legal tags | 181 |
| 170 | 182 | ||
| 171 | private | private | 183 |
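Review bot: The new case-insensitivity test on lines 177–179 only shows that mixed-case whitelisted tags survive; there is no companion assertion that a non-whitelisted tag in mixed case, such as `<SCRIPT>`, is still sanitized after the downcase change, so a regression in that direction would go unnoticed. A `test_sanitizes_dangerous_tags_regardless_of_case` calling `assert_sanitizes_to` with a mixed-case script tag and the escaped form the other tests use would pin that. As rendered, the input and expected strings of test_keeps_and_sanitizes_with_spaces_before_the_closing_bracket (168–175) are identical, which presumably means the escaped entities in the expected value were decoded by the page; worth confirming the source still asserts escaping. The test method ending at line 166 starts outside the hunk.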