Revision details - Imports Mediacloth's revision r141 (Motiro)

Changes to mediawikilexer.rb

   # Sanitizes thw raw wiki input for dangerous HTML tags
   def sanitize(input)
     input.gsub(/<(\/?)([^\s>\/]+)([^>]*)>/) do
-      WHITELIST.include?($2.downcase) ? $& : "&lt;#{$1}#{$2}#{$3}&gt;"
+      atts = clean_attributes($3)
+      WHITELIST.include?($2.downcase) ? "<#{$1}#{$2}#{atts}>" :
+                                        "&lt;#{$1}#{$2}#{$3}&gt;"
     end
   end
+  def clean_attributes(input)
+    input.gsub(/on[^=]*=(['|"])[^\1]*\1/, '')
+  end
   def tokenize(input)
     @text = sanitize(input)

378	[:TEXT, "iii"], [:VARIABLE_END, "}}"], [:TEXT, "xxx"], [:VARIABLE_END, "}}"],	[:TEXT, "iii"], [:VARIABLE_END, "}}"], [:TEXT, "xxx"], [:VARIABLE_END, "}}"],	378
379	[:PARA_END, ""], [false, false]],	[:PARA_END, ""], [false, false]],	379
380	lex("{{xxx{{iii}}xxx}}"))	lex("{{xxx{{iii}}xxx}}"))	380
381	assert_equal([[:PARA_START, ""], [:TAG_START, "foo"], [:ATTR_NAME, "bar"], [:ATTR_VALUE, "{{ref}}"], [:TAG_END, ""],	assert_equal([[:PARA_START, ""], [:TAG_START, "span"], [:ATTR_NAME, "style"], [:ATTR_VALUE, "{{ref}}"], [:TAG_END, ""],	381
382	[:PARA_END, ""], [false, false]],	[:PARA_END, ""], [false, false]],	382
383	lex("<foo bar='{{ref}}'>"))	lex("<span style='{{ref}}'>"))	383
384	end	end	384
385			385
386	def test_xhtml_markup	def test_xhtml_markup	386

178	assert_no_sanitization "<SUP>Superscript</sup> and <CODE>code</CODE>"	assert_no_sanitization "<SUP>Superscript</sup> and <CODE>code</CODE>"	178
179	end	end	179
180			180
181	# TODO removes "on" attributes even in legal tags	def test_removes_on_attributes_even_from_legal_tags	181
		assert_sanitizes_to %{Here is some <b >bold</b> text},	182
		%{Here is some <b onMouseOver="alert('Cuidado!')">bold</b> text}	183
		end	184
182			185
183	private	private	186
184			187

User	Password	Confirmation	New user?