Disable textile inline styles to prevent XSS attacks (#2377).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2192 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
a140c9bd74
commit
35f5e36838
@ -470,8 +470,7 @@ class RedCloth3 < String
|
|||
style << "vertical-align:#{ v_align( $& ) };" if text =~ A_VLGN
|
||||
end
|
||||
|
||||
style << "#{ htmlesc $1 };" if not filter_styles and
|
||||
text.sub!( /\{([^}]*)\}/, '' )
|
||||
style << "#{ htmlesc $1 };" if text.sub!( /\{([^}]*)\}/, '' ) && !filter_styles
|
||||
|
||||
lang = $1 if
|
||||
text.sub!( /\[([^)]+?)\]/, '' )
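Review bot: The rewritten `style <<` line still passes user-controlled CSS straight into the style attribute whenever `filter_styles` is false, and `htmlesc` only prevents breaking out of the attribute quotes — it does nothing against script carried inside CSS (`expression()`, `behavior:`, `url(javascript:…)` in the browsers of that era), so the protection rests entirely on every caller enabling the flag. A why-comment above the line would make that contract visible to the next maintainer: `# Always strip the {…} block from the text; only emit it as CSS when the caller has not set filter_styles. htmlesc stops attribute break-out, it does not sanitise CSS (#2377).` Note also that `text.sub!` removes only the first `{…}` group, so a second one stays as literal text rather than being interpreted — harmless, but worth stating. The enclosing method begins before this hunk.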
|
||||
@ -30,6 +30,7 @@ module Redmine
|
|||
super
|
||||
self.hard_breaks=true
|
||||
self.no_span_caps=true
|
||||
self.filter_styles=true
|
||||
end
|
||||
|
||||
def to_html(*rules, &block)
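Review bot: `self.filter_styles=true` is added without any explanation, and since `filter_styles` is a public RedCloth accessor nothing in this hunk prevents later code from switching it back off before `to_html` runs; a why-comment ties the setting to its reason: `# Drop user-supplied inline styles: CSS can smuggle script in some browsers (#2377)`. As far as this hunk shows, class and id attributes are still passed through — not an XSS vector on their own, but worth stating explicitly if that is intentional. The initializer's signature lies outside the hunk.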
|
||||
@ -69,7 +69,8 @@ class ApplicationHelperTest < HelperTestCase
|
|||
'!http://foo.bar/image.jpg!' => '<img src="http://foo.bar/image.jpg" alt="" />',
|
||||
'floating !>http://foo.bar/image.jpg!' => 'floating <div style="float:right"><img src="http://foo.bar/image.jpg" alt="" /></div>',
|
||||
'with class !(some-class)http://foo.bar/image.jpg!' => 'with class <img src="http://foo.bar/image.jpg" class="some-class" alt="" />',
|
||||
'with style !{width:100px;height100px}http://foo.bar/image.jpg!' => 'with style <img src="http://foo.bar/image.jpg" style="width:100px;height100px;" alt="" />',
|
||||
# inline styles should be stripped
|
||||
'with style !{width:100px;height100px}http://foo.bar/image.jpg!' => 'with style <img src="http://foo.bar/image.jpg" alt="" />',
|
||||
'with title !http://foo.bar/image.jpg(This is a title)!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a title" alt="This is a title" />',
|
||||
'with title !http://foo.bar/image.jpg(This is a double-quoted "title")!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a double-quoted "title"" alt="This is a double-quoted "title"" />',
|
||||
}
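Review bot: The new expectation only shows that a benign width/height block disappears from an image tag; it does not pin the property the commit is about, nor that the `{…}` text itself no longer leaks into the rendered output (the pre-change code left the braces in the text when filtering was on). Add a case with a hostile payload on a non-image element, something like `'%{color:red;background:url(javascript:alert(1))}span%' => '<span>span</span>'` — the exact expected markup should be confirmed against the formatter's output before committing. Separately, `height100px` in the fixture input is missing its colon; it is harmless here but reads as a typo, so `height:100px` would be clearer.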
|
||||