Patch #16087 » redmine-markdown-loofah.diff
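--- a/Gemfile
+++ b/Gemfile
@@ -32,6 +32,7 @@
 group :markdown do
 # TODO: upgrade to redcarpet 3.x when ruby1.8 support is dropped
 gem "redcarpet", "~> 2.3.0"
+gem "loofah", "~> 1.2.0"
 end
 end
 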
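--- a/lib/redmine/wiki_formatting/markdown/formatter.rb
+++ b/lib/redmine/wiki_formatting/markdown/formatter.rb
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 
 require 'cgi'
+require 'loofah'
 
 module Redmine
 module WikiFormatting
@@ -57,7 +58,8 @@
 html.gsub!(/(\w):"(.+?)"/) do
 "#{$1}:\"#{$2}\""
 end
-html
+# return scrubbed HTML
+Loofah.fragment(html).scrub!(:strip).to_s
 end
 
 def get_section(index)
@@ -119,7 +121,6 @@
 def formatter
 @@formatter ||= Redcarpet::Markdown.new(
 Redmine::WikiFormatting::Markdown::HTML.new(
-:filter_html => true,
 :hard_wrap => true
 ),
 :autolink => true,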
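Review bot: The `Loofah.fragment(html).scrub!(:strip).to_s` line becomes the only sanitization of author-supplied HTML once `:filter_html => true` is dropped from the renderer in the `def formatter` hunk below, so the two hunks are coupled: any caller that renders through `formatter` without passing through this method (presumably `to_html`, whose start is outside the hunk) would now emit unsanitized markup, and it is worth confirming this is the sole rendering path. The `# return scrubbed HTML` comment should record that dependency and the scrubber choice, e.g. `# Sole sanitization step: the renderer no longer filters HTML (see formatter), so strip unsafe elements/attributes here; :strip keeps the text of removed elements (:prune would drop it).` Note also that the `gsub!` rewrite of `x:"y"` sequences runs on the not-yet-scrubbed markup; harmless as written, but the ordering is worth a comment since the method's earlier lines are not in the hunk.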
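--- a/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb
+++ b/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb
@@ -60,5 +60,10 @@
 assert_equal '<p>This is a <a href="/issues">link</a></p>', @formatter.new(text).to_html.strip
 end
 
+def test_html_is_safe
+text = '<script>alert(1)</script> <b onclick="alert(1)">clickable</b> [bad link](javascript:alert(1\\))'
+assert_equal '<p>alert(1) <b>clickable</b> <a class="external">bad link</a></p>', @formatter.new(text).to_html.strip
+end
+
 end
 end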
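Review bot: `test_html_is_safe` pins the entire sanitized output to one string, so it fails on any Loofah safelist or serialization change (for example the `class="external"` attribute being dropped or reordered) even when the output is still safe, which makes the test brittle for the property it is meant to guard. Keep the equality check, but also state the security property directly with negative assertions, e.g. `html = @formatter.new(text).to_html` followed by `assert_no_match /<script|onclick|javascript:/i, html`, so a safelist update that keeps the output safe does not read as a security regression. A one-line comment above the method saying that the renderer no longer filters HTML and this test covers the Loofah scrub in `to_html` would also help the next maintainer understand why the expected string keeps the `alert(1)` text.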