0002-introduces-a-standalone-html-sanitizer-class.patch

Jens Krämer, 2022-10-04 13:32

Download (3.15 KB)

View differences:

lib/redmine/wiki_formatting/html_sanitizer.rb
1
module Redmine
2
  module WikiFormatting
3

  
4
    # Combination of SanitizationFilter and ExternalLinksFilter
5
    class HtmlSanitizer
6

  
7
      Pipeline = HTML::Pipeline.new([
8
        Redmine::WikiFormatting::CommonMark::SanitizationFilter,
9
        Redmine::WikiFormatting::CommonMark::ExternalLinksFilter,
10
      ], {})
11

  
12
      def self.call(html)
13
        result = Pipeline.call html
14
        result[:output].to_s
15
      end
16
    end
17

  
18
  end
19
end
test/unit/lib/redmine/wiki_formatting/html_sanitizer_test.rb
1
# frozen_string_literal: true
2

  
3
# Redmine - project management software
4
# Copyright (C) 2006-2021  Jean-Philippe Lang
5
#
6
# This program is free software; you can redistribute it and/or
7
# modify it under the terms of the GNU General Public License
8
# as published by the Free Software Foundation; either version 2
9
# of the License, or (at your option) any later version.
10
#
11
# This program is distributed in the hope that it will be useful,
12
# but WITHOUT ANY WARRANTY; without even the implied warranty of
13
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14
# GNU General Public License for more details.
15
#
16
# You should have received a copy of the GNU General Public License
17
# along with this program; if not, write to the Free Software
18
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
19

  
20
require File.expand_path('../../../../../test_helper', __FILE__)
21

  
22
class Redmine::WikiFormatting::HtmlSanitizerTest < ActiveSupport::TestCase
23

  
24
  def setup
25
    @sanitizer = Redmine::WikiFormatting::HtmlSanitizer
26
  end
27

  
28
  def test_should_allow_links_with_safe_url_schemes_and_append_external_class
29
    %w(http https ftp ssh foo).each do |scheme|
30
      input = %(<a href="#{scheme}://example.org/">foo</a>)
31
      assert_equal %(<a href="#{scheme}://example.org/" class="external">foo</a>), @sanitizer.call(input)
32
    end
33
  end
34

  
35
  def test_should_reject_links_with_unsafe_url_schemes
36
    input = %(<a href="javascript:alert('hello');">foo</a>)
37
    assert_equal "<a>foo</a>", @sanitizer.call(input)
38
  end
39
end
0
-