openSUSE:Leap:42.3:Update
rubygem-rails-html-sanitizer
CVE-2015-7579.patch
File CVE-2015-7579.patch of Package rubygem-rails-html-sanitizer
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb index f40bf6b..68ae6d2 100644 --- a/lib/rails/html/sanitizer.rb +++ b/lib/rails/html/sanitizer.rb @@ -13,6 +13,10 @@ module Rails node.xpath(*xpaths).remove node end + + def properly_encode(fragment, options) + fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options) + end end # === Rails::Html::FullSanitizer @@ -26,9 +30,12 @@ module Rails return unless html return html if html.empty? - Loofah.fragment(html).tap do |fragment| - remove_xpaths(fragment, XPATHS_TO_REMOVE) - end.text(options) + loofah_fragment = Loofah.fragment(html) + + remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE) + loofah_fragment.scrub!(TextOnlyScrubber.new) + + properly_encode(loofah_fragment, encoding: 'UTF-8') end end @@ -140,10 +147,6 @@ module Rails def allowed_attributes(options) options[:attributes] || self.class.allowed_attributes end - - def properly_encode(fragment, options) - fragment.xml? ? fragment.to_xml(options) : fragment.to_html(options) - end end end end diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb index 7cc5591..401eab9 100644 --- a/lib/rails/html/scrubbers.rb +++ b/lib/rails/html/scrubbers.rb @@ -169,5 +169,25 @@ module Rails @attributes.include?(name) end end + + # === Rails::Html::TextOnlyScrubber + # + # Rails::Html::TextOnlyScrubber allows you to permit text nodes. + # + # Unallowed elements will be stripped, i.e. element is removed but its subtree kept. + class TextOnlyScrubber < Loofah::Scrubber + def initialize + @direction = :bottom_up + end + + def scrub(node) + if node.text? + CONTINUE + else + node.before node.children + node.remove + end + end + end end end
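Review bot: in the second sanitizer.rb hunk (FullSanitizer#sanitize), the `options` hash that the removed `.text(options)` call consumed is no longer read anywhere in the method; `properly_encode(loofah_fragment, encoding: 'UTF-8')` hard-codes the serialization options instead. If caller-supplied options are now deliberately ignored so that no option can weaken the escaping of the output, state that in a comment and consider dropping the parameter; otherwise merge them with the UTF-8 default. The ordering in this hunk also deserves a one-line comment: `remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)` must run before `scrub!(TextOnlyScrubber.new)`, because the scrubber hoists every element's children into its parent, so any subtree matched by XPATHS_TO_REMOVE that was still present at that point would have its text kept rather than dropped.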
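Review bot: in the scrubbers.rb hunk, `TextOnlyScrubber#initialize` assigns `@direction = :bottom_up` directly and never calls `super`, so whatever setup `Loofah::Scrubber`'s own constructor performs is skipped; calling `super` (passing the bottom-up direction if the parent constructor accepts it) or documenting why it is bypassed would make this less fragile against upstream changes. The doc comment should also spell out the security-relevant contract: every node for which `node.text?` is false (elements, but also comments) is replaced by its children via `node.before node.children; node.remove`, so after the bottom-up pass only text nodes survive and the subsequent `to_html` entity-encodes them; the current wording "allows you to permit text nodes" undersells that this is a strip-everything scrubber. A small spec with nested elements and a comment node would pin that behaviour down.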