From 869ccad6ba87d8d7ca848b0254a59065b7456bf8 Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 15 Jun 2017 20:34:38 -0500
Subject: [PATCH] notes: allow all elements to have style/title attributes.

---
 app/logical/note_sanitizer.rb | 24 ++++++++++++++++--------
 test/unit/note_sanitizer_test.rb | 5 +++++
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/app/logical/note_sanitizer.rb b/app/logical/note_sanitizer.rb
index baf53bfd0..ad486bdf4 100644
--- a/app/logical/note_sanitizer.rb
+++ b/app/logical/note_sanitizer.rb
@@ -1,17 +1,25 @@
 module NoteSanitizer
+ ALLOWED_ELEMENTS = %w(
+ code center tn h1 h2 h3 h4 h5 h6 a span div blockquote br p ul li ol em
+ strong small big b i font u s pre ruby rb rt rp
+ )
+
+ ALLOWED_ATTRIBUTES = {
+ :all => %w(style title),
+ "a" => %w(href),
+ "span" => %w(class),
+ "div" => %w(class align),
+ "p" => %w(class align),
+ "font" => %w(color size),
+ }
+
 def self.sanitize(text)
 text.gsub!(/<( |-|3|:|>|\Z)/, "<\\1")

 Sanitize.clean(
 text,
- :elements => %w(code center tn h1 h2 h3 h4 h5 h6 a span div blockquote br p ul li ol em strong small big b i font u s pre ruby rb rt rp),
- :attributes => {
- "a" => %w(href title style),
- "span" => %w(class style),
- "div" => %w(class style align),
- "p" => %w(class style align),
- "font" => %w(color size style)
- },
+ :elements => ALLOWED_ELEMENTS,
+ :attributes => ALLOWED_ATTRIBUTES,
 :protocols => {
 "a" => {
 "href" => ["http", "https", :relative]
diff --git a/test/unit/note_sanitizer_test.rb b/test/unit/note_sanitizer_test.rb
index 8a089825d..3394219ea 100644
--- a/test/unit/note_sanitizer_test.rb
+++ b/test/unit/note_sanitizer_test.rb
@@ -11,5 +11,10 @@ class NoteSanitizerTest < ActiveSupport::TestCase
 body = '
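Review bot: `:all => %w(style title)` lets every allowed element carry an inline `style`, and nothing in this hunk constrains the CSS inside it, so note authors can now place arbitrary declarations (including overlays or `url()` references) on elements such as `b`, `pre` or `li` that previously could not take `style` at all. The Sanitize.clean call continues past the end of the hunk, so a `:css` config may already be set there; if it is not, pass an explicit property whitelist, for example `:css => { :properties => %w(color font-size) }` (Sanitize's built-in CSS sanitizer also accepts a `:protocols` list for `url()`), or at least add a comment above `ALLOWED_ATTRIBUTES` stating that style contents are passed through unfiltered. Separately, both new constants are mutable shared allow-lists; closing them with `).freeze` and `}.freeze` follows the usual convention and prevents accidental mutation at runtime.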

test

' assert_equal("

test

", NoteSanitizer.sanitize(body)) end + + should "allow style attributes on every tag" do + body = '

test

' + assert_equal('

test

', NoteSanitizer.sanitize(body)) + end end end
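Review bot: The new case only exercises `style`, while the change also grants `title` on every element (`:all => %w(style title)` in note_sanitizer.rb), so a regression that drops `title` from the `:all` list would pass this suite. Add a sibling case, e.g. `should "allow title attributes on every tag"`, with a fixture carrying `title` on an element that previously could not take it (such as `b`), and consider a negative case asserting that an attribute outside the allow-list is still stripped. The fixture markup in this hunk appears to have lost its tags during extraction, so the exact elements it covers cannot be confirmed from here.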