From a19dd6a69f0ecd5d05b6b654b15c13db2e0aa875 Mon Sep 17 00:00:00 2001
From: albert <r888888888@gmail.com>
Date: Tue, 13 Sep 2011 15:19:07 -0400
Subject: [PATCH] added sanitize, fixes #26: Clicking the wiki link withing
 comments gives a "page does not exist" error

---
 Gemfile                        |  1 +
 Gemfile.lock                   |  8 ++++++++
 app/logical/d_text.rb          | 29 ++++++++++++++---------------
 app/views/notes/_note.html.erb |  2 +-
 app/views/posts/show.html.erb  |  2 +-
 5 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/Gemfile b/Gemfile
index 772def3a9..19d3fed03 100644
--- a/Gemfile
+++ b/Gemfile
@@ -27,6 +27,7 @@ gem "nokogiri"
 gem "meta_search", :git => "git://github.com/ernie/meta_search.git"
 gem "silent-postgres"
 gem "whenever", :require => false
+gem "sanitize", :git => "git://github.com/rgrove/sanitize.git"
 
 group :development do
   gem 'pry'
diff --git a/Gemfile.lock b/Gemfile.lock
index a81492771..e551de988 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,6 +8,13 @@ GIT
       activesupport (~> 3.1.0)
       polyamorous (~> 0.5.0)
 
+GIT
+  remote: git://github.com/rgrove/sanitize.git
+  revision: afdfa8f7f4129820c573f94f79b99aed715a385d
+  specs:
+    sanitize (2.0.3)
+      nokogiri (< 1.6, >= 1.4.4)
+
 GIT
   remote: http://github.com/EmmanuelOga/ffaker.git
   revision: f94bcf502fcdd4ba5f29155a3df1811af2663950
@@ -179,6 +186,7 @@ DEPENDENCIES
   pg
   pry
   rails (= 3.1.0)
+  sanitize!
   shoulda
   silent-postgres
   simple_form
diff --git a/app/logical/d_text.rb b/app/logical/d_text.rb
index 284d34962..de90e2ebd 100644
--- a/app/logical/d_text.rb
+++ b/app/logical/d_text.rb
@@ -11,11 +11,6 @@ class DText
   end
   
   def self.parse_inline(str, options = {})
-    str = parse_aliased_wiki_links(str)
-    str = parse_wiki_links(str)
-    str = parse_post_links(str)
-    str = parse_id_links(str)
-    
     str.gsub!(/\n/m, "<br>")
     str.gsub!(/\[b\](.+?)\[\/b\]/i, '<strong>\1</strong>')
     str.gsub!(/\[i\](.+?)\[\/i\]/i, '<em>\1</em>')
@@ -26,6 +21,10 @@ class DText
     str.gsub!(/\[url=(.+?)\](.+?)\[\/url\]/m) do
       %{<a href="#{u($1)}">#{h($2)}</a>}
     end
+    str = parse_aliased_wiki_links(str)
+    str = parse_wiki_links(str)
+    str = parse_post_links(str)
+    str = parse_id_links(str)
     str
   end
   
@@ -36,9 +35,9 @@ class DText
       wiki_page = WikiPage.find_title_and_id(title)
       
       if wiki_page
-        %{[url=/wiki_pages/#{wiki_page.id}]#{text}[/url]}
+        %{<a href="/wiki_pages/#{wiki_page.id}">#{text}</a>}
       else
-        %{[url=/wiki_pages/new?title=#{title}]#{text}[/url]}
+        %{<a href="/wiki_pages/new?title=#{title}">#{text}</url>}
       end
     end
   end
@@ -49,22 +48,22 @@ class DText
       wiki_page = WikiPage.find_title_and_id(title)
       
       if wiki_page
-        %{[url=/wiki_pages/#{wiki_page.id}]#{title}[/url]}
+        %{<a href="/wiki_pages/#{wiki_page.id}">#{title}</a>}
       else
-        %{[url=/wiki_pages/new?title=#{title}]#{title}[/url]}
+        %{<a href="/wiki_pages/new?wiki_page[title]=#{title}">#{title}</a>}
       end
     end
   end
   
   def self.parse_post_links(str)
-    str.gsub(/\{\{(.+?)\}\}/, %{[url=/posts?tags=\1]\1[/url]})
+    str.gsub(/\{\{(.+?)\}\}/, %{<a href="/posts?tags=\\1">\\1</a>})
   end
   
   def self.parse_id_links(str)
-    str = str.gsub(/\bpost #(\d+)/i, %{[url=/posts/\1]post #\1[/url]})
-    str = str.gsub(/\bforum #(\d+)/i, %{[url=/forum_posts/\1]forum #\1[/url]})
-    str = str.gsub(/\bcomment #(\d+)/i, %{[url=/comments/\1]comment #\1[/url]})
-    str = str.gsub(/\bpool #(\d+)/i, %{[url=/pools/\1]pool #\1[/url]})
+    str = str.gsub(/\bpost #(\d+)/i, %{<a href="/posts/\\1">post #\\1</a>})
+    str = str.gsub(/\bforum #(\d+)/i, %{<a href="/forum_posts/\\1">forum #\\1</a>})
+    str = str.gsub(/\bcomment #(\d+)/i, %{<a href="/comments/\\1">comment #\\1</a>})
+    str = str.gsub(/\bpool #(\d+)/i, %{<a href="/pools/\\1">pool #\\1</a>})
   end
   
   def self.parse_list(str, options = {})
@@ -151,7 +150,7 @@ class DText
       end
     end
 
-    html.join("").html_safe
+    Sanitize.clean(html.join(""), Sanitize::Config::BASIC).html_safe
   end
 end
 
diff --git a/app/views/notes/_note.html.erb b/app/views/notes/_note.html.erb
index 3c9d2503a..268bc839a 100644
--- a/app/views/notes/_note.html.erb
+++ b/app/views/notes/_note.html.erb
@@ -1 +1 @@
-<%= content_tag(:article, raw(note.body), "data-width" => note.width, "data-height" => note.height, "data-x" => note.x, "data-y" => note.y, "data-id" => note.id) %>
+<%= content_tag(:article, raw(Sanitize.clean(note.body)), "data-width" => note.width, "data-height" => note.height, "data-x" => note.x, "data-y" => note.y, "data-id" => note.id) %>
diff --git a/app/views/posts/show.html.erb b/app/views/posts/show.html.erb
index d7a810449..ff3dfb498 100644
--- a/app/views/posts/show.html.erb
+++ b/app/views/posts/show.html.erb
@@ -50,7 +50,7 @@
       </menu>
 
       <section id="comments">
-        <%= render "comments/partials/index/list", :comments => @post.comments, :post => @post, :show_header => false %>
+        <%= render "comments/partials/index/list", :comments => @post.comments.reverse, :post => @post, :show_header => false %>
       </section>
 
       <section id="notes">