From db2f36ed70fdd708726d859b3c2c44614cefe0dc Mon Sep 17 00:00:00 2001
From: Trevor Hills
Date: Mon, 23 May 2016 17:49:16 +1200
Subject: [PATCH] Allow regex expressions in attribute whitelist.

---
 core/lib/refinery/core/configuration.rb | 3 +-
 .../refinery/pages/section_presenter.rb | 39 ++++++++++++++++---
 .../refinery/pages/section_presenter_spec.rb | 15 +++++++
 3 files changed, 50 insertions(+), 7 deletions(-)

diff --git a/core/lib/refinery/core/configuration.rb b/core/lib/refinery/core/configuration.rb
index 4227586dbe..b90b0605a2 100644
--- a/core/lib/refinery/core/configuration.rb
+++ b/core/lib/refinery/core/configuration.rb
@@ -9,7 +9,7 @@ module Core
 :s3_secret_access_key, :force_ssl, :backend_route, :dragonfly_custom_backend_class, :dragonfly_custom_backend_opts, :visual_editor_javascripts, :visual_editor_stylesheets,
- :plugin_priority, :refinery_logout_path
+ :plugin_priority, :refinery_logout_path, :regex_white_list
 self.rescue_not_found = false
 self.s3_backend = false
@@ -32,6 +32,7 @@ module Core
 self.visual_editor_javascripts = []
 self.visual_editor_stylesheets = []
 self.plugin_priority = []
+ self.regex_white_list = false
 def config.register_javascript(name)
 self.javascripts << name
diff --git a/pages/app/presenters/refinery/pages/section_presenter.rb b/pages/app/presenters/refinery/pages/section_presenter.rb
index 9c566a64f2..28324a514e 100644
--- a/pages/app/presenters/refinery/pages/section_presenter.rb
+++ b/pages/app/presenters/refinery/pages/section_presenter.rb
@@ -50,7 +50,7 @@ def not_present_css_class
 "no_#{id}"
 end
- protected
+ protected
 def content_html(can_use_fallback)
 override_html.presence || html_from_fallback(can_use_fallback)
@@ -60,7 +60,7 @@ def html_from_fallback(can_use_fallback)
 fallback_html.presence if can_use_fallback
 end
- private
+ private
 attr_writer :id, :fallback_html, :hidden
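Review bot: The new setting on the `+ self.regex_white_list = false` line has no comment saying what turning it on does, and the effect is not a small one: when it is true, `CustomScrubber#create_regexs` compiles every entry of `Refinery::Pages.whitelist_attributes` with `Regexp.new`, so existing literal attribute names are reinterpreted as patterns and any regex metacharacter in them changes meaning. Add above the default a comment such as `# When true, whitelist_attributes entries are treated as regular expressions (matched against attribute names) instead of literal names.` The accessor addition in the -9 hunk needs no change; the two `protected`/`private` hunks in section_presenter.rb are whitespace only.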
@@ -69,10 +69,15 @@ def wrap_content_in_tag(content)
 end
 def sanitize_content(input)
- output = sanitize(input,
- tags: Refinery::Pages::whitelist_elements,
- attributes: Refinery::Pages::whitelist_attributes
- )
+ output =
+ if Refinery::Core.regex_white_list
+ sanitize(input, scrubber: CustomScrubber.new(Refinery::Pages::whitelist_elements, Refinery::Pages::whitelist_attributes))
+ else
+ sanitize(input,
+ tags: Refinery::Pages::whitelist_elements,
+ attributes: Refinery::Pages::whitelist_attributes
+ )
+ end
 if input != output
 warning = "\n-- SANITIZED CONTENT WARNING --\n"
@@ -85,5 +90,27 @@ def sanitize_content(input)
 return output
 end
 end
+
+ class CustomScrubber < Rails::Html::PermitScrubber
+ def initialize(tags, attributes)
+ @direction = :bottom_up
+ @tags = tags
+ @attributes = attributes
+ @all_regex = create_regexs
+ end
+
+ def scrub_attribute?(name)
+ !name.match(@all_regex)
+ end
+
+ private
+
+ def create_regexs
+ reg = @attributes.map do |attr|
+ Regexp.new(attr)
+ end
+ Regexp.union(reg)
+ end
+ end
 end
 end
diff --git a/pages/spec/presenters/refinery/pages/section_presenter_spec.rb b/pages/spec/presenters/refinery/pages/section_presenter_spec.rb
index d2c321ea0c..76a959f9e0 100644
--- a/pages/spec/presenters/refinery/pages/section_presenter_spec.rb
+++ b/pages/spec/presenters/refinery/pages/section_presenter_spec.rb
@@ -95,6 +95,21 @@ module Pages
 )
 end
 end
+
+ context 'wild cards in attribute whitelist' do
+ it 'will allow matched attributes' do
+ Refinery::Core.regex_white_list = true
+ allow(Refinery::Pages).to receive(:whitelist_attributes) {%w(data-.*)}
+ section = SectionPresenter.new
+ section.override_html = %Q{}
+ expect(section.wrapped_html(true)).to xml_eq(
+ %Q{
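Review bot: `create_regexs` compiles each whitelist entry with `Regexp.new(attr)` unanchored and `scrub_attribute?` tests it with `name.match(@all_regex)`, so a pattern is accepted if it matches anywhere inside the attribute name rather than the whole name: with the flag on, a literal entry such as `src` would also admit `srcdoc` and `srcset`, and the spec's `data-.*` admits any name that merely contains `data-`. Anchor each entry to the full name before joining, `Regexp.new("\\A(?:#{attr})\\z")` inside the `map`, and document on `scrub_attribute?` that it only decides by name — the URI/value checks in `PermitScrubber#scrub_attribute` appear to still run because `@attributes` is non-nil, but that is worth confirming against the rails-html-sanitizer version in use. `initialize` also bypasses `super`, which skips the enumerable validation that `PermitScrubber#tags=`/`#attributes=` perform; calling `super()` and assigning through those setters keeps that check without changing behaviour. The rest of `sanitize_content` (the warning branch) continues outside the hunk.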
} + ) + + end + end + + end describe "#sanitize_content" do
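Review bot: The new example sets `Refinery::Core.regex_white_list = true` and never restores it, so every example that runs after it in the same process exercises the `CustomScrubber` path instead of the default `tags:`/`attributes:` sanitizer, and an ordering-dependent failure elsewhere would be hard to trace back here. Reset it in a hook on the new context, `after { Refinery::Core.regex_white_list = false }`, and add a second example asserting that an attribute outside the configured pattern (for instance `title` against `data-.*`) is removed, so the negative branch of `scrub_attribute?` is covered as well as the positive one. The markup inside the `%Q{}` literals is not visible in this rendering, so the expected output cannot be checked from here.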