Disable textile inline styles to prevent XSS attacks (#2377).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2192 e93f8b46-1217-0410-a6f0-8f06a7374b81
Jean-Philippe Lang 16 years ago
parent a140c9bd74
commit 35f5e36838
  1. 3
      lib/redcloth3.rb
  2. 1
      lib/redmine/wiki_formatting/textile/formatter.rb
  3. 3
      test/unit/helpers/application_helper_test.rb

@ -470,8 +470,7 @@ class RedCloth3 < String
style << "vertical-align:#{ v_align( $& ) };" if text =~ A_VLGN
end
style << "#{ htmlesc $1 };" if not filter_styles and
text.sub!( /\{([^}]*)\}/, '' )
style << "#{ htmlesc $1 };" if text.sub!( /\{([^}]*)\}/, '' ) && !filter_styles
lang = $1 if
text.sub!( /\[([^)]+?)\]/, '' )
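Review bot: The operand order on the new `style << "#{ htmlesc $1 };" if text.sub!( ... ) && !filter_styles` line is load-bearing and deserves a comment: `text.sub!` runs before `!filter_styles` is tested, so the `{...}` block is always consumed from the text and only its emission into `style` is suppressed, whereas the old `if not filter_styles and text.sub!(...)` form short-circuited and would have left the raw braces in the output. Suggest a line above it: `# always strip the {...} block from the text; emit it as a style only when filtering is off`. With this ordering `$1` is the capture from that `sub!`, which is correct, but it also depends on no other regexp running between the two. The guard only takes effect for callers that set `filter_styles`; the attribute's default in RedCloth3 is not visible in this hunk, so other callers of the class should be checked rather than assumed covered. The enclosing method starts and ends outside the hunk.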

@ -30,6 +30,7 @@ module Redmine
super
self.hard_breaks=true
self.no_span_caps=true
self.filter_styles=true
end
def to_html(*rules, &block)
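Review bot: The added `self.filter_styles=true` is the line that actually disables inline styles for Redmine, but nothing in the initializer says why it is there, so a later cleanup could drop it as an unused option. Suggest a trailing comment tying it to the issue the commit cites: `self.filter_styles=true # strip textile inline styles (#2377)`. The initializer's `def` line is above the hunk; only its tail and the following `to_html` signature are visible here.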

@ -69,7 +69,8 @@ class ApplicationHelperTest < HelperTestCase
'!http://foo.bar/image.jpg!' => '<img src="http://foo.bar/image.jpg" alt="" />',
'floating !>http://foo.bar/image.jpg!' => 'floating <div style="float:right"><img src="http://foo.bar/image.jpg" alt="" /></div>',
'with class !(some-class)http://foo.bar/image.jpg!' => 'with class <img src="http://foo.bar/image.jpg" class="some-class" alt="" />',
'with style !{width:100px;height100px}http://foo.bar/image.jpg!' => 'with style <img src="http://foo.bar/image.jpg" style="width:100px;height100px;" alt="" />',
# inline styles should be stripped
'with style !{width:100px;height100px}http://foo.bar/image.jpg!' => 'with style <img src="http://foo.bar/image.jpg" alt="" />',
'with title !http://foo.bar/image.jpg(This is a title)!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a title" alt="This is a title" />',
'with title !http://foo.bar/image.jpg(This is a double-quoted "title")!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a double-quoted &quot;title&quot;" alt="This is a double-quoted &quot;title&quot;" />',
}
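Review bot: The only expectation covering the new behaviour is the image case under the `# inline styles should be stripped` comment; if the `{...}` attribute parser is shared with other textile elements (paragraph, span or table-cell modifiers), one further expectation for such an element, whose expected HTML carries no `style` attribute, would pin the fix beyond images. The expected string also shows that the `{width:100px;height100px}` block is removed from the text rather than rendered literally, which is worth stating: `# inline styles should be stripped (the {...} block is consumed, not rendered)`. The hash these entries belong to opens above the hunk.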
