fully remove style tags in html sanitizer

test plan: * test the sanitizer through the api by creating or updating an object with html content (such as a wiki page body attribute) * the following html: <p><style>should ignore this text</style></p> * should be sanitized to: <p></p> fixes #CNVS-5828 Change-Id: I735f031eafdeeb8d7ae05fd977327fb3cc7e9251 Reviewed-on: https://gerrit.instructure.com/21689 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jeremy Stanley <jeremy@instructure.com> Product-Review: Jeremy Stanley <jeremy@instructure.com> QA-Review: Clare Strong <clare@instructure.com>
2013-06-24 12:31:55 -06:00 · 2013-06-24 12:31:55 -06:00 · 7d79140483
parent e370322471
commit 7d79140483
2 changed files with 10 additions and 1 deletions
--- a/spec/lib/sanitize_spec.rb
+++ b/spec/lib/sanitize_spec.rb
@ -93,6 +93,12 @@ describe Sanitize do
    res.should == %{<font face="Comic Sans MS" color="blue" size="3">hello</font>}
  end

+  it "should remove and not escape contents of style tags" do
+    str = %{<p><style type="text/css">pleaseignoreme: blahblahblah</style>but not me</p>}
+    res = Sanitize.clean(str, Instructure::SanitizeField::SANITIZE)
+    res.should == "<p>but not me</p>"
+  end
+
  Dir.glob(Rails.root.join('spec', 'fixtures', 'xss', '*.xss')) do |filename|
    name = File.split(filename).last
    it "should sanitize xss attempts for #{name}" do
--- a/vendor/plugins/sanitize_field/lib/sanitize_field.rb
+++ b/vendor/plugins/sanitize_field/lib/sanitize_field.rb
@ -139,7 +139,10 @@ module Instructure #:nodoc:
        /\Amargin-(?:bottom|left|right|top|offset)\z/,
        /\Apadding-(?:bottom|left|right|top)\z/
      ],
-      :transformers => lambda { |env| Instructure::SanitizeField.sanitize_style(env) if env[:node]['style'] }
+      :transformers => lambda { |env|
+        Instructure::SanitizeField.sanitize_style(env) if env[:node]['style']
+        Sanitize.clean_node!(env[:node], {:remove_contents => true}) if env[:node_name] == 'style'
+      }
    }

    module ClassMethods