Patch #16087 » redmine-markdown-loofah.diff

the main patch - Charmander -, 2014-02-13 03:43


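--- a/Gemfile
+++ b/Gemfile
@@ -32,6 +32,7 @@
   group :markdown do
     # TODO: upgrade to redcarpet 3.x when ruby1.8 support is dropped
     gem "redcarpet", "~> 2.3.0"
+    gem "loofah", "~> 1.2.0"
   end
 end
 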
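Review bot: The new pin `gem "loofah", "~> 1.2.0"` admits only patch releases of the 1.2 series, so a sanitizer fix shipped as a 1.3.x release would not be picked up by `bundle update`. Since this gem becomes the HTML sanitizer for the markdown formatter in the same patch, either the looser `gem "loofah", "~> 1.2"` or a TODO comment like the redcarpet line above, recording why the pin is tight, would make the maintenance intent clear.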

  
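--- a/lib/redmine/wiki_formatting/markdown/formatter.rb
+++ b/lib/redmine/wiki_formatting/markdown/formatter.rb
@@ -16,6 +16,7 @@
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 require 'cgi'
+require 'loofah'
 
 module Redmine
   module WikiFormatting
@@ -57,7 +58,8 @@
           html.gsub!(/(\w):"(.+?)"/) do
             "#{$1}:\"#{$2}\""
           end
-          html
+          # return scrubbed HTML
+          Loofah.fragment(html).scrub!(:strip).to_s
         end
 
         def get_section(index)
@@ -119,7 +121,6 @@
         def formatter
           @@formatter ||= Redcarpet::Markdown.new(
             Redmine::WikiFormatting::Markdown::HTML.new(
-              :filter_html => true,
               :hard_wrap => true
             ),
             :autolink => true,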
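Review bot: With `:filter_html => true` dropped from the Redcarpet renderer in the `formatter` hunk, the new `Loofah.fragment(html).scrub!(:strip).to_s` in `to_html` becomes the only sanitizer on the output path, and the comment `# return scrubbed HTML` does not record that; a comment such as `# Redcarpet now emits raw HTML unfiltered (see formatter); this scrub is the only sanitizer on the output path, keep it last.` would stop a later edit from moving or removing it casually. Note also that the `:strip` scrubber keeps the text content of the elements it removes, so the body of a stripped `<script>` still appears as plain text in the page (the patch's own test expects `alert(1)` in the output); if that text should not be shown, `scrub!(:prune)` removes the element together with its content. The `to_html` method begins before this hunk, so any transformation that runs ahead of the scrub is not visible here.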
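--- a/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb
+++ b/test/unit/lib/redmine/wiki_formatting/markdown_formatter.rb
@@ -60,5 +60,10 @@
     assert_equal '<p>This is a <a href="/issues">link</a></p>', @formatter.new(text).to_html.strip
   end
 
+  def test_html_is_safe
+    text = '<script>alert(1)</script> <b onclick="alert(1)">clickable</b> [bad link](javascript:alert(1\\))'
+    assert_equal '<p>alert(1) <b>clickable</b> <a class="external">bad link</a></p>', @formatter.new(text).to_html.strip
+  end
+
   end
 end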
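Review bot: `test_html_is_safe` folds three distinct cases (a script element, an event-handler attribute, a `javascript:` link) into a single `assert_equal`, so a failure will not say which scrubbing rule regressed; one assertion per fixture, or a small input/expected table iterated with `assert_equal expected, @formatter.new(input).to_html.strip`, keeps the diagnostics useful. There is also no positive case for the new behaviour: since the formatter change stops filtering raw HTML, a fixture showing that permitted inline markup with an ordinary `http` link survives the scrub would catch over-scrubbing regressions as well as under-scrubbing ones. The expected string pins Loofah's exact serialization (href dropped, `class="external"` kept), which is fine as documentation of current behaviour but will need revisiting on a loofah upgrade. The enclosing test class and its `@formatter` setup begin before this hunk.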