Disable textile inline styles to prevent XSS attacks (#2377).
authorJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 28 Dec 2008 13:38:34 +0000 (13:38 +0000)
committerJean-Philippe Lang <jp_lang@yahoo.fr>
Sun, 28 Dec 2008 13:38:34 +0000 (13:38 +0000)
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2192 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/redcloth3.rb
lib/redmine/wiki_formatting/textile/formatter.rb
test/unit/helpers/application_helper_test.rb

index 69332395bd9fcdb1da6435807619addbcc1cca8e..ae17f6760e1a09ca4c6253ac6a3e5106fc170f33 100644 (file)
@@ -470,8 +470,7 @@ class RedCloth3 < String
             style << "vertical-align:#{ v_align( $& ) };" if text =~ A_VLGN
         end
 
-        style << "#{ htmlesc $1 };" if not filter_styles and
-            text.sub!( /\{([^}]*)\}/, '' )
+        style << "#{ htmlesc $1 };" if text.sub!( /\{([^}]*)\}/, '' ) && !filter_styles
 
         lang = $1 if
             text.sub!( /\[([^)]+?)\]/, '' )
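Review bot: The new condition depends on an evaluation-order subtlety that nothing on the line records: `text.sub!` must run before `!filter_styles` so the `{...}` block is removed from the rendered text even when styles are filtered, whereas the old short-circuit order left the raw braces in the output. A reader who "tidies" the operands back into the original order would silently reintroduce that leak, so the line deserves a comment such as `# always strip the {style} block from the text; only emit it as a style when filtering is off`. The read of `$1` after `&& !filter_styles` is safe only because no other match occurs in between; capturing the result of `sub!` into a local, or using `Regexp.last_match(1)`, would make that dependence explicit. The enclosing method starts and ends outside this hunk.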
index 1a198233cab33b04547cea0d3e3727a90dfa376a..b55287ba461809f600f5eb4417b475143ee0f88e 100644 (file)
@@ -30,6 +30,7 @@ module Redmine
           super
           self.hard_breaks=true
           self.no_span_caps=true
+          self.filter_styles=true
         end
         
         def to_html(*rules, &block)
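Review bot: The protection introduced here is opt-in at the formatter: it holds only if every RedCloth3 instance Redmine renders is created through this initializer, which this hunk cannot show. The added line carries no hint that it is the XSS mitigation rather than a cosmetic preference, so a comment like `# drop user-supplied inline styles (XSS, #2377)` would stop it being removed in a later cleanup. The enclosing `initialize` starts outside the hunk.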
index 261614d3f7dac782481d024977d36a31b11840d9..5f1a58935742ad5bafb50b33003391141b0cedd2 100644 (file)
@@ -69,7 +69,8 @@ class ApplicationHelperTest < HelperTestCase
       '!http://foo.bar/image.jpg!' => '<img src="http://foo.bar/image.jpg" alt="" />',
       'floating !>http://foo.bar/image.jpg!' => 'floating <div style="float:right"><img src="http://foo.bar/image.jpg" alt="" /></div>',
       'with class !(some-class)http://foo.bar/image.jpg!' => 'with class <img src="http://foo.bar/image.jpg" class="some-class" alt="" />',
-      'with style !{width:100px;height100px}http://foo.bar/image.jpg!' => 'with style <img src="http://foo.bar/image.jpg" style="width:100px;height100px;" alt="" />',
+      # inline styles should be stripped
+      'with style !{width:100px;height100px}http://foo.bar/image.jpg!' => 'with style <img src="http://foo.bar/image.jpg" alt="" />',
       'with title !http://foo.bar/image.jpg(This is a title)!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a title" alt="This is a title" />',
       'with title !http://foo.bar/image.jpg(This is a double-quoted "title")!' => 'with title <img src="http://foo.bar/image.jpg" title="This is a double-quoted &quot;title&quot;" alt="This is a double-quoted &quot;title&quot;" />',
     }
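Review bot: The updated expectation exercises the style filter only through the image syntax (`!{...}url!`), so a regression in how styles are stripped from other Textile elements would go unnoticed. If the same attribute parser serves block and span syntax, adding constructed cases along the lines of `'p{color:red}. text' => '<p>text</p>'` and `'%{color:red}text%' => '<span>text</span>'` next to the image case would pin the behaviour for those forms as well; the exact expected markup should be taken from the formatter's actual output. The hash this hunk edits begins outside the hunk.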