mirrors
/
redmine
şunun yansıması https://github.com/redmine/redmine.git
İzle 1
Yıldızla 0
Çatalla 0
Kod Sorunlar 0 Sürümler 199 Wiki Aktivite
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
18175 İşlemeler
33 Dallar
Ağaç: bcb2ebb6a0
Dallar Biçim İmleri
${ item.name }
Branş ${ searchTerm } oluştur
'bcb2ebb6a0'den
${ noResults }
redmine/lib/redmine/wiki_formatting/common_mark/sanitization_filter.rb

sanitization_filter.rb 4.5KB
Ham Blame Geçmiş

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 
  1. # frozen_string_literal: true

  2. 

  3. # Redmine - project management software

  4. # Copyright (C) 2006-  Jean-Philippe Lang

  5. #

  6. # This program is free software; you can redistribute it and/or

  7. # modify it under the terms of the GNU General Public License

  8. # as published by the Free Software Foundation; either version 2

  9. # of the License, or (at your option) any later version.

  10. #

  11. # This program is distributed in the hope that it will be useful,

  12. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  13. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  14. # GNU General Public License for more details.

  15. #

  16. # You should have received a copy of the GNU General Public License

  17. # along with this program; if not, write to the Free Software

  18. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19. 

  20. module Redmine

  21.   module WikiFormatting

  22.     module CommonMark

  23.       # sanitizes rendered HTML using the Sanitize gem

  24.       class SanitizationFilter < HTML::Pipeline::SanitizationFilter

  25.         include Redmine::Helpers::URL

  26.         RELAXED_PROTOCOL_ATTRS = {

  27.           "a" => %w(href).freeze,

  28.         }.freeze

  29. 

  30.         ALLOWED_CSS_PROPERTIES = %w[

  31.           color background-color

  32.           width min-width max-width

  33.           height min-height max-height

  34.           padding padding-left padding-right padding-top padding-bottom

  35.           margin margin-left margin-right margin-top margin-bottom

  36.           border border-left border-right border-top border-bottom border-radius border-style border-collapse border-spacing

  37.           font font-style font-variant font-weight font-stretch font-size line-height font-family

  38.           text-align

  39.           float

  40.         ].freeze

  41. 

  42.         def allowlist

  43.           @allowlist ||= customize_allowlist(super.deep_dup)

  44.         end

  45. 

  46.         private

  47. 

  48.         # customizes the allowlist defined in

  49.         # https://github.com/jch/html-pipeline/blob/master/lib/html/pipeline/sanitization_filter.rb

  50.         def customize_allowlist(allowlist)

  51.           # Disallow `name` attribute globally, allow on `a`

  52.           allowlist[:attributes][:all].delete("name")

  53.           allowlist[:attributes]["a"].push("name")

  54. 

  55.           allowlist[:attributes][:all].push("style")

  56.           allowlist[:css] = { properties: ALLOWED_CSS_PROPERTIES }

  57. 

  58.           # allow class on code tags (this holds the language info from fenced

  59.           # code bocks and has the format language-foo)

  60.           allowlist[:attributes]["code"] = %w(class)

  61.           allowlist[:transformers].push lambda{|env|

  62.             node = env[:node]

  63.             return unless node.name == "code"

  64.             return unless node.has_attribute?("class")

  65. 

  66.             unless /\Alanguage-(\S+)\z/.match?(node["class"])

  67.               node.remove_attribute("class")

  68.             end

  69.           }

  70. 

  71.           # Allow table cell alignment by style attribute

  72.           #

  73.           # Only necessary if we used the TABLE_PREFER_STYLE_ATTRIBUTES

  74.           # commonmarker option (which we do not, currently).

  75.           # By default, the align attribute is used (which is allowed on all

  76.           # elements).

  77.           # allowlist[:attributes]["th"] = %w(style)

  78.           # allowlist[:attributes]["td"] = %w(style)

  79.           # allowlist[:css] = { properties: ["text-align"] }

  80. 

  81.           # Allow `id` in a and li elements for footnotes

  82.           # and remove any `id` properties not matching for footnotes

  83.           allowlist[:attributes]["a"].push "id"

  84.           allowlist[:attributes]["li"] = %w(id)

  85.           allowlist[:transformers].push lambda{|env|

  86.             node = env[:node]

  87.             return unless node.name == "a" || node.name == "li"

  88.             return unless node.has_attribute?("id")

  89.             return if node.name == "a" && node["id"] =~ /\Afnref-\d+\z/

  90.             return if node.name == "li" && node["id"] =~ /\Afn-\d+\z/

  91. 

  92.             node.remove_attribute("id")

  93.           }

  94. 

  95.           # https://github.com/rgrove/sanitize/issues/209

  96.           allowlist[:protocols].delete("a")

  97.           allowlist[:transformers].push lambda{|env|

  98.             node = env[:node]

  99.             return if node.type != Nokogiri::XML::Node::ELEMENT_NODE

  100. 

  101.             name = env[:node_name]

  102.             return unless RELAXED_PROTOCOL_ATTRS.include?(name)

  103. 

  104.             RELAXED_PROTOCOL_ATTRS[name].each do |attr|

  105.               next unless node.has_attribute?(attr)

  106. 

  107.               node[attr] = node[attr].strip

  108.               unless !node[attr].empty? && uri_with_link_safe_scheme?(node[attr])

  109.                 node.remove_attribute(attr)

  110.               end

  111.             end

  112.           }

  113. 

  114.           allowlist

  115.         end

  116.       end

  117.     end

  118.   end

  119. end