diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2008-12-28 13:38:34 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2008-12-28 13:38:34 +0000 |
| commit | 35f5e36838952a20693c8d6fa2a926648739a975 (patch) | |
| tree | 7bd5d33f07129c82aea147bf6bcf6cf3c6056ff1 /lib/redcloth3.rb | |
| parent | a140c9bd7480c2ac93f22063575fb99ebf654be6 (diff) | |
| download | redmine-35f5e36838952a20693c8d6fa2a926648739a975.tar.gz redmine-35f5e36838952a20693c8d6fa2a926648739a975.zip | |
Disable textile inline styles to prevent XSS attacks (#2377).
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2192 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'lib/redcloth3.rb')
| -rw-r--r-- | lib/redcloth3.rb | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/lib/redcloth3.rb b/lib/redcloth3.rb index 69332395b..ae17f6760 100644 --- a/lib/redcloth3.rb +++ b/lib/redcloth3.rb @@ -470,8 +470,7 @@ class RedCloth3 < String style << "vertical-align:#{ v_align( $& ) };" if text =~ A_VLGN end - style << "#{ htmlesc $1 };" if not filter_styles and - text.sub!( /\{([^}]*)\}/, '' ) + style << "#{ htmlesc $1 };" if text.sub!( /\{([^}]*)\}/, '' ) && !filter_styles lang = $1 if text.sub!( /\[([^)]+?)\]/, '' ) |