diff options
| author | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-04-06 16:41:52 +0000 |
|---|---|---|
| committer | Jean-Philippe Lang <jp_lang@yahoo.fr> | 2017-04-06 16:41:52 +0000 |
| commit | 4f2c5a9945d0a1d83620f5cfb7eb8d19056edc34 (patch) | |
| tree | 42307586de2ec443f82ced267ab23b091450dc74 /lib/redmine/wiki_formatting | |
| parent | 281b26e2f548b4f79dfd2d59c8263d6b670c3304 (diff) | |
| download | redmine-4f2c5a9945d0a1d83620f5cfb7eb8d19056edc34.tar.gz redmine-4f2c5a9945d0a1d83620f5cfb7eb8d19056edc34.zip | |
Filter arbitrary class names and ids in rendered HTML output (#25503).
* Disallow setting arbitrary classes and ids via Textile syntax
* Only allow valid/supported languages for syntax highlighted code blocks
Patch by Jan Schulz-Hofen.
git-svn-id: http://svn.redmine.org/redmine/trunk@16502 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'lib/redmine/wiki_formatting')
| -rw-r--r-- | lib/redmine/wiki_formatting/markdown/formatter.rb | 2 | ||||
| -rw-r--r-- | lib/redmine/wiki_formatting/textile/formatter.rb | 10 | ||||
| -rw-r--r-- | lib/redmine/wiki_formatting/textile/redcloth3.rb | 12 |
3 files changed, 19 insertions, 5 deletions
diff --git a/lib/redmine/wiki_formatting/markdown/formatter.rb b/lib/redmine/wiki_formatting/markdown/formatter.rb index 4afbc2fdd..bfb04774c 100644 --- a/lib/redmine/wiki_formatting/markdown/formatter.rb +++ b/lib/redmine/wiki_formatting/markdown/formatter.rb @@ -35,7 +35,7 @@ module Redmine end def block_code(code, language) - if language.present? + if language.present? && Redmine::SyntaxHighlighting.language_supported?(language) "<pre><code class=\"#{CGI.escapeHTML language} syntaxhl\">" + Redmine::SyntaxHighlighting.highlight_by_language(code, language) + "</code></pre>" diff --git a/lib/redmine/wiki_formatting/textile/formatter.rb b/lib/redmine/wiki_formatting/textile/formatter.rb index 5862a1c62..8ff623a73 100644 --- a/lib/redmine/wiki_formatting/textile/formatter.rb +++ b/lib/redmine/wiki_formatting/textile/formatter.rb @@ -121,8 +121,14 @@ module Redmine text.gsub!(/<redpre#(\d+)>/) do content = @pre_list[$1.to_i] if content.match(/<code\s+class="(\w+)">\s?(.+)/m) - content = "<code class=\"#{$1} syntaxhl\">" + - Redmine::SyntaxHighlighting.highlight_by_language($2, $1) + language = $1 + text = $2 + if Redmine::SyntaxHighlighting.language_supported?(language) + content = "<code class=\"#{language} syntaxhl\">" + + Redmine::SyntaxHighlighting.highlight_by_language(text, language) + else + content = "<code>#{ERB::Util.h(text)}" + end end content end diff --git a/lib/redmine/wiki_formatting/textile/redcloth3.rb b/lib/redmine/wiki_formatting/textile/redcloth3.rb index bcb796ec6..d0bd217d3 100644 --- a/lib/redmine/wiki_formatting/textile/redcloth3.rb +++ b/lib/redmine/wiki_formatting/textile/redcloth3.rb @@ -494,7 +494,15 @@ class RedCloth3 < String style << "text-align:#{ h_align( $& ) };" if text =~ A_HLGN cls, id = $1, $2 if cls =~ /^(.*?)#(.*)$/ - + + # add wiki-class- and wiki-id- to classes and ids to prevent setting of + # arbitrary classes and ids + cls = cls.split(/\s+/).map do |c| + c.starts_with?('wiki-class-') ? c : "wiki-class-#{c}" + end.join(' ') if cls + + id = id.starts_with?('wiki-id-') ? id : "wiki-id-#{id}" if id + atts = '' atts << " style=\"#{ style.join }\"" unless style.empty? atts << " class=\"#{ cls }\"" unless cls.to_s.empty? @@ -1097,7 +1105,7 @@ class RedCloth3 < String first.match(/<#{ OFFTAGS }([^>]*)>/) tag = $1 $2.to_s.match(/(class\=("[^"]+"|'[^']+'))/i) - tag << " #{$1}" if $1 + tag << " #{$1}" if $1 && tag == 'code' @pre_list << "<#{ tag }>#{ aftertag }" end elsif $1 and codepre > 0 |