Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: BBCode sanitization and tests

This commit is contained in:
Robin Ward 2014-07-14 11:24:25 -04:00
parent 49eaaddba8
commit 186ce78cb5
3 changed files with 9 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/discourse/dialects/bbcode_dialect.js
View File

@ -73,6 +73,7 @@ replaceBBCode('b', function(contents) { return ['span', {'class': 'bbcode-b'}].c
replaceBBCode('i', function(contents) { return ['span', {'class': 'bbcode-i'}].concat(contents); });
replaceBBCode('u', function(contents) { return ['span', {'class': 'bbcode-u'}].concat(contents); });
replaceBBCode('s', function(contents) { return ['span', {'class': 'bbcode-s'}].concat(contents); });
Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-[bius]$/);
replaceBBCode('ul', function(contents) { return ['ul'].concat(contents); });
replaceBBCode('ol', function(contents) { return ['ol'].concat(contents); });
@ -100,6 +101,7 @@ replaceBBCodeParamsRaw("email", function(param, contents) {
replaceBBCodeParams("size", function(param, contents) {
return ['span', {'class': "bbcode-size-" + (parseInt(param, 10) || 1)}].concat(contents);
});
Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-size-\d+$/);
// Handles `[code] ... [/code]` blocks
Discourse.Dialect.replaceBlock({
@ -112,3 +114,4 @@ Discourse.Dialect.replaceBlock({
return ['p', ['pre', ['code', {'class': Discourse.SiteSettings.default_code_lang}, inner]]];
}
});

2
app/assets/javascripts/discourse/lib/markdown.js
View File

@ -258,6 +258,4 @@ Discourse.Markdown.whiteListTag('span', 'bbcode-i');
Discourse.Markdown.whiteListTag('span', 'bbcode-u');
Discourse.Markdown.whiteListTag('span', 'bbcode-s');
Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-size-\d+$/);
Discourse.Markdown.whiteListIframe(/^(https?:)?\/\/www\.google\.com\/maps\/embed\?.+/i);

11
test/javascripts/lib/bbcode_test.js
View File

@ -1,12 +1,12 @@
module("Discourse.BBCode");
var format = function(input, expected, text) {
var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false});
var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false, sanitize: true});
equal(cooked, "<p>" + expected + "</p>", text);
};
var formatQ = function(input, expected, text) {
var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false});
var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false, sanitize: true});
equal(cooked, expected, text);
};
@ -15,7 +15,7 @@ test('basic bbcode', function() {
format("[i]emphasis[/i]", "<span class=\"bbcode-i\">emphasis</span>", "italics text");
format("[u]underlined[/u]", "<span class=\"bbcode-u\">underlined</span>", "underlines text");
format("[s]strikethrough[/s]", "<span class=\"bbcode-s\">strikethrough</span>", "strikes-through text");
format("[img]http://eviltrout.com/eviltrout.png[/img]", "<img src=\"http://eviltrout.com/eviltrout.png\"/>", "links images");
format("[img]http://eviltrout.com/eviltrout.png[/img]", "<img src=\"http://eviltrout.com/eviltrout.png\">", "links images");
format("[url]http://bettercallsaul.com[/url]", "<a href=\"http://bettercallsaul.com\">http://bettercallsaul.com</a>", "supports [url] without a title");
format("[email]eviltrout@mailinator.com[/email]", "<a href=\"mailto:eviltrout@mailinator.com\">eviltrout@mailinator.com</a>", "supports [email] without a title");
format("[b]evil [i]trout[/i][/b]",
@ -37,7 +37,8 @@ test('code', function() {
test('spoiler', function() {
format("[spoiler]it's a sled[/spoiler]", "<span class=\"spoiler\">it's a sled</span>", "supports spoiler tags on text");
format("[spoiler]<img src='http://eviltrout.com/eviltrout.png' width='50' height='50'>[/spoiler]", "<div class=\"spoiler\"><img src='http://eviltrout.com/eviltrout.png' width='50' height='50'></div>", "supports spoiler tags on images");
format("[spoiler]<img src='http://eviltrout.com/eviltrout.png' width='50' height='50'>[/spoiler]",
"<div class=\"spoiler\"><img src=\"http://eviltrout.com/eviltrout.png\" width=\"50\" height=\"50\"></div>", "supports spoiler tags on images");
});
test('lists', function() {
@ -105,7 +106,7 @@ test("quotes", function() {
"it doesn't insert a new line for italics");
format("[quote=,script='a'><script>alert('test');//':a][/quote]",
"<aside class=\"quote\" data-script=&#x27;a&#x27;&gt;&lt;script&gt;alert(&#x27;test&#x27;);//&#x27;=\"a\"><blockquote></blockquote></aside>",
"<aside class=\"quote\" data-script=\"'a'&gt;&lt;script&gt;alert('test');//'=\"><blockquote></blockquote></aside>",
"It will not create a script tag within an attribute");
});