FIX: BBCode sanitization and tests

This commit is contained in:
Robin Ward 2014-07-14 11:24:25 -04:00
parent 49eaaddba8
commit 186ce78cb5
3 changed files with 9 additions and 7 deletions

View File

@ -73,6 +73,7 @@ replaceBBCode('b', function(contents) { return ['span', {'class': 'bbcode-b'}].c
replaceBBCode('i', function(contents) { return ['span', {'class': 'bbcode-i'}].concat(contents); }); replaceBBCode('i', function(contents) { return ['span', {'class': 'bbcode-i'}].concat(contents); });
replaceBBCode('u', function(contents) { return ['span', {'class': 'bbcode-u'}].concat(contents); }); replaceBBCode('u', function(contents) { return ['span', {'class': 'bbcode-u'}].concat(contents); });
replaceBBCode('s', function(contents) { return ['span', {'class': 'bbcode-s'}].concat(contents); }); replaceBBCode('s', function(contents) { return ['span', {'class': 'bbcode-s'}].concat(contents); });
Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-[bius]$/);
replaceBBCode('ul', function(contents) { return ['ul'].concat(contents); }); replaceBBCode('ul', function(contents) { return ['ul'].concat(contents); });
replaceBBCode('ol', function(contents) { return ['ol'].concat(contents); }); replaceBBCode('ol', function(contents) { return ['ol'].concat(contents); });
@ -100,6 +101,7 @@ replaceBBCodeParamsRaw("email", function(param, contents) {
replaceBBCodeParams("size", function(param, contents) { replaceBBCodeParams("size", function(param, contents) {
return ['span', {'class': "bbcode-size-" + (parseInt(param, 10) || 1)}].concat(contents); return ['span', {'class': "bbcode-size-" + (parseInt(param, 10) || 1)}].concat(contents);
}); });
Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-size-\d+$/);
// Handles `[code] ... [/code]` blocks // Handles `[code] ... [/code]` blocks
Discourse.Dialect.replaceBlock({ Discourse.Dialect.replaceBlock({
@ -112,3 +114,4 @@ Discourse.Dialect.replaceBlock({
return ['p', ['pre', ['code', {'class': Discourse.SiteSettings.default_code_lang}, inner]]]; return ['p', ['pre', ['code', {'class': Discourse.SiteSettings.default_code_lang}, inner]]];
} }
}); });

View File

@ -258,6 +258,4 @@ Discourse.Markdown.whiteListTag('span', 'bbcode-i');
Discourse.Markdown.whiteListTag('span', 'bbcode-u'); Discourse.Markdown.whiteListTag('span', 'bbcode-u');
Discourse.Markdown.whiteListTag('span', 'bbcode-s'); Discourse.Markdown.whiteListTag('span', 'bbcode-s');
Discourse.Markdown.whiteListTag('span', 'class', /^bbcode-size-\d+$/);
Discourse.Markdown.whiteListIframe(/^(https?:)?\/\/www\.google\.com\/maps\/embed\?.+/i); Discourse.Markdown.whiteListIframe(/^(https?:)?\/\/www\.google\.com\/maps\/embed\?.+/i);

View File

@ -1,12 +1,12 @@
module("Discourse.BBCode"); module("Discourse.BBCode");
var format = function(input, expected, text) { var format = function(input, expected, text) {
var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false}); var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false, sanitize: true});
equal(cooked, "<p>" + expected + "</p>", text); equal(cooked, "<p>" + expected + "</p>", text);
}; };
var formatQ = function(input, expected, text) { var formatQ = function(input, expected, text) {
var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false}); var cooked = Discourse.Markdown.cook(input, {lookupAvatar: false, sanitize: true});
equal(cooked, expected, text); equal(cooked, expected, text);
}; };
@ -15,7 +15,7 @@ test('basic bbcode', function() {
format("[i]emphasis[/i]", "<span class=\"bbcode-i\">emphasis</span>", "italics text"); format("[i]emphasis[/i]", "<span class=\"bbcode-i\">emphasis</span>", "italics text");
format("[u]underlined[/u]", "<span class=\"bbcode-u\">underlined</span>", "underlines text"); format("[u]underlined[/u]", "<span class=\"bbcode-u\">underlined</span>", "underlines text");
format("[s]strikethrough[/s]", "<span class=\"bbcode-s\">strikethrough</span>", "strikes-through text"); format("[s]strikethrough[/s]", "<span class=\"bbcode-s\">strikethrough</span>", "strikes-through text");
format("[img]http://eviltrout.com/eviltrout.png[/img]", "<img src=\"http://eviltrout.com/eviltrout.png\"/>", "links images"); format("[img]http://eviltrout.com/eviltrout.png[/img]", "<img src=\"http://eviltrout.com/eviltrout.png\">", "links images");
format("[url]http://bettercallsaul.com[/url]", "<a href=\"http://bettercallsaul.com\">http://bettercallsaul.com</a>", "supports [url] without a title"); format("[url]http://bettercallsaul.com[/url]", "<a href=\"http://bettercallsaul.com\">http://bettercallsaul.com</a>", "supports [url] without a title");
format("[email]eviltrout@mailinator.com[/email]", "<a href=\"mailto:eviltrout@mailinator.com\">eviltrout@mailinator.com</a>", "supports [email] without a title"); format("[email]eviltrout@mailinator.com[/email]", "<a href=\"mailto:eviltrout@mailinator.com\">eviltrout@mailinator.com</a>", "supports [email] without a title");
format("[b]evil [i]trout[/i][/b]", format("[b]evil [i]trout[/i][/b]",
@ -37,7 +37,8 @@ test('code', function() {
test('spoiler', function() { test('spoiler', function() {
format("[spoiler]it's a sled[/spoiler]", "<span class=\"spoiler\">it's a sled</span>", "supports spoiler tags on text"); format("[spoiler]it's a sled[/spoiler]", "<span class=\"spoiler\">it's a sled</span>", "supports spoiler tags on text");
format("[spoiler]<img src='http://eviltrout.com/eviltrout.png' width='50' height='50'>[/spoiler]", "<div class=\"spoiler\"><img src='http://eviltrout.com/eviltrout.png' width='50' height='50'></div>", "supports spoiler tags on images"); format("[spoiler]<img src='http://eviltrout.com/eviltrout.png' width='50' height='50'>[/spoiler]",
"<div class=\"spoiler\"><img src=\"http://eviltrout.com/eviltrout.png\" width=\"50\" height=\"50\"></div>", "supports spoiler tags on images");
}); });
test('lists', function() { test('lists', function() {
@ -105,7 +106,7 @@ test("quotes", function() {
"it doesn't insert a new line for italics"); "it doesn't insert a new line for italics");
format("[quote=,script='a'><script>alert('test');//':a][/quote]", format("[quote=,script='a'><script>alert('test');//':a][/quote]",
"<aside class=\"quote\" data-script=&#x27;a&#x27;&gt;&lt;script&gt;alert(&#x27;test&#x27;);//&#x27;=\"a\"><blockquote></blockquote></aside>", "<aside class=\"quote\" data-script=\"'a'&gt;&lt;script&gt;alert('test');//'=\"><blockquote></blockquote></aside>",
"It will not create a script tag within an attribute"); "It will not create a script tag within an attribute");
}); });