From fbbd4999b6b8f61a7b013c3797d7f9e3e5e96155 Mon Sep 17 00:00:00 2001 From: Sam Date: Fri, 25 Jul 2014 12:15:14 +1000 Subject: [PATCH] FIX: remove invalid hack, correct whitelist to use value returned from callback --- app/assets/javascripts/defer/html-sanitizer-bundle.js | 8 +++++++- app/assets/javascripts/discourse/lib/markdown.js | 9 --------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/app/assets/javascripts/defer/html-sanitizer-bundle.js b/app/assets/javascripts/defer/html-sanitizer-bundle.js index dfc23db40ed..7e524149a35 100644 --- a/app/assets/javascripts/defer/html-sanitizer-bundle.js +++ b/app/assets/javascripts/defer/html-sanitizer-bundle.js @@ -2057,7 +2057,13 @@ var html = (function(html4) { } // Discourse modification: give us more flexibility with whitelists - if (opt_nmTokenPolicy && opt_nmTokenPolicy(tagName, attribName, value)) { continue; } + if (opt_nmTokenPolicy) { + var newValue = opt_nmTokenPolicy(tagName, attribName, value); + if (newValue) { + attribs[i + 1] = newValue; + continue; + } + } if (atype !== null) { switch (atype) { diff --git a/app/assets/javascripts/discourse/lib/markdown.js b/app/assets/javascripts/discourse/lib/markdown.js index c7141dd6410..3903892741f 100644 --- a/app/assets/javascripts/discourse/lib/markdown.js +++ b/app/assets/javascripts/discourse/lib/markdown.js @@ -14,15 +14,6 @@ var _validClasses = {}, function validateAttribute(tagName, attribName, value) { var tag = _validTags[tagName]; - // Handle possible attacks - // if you include html in your markdown, it better be valid - // - // We are SUPER strict cause nokogiri will sometimes "correct" - // this stuff "incorrectly" - if(/[<>"'`]/.test(value)){ - return; - } - // Handle classes if (attribName === "class") { if (_validClasses[value]) { return value; }