Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: remove invalid hack, correct whitelist to use value returned from callback

This commit is contained in:
Sam 2014-07-25 12:15:14 +10:00
parent f2b554be13
commit fbbd4999b6
2 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/assets/javascripts/defer/html-sanitizer-bundle.js
View File

@ -2057,7 +2057,13 @@ var html = (function(html4) {
} }
// Discourse modification: give us more flexibility with whitelists // Discourse modification: give us more flexibility with whitelists
if (opt_nmTokenPolicy && opt_nmTokenPolicy(tagName, attribName, value)) { continue; } if (opt_nmTokenPolicy) {
var newValue = opt_nmTokenPolicy(tagName, attribName, value);
if (newValue) {
attribs[i + 1] = newValue;
continue;
}
}
if (atype !== null) { if (atype !== null) {
switch (atype) { switch (atype) {

9
app/assets/javascripts/discourse/lib/markdown.js
View File

@ -14,15 +14,6 @@ var _validClasses = {},
function validateAttribute(tagName, attribName, value) { function validateAttribute(tagName, attribName, value) {
var tag = _validTags[tagName]; var tag = _validTags[tagName];
// Handle possible attacks
// if you include html in your markdown, it better be valid
//
// We are SUPER strict cause nokogiri will sometimes "correct"
// this stuff "incorrectly"
if(/[<>"'`]/.test(value)){
return;
}
// Handle classes // Handle classes
if (attribName === "class") { if (attribName === "class") {
if (_validClasses[value]) { return value; } if (_validClasses[value]) { return value; }