Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Html whitelist #3164

Merged
merged 1 commit into from
Apr 20, 2016
Merged

Html whitelist #3164

merged 1 commit into from
Apr 20, 2016

Conversation

bricesanchez
Copy link
Member

This PR replaces #3154, it's just a rebase on master.

@bricesanchez bricesanchez mentioned this pull request Apr 19, 2016
Closed
@bricesanchez bricesanchez added this to the 3.0.3 milestone Apr 19, 2016
@anitagraham
Copy link
Contributor

Thankyou for the rescue @bricesanchez

@bricesanchez
Copy link
Member Author

You're welcome!

@bricesanchez
Copy link
Member Author

@parndt, it's ready to be merged if you're ok.

@parndt parndt merged commit aae503b into master Apr 20, 2016
@parndt parndt deleted the HTML_Whitelist-rebase branch April 20, 2016 22:51
@bricesanchez bricesanchez mentioned this pull request Apr 22, 2016
Closed
@sintro
Copy link

sintro commented Jun 16, 2016
edited
Loading

Ok, and how I can remove some elements from whitelist? If I want to disable the possibility of including <script> in pages body for example?

@parndt
Copy link
Member

parndt commented Jun 16, 2016

<script> tags should already be disabled?

@anitagraham
Copy link
Contributor

Well I suppose, if it were required we could include a blacklist if there was a demand (taking @parndt 's comment into consideration).

@sintro
Copy link

sintro commented Jun 17, 2016
edited
Loading

@parndt , I just tried to save <script>alert('hello')</script>; (by switching to HTML editor), and after that I successfully alerted when opened that page.
By reading this

refinerycms/pages/lib/refinery/pages/configuration.rb

Line 32 in c793da0

Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS.merge(config.add_whitelist_elements)
line I see, that there are only Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS whitelisted elements, which does not include 'script' tag. So I am sure it is rendered by =raw @page.content_for(:body), which I use in page`s template. Probably, to prevent script from being displayed I should use more complex way of rendering, like it is in

refinerycms/pages/app/presenters/refinery/pages/section_presenter.rb

Line 71 in c793da0

def sanitize_content(input)
, but the question is actual anyway - what if I want to remove some of these https://github.com/flavorjones/loofah/blob/2b2b5aa184d6127ac666931112faa6370f01a389/lib/loofah/html5/whitelist.rb#L49 tags?

@bricesanchez
Copy link
Member Author

bricesanchez commented Jun 17, 2016
edited
Loading

@sintro

Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS whitelisted elements, which does not include 'script'

Which is not explicitly whitelisted is forbidden.

So I am sure it is rendered by =raw @page.content_for(:body)

The HTML sanitizer is for frontend only, so <script> tags could be recorded in backend but they won't rendered in frontend.

@sintro
Copy link

sintro commented Jun 17, 2016

@bricesanchez , exactly, that is what I have noticed in #3164 (comment), but the question is still here: what if I want to disable some of ALLOWED_ELEMENTS`s default tags?

@bricesanchez
Copy link
Member Author

@sintro Ok, i understand. So you will have to override the Refinery::Pages configurable class if you want to disable more tags in frontend :

refinerycms/pages/lib/refinery/pages/configuration.rb

Lines 31 to 33 in c793da0

def whitelist_elements
Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS.merge(config.add_whitelist_elements)
end

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@parndt parndt

Labels
3-0-stable
Projects
None yet
Milestone
3.0.3
Development

Successfully merging this pull request may close these issues.
4 participants
@bricesanchez @anitagraham @sintro @parndt