Posted to commits@allura.apache.org by br...@apache.org on 2016/10/04 13:54:05 UTC

allura git commit: Fix iframe sanitization so that closing tag is okay, which had been putting closing tags in the wrong place

Repository: allura
Updated Branches:
  refs/heads/master 0ae3e6d71 -> 779dc3345


Fix iframe sanitization so that closing tag is okay, which had been putting closing tags in the wrong place


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/779dc334
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/779dc334
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/779dc334

Branch: refs/heads/master
Commit: 779dc33455ca48f1a0f4b4ff8f845d4911663c59
Parents: 0ae3e6d
Author: Dave Brondsema <da...@brondsema.net>
Authored: Mon Oct 3 15:24:03 2016 -0400
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Mon Oct 3 15:24:03 2016 -0400

----------------------------------------------------------------------
 Allura/allura/lib/utils.py          | 12 ++++++++++++
 Allura/allura/tests/test_globals.py |  2 +-
 Allura/allura/tests/test_utils.py   |  2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/779dc334/Allura/allura/lib/utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 47352de..b75a7f8 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -22,6 +22,9 @@ import hashlib
 import binascii
 import logging.handlers
 import codecs
+
+from html5lib.constants import tokenTypes
+
 from ming.odm import session
 import os.path
 import datetime
@@ -558,13 +561,22 @@ class ForgeHTMLSanitizer(html5lib.sanitizer.HTMLSanitizer):
 
     valid_iframe_srcs = ('https://www.youtube.com/embed/', 'https://www.gittip.com/')
 
+    _prev_token_was_ok_iframe = False
+
     def sanitize_token(self, token):
         if 'iframe' in self.allowed_elements:
             self.allowed_elements.remove('iframe')
+        ok_opening_iframe = False
+
         if token.get('name') == 'iframe':
             attrs = dict(token.get('data'))
             if attrs.get('src', '').startswith(self.valid_iframe_srcs):
                 self.allowed_elements.append('iframe')
+                ok_opening_iframe = True
+            elif token.get('type') == tokenTypes["EndTag"] and self._prev_token_was_ok_iframe:
+                self.allowed_elements.append('iframe')
+
+        self._prev_token_was_ok_iframe = ok_opening_iframe
         return super(ForgeHTMLSanitizer, self).sanitize_token(token)
 
 
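Review bot: The end-tag allowance added in the `elif` branch only works when `</iframe>` is the token immediately after the approved start tag, because the new `self._prev_token_was_ok_iframe = ok_opening_iframe` line runs for every token and so resets the flag on any Characters token (whitespace or fallback text, if the tokenizer emits one between the two tags); in that case the start tag has already been let through but the end tag is treated as disallowed, leaving an unbalanced iframe in the output. Updating the flag only for iframe tokens avoids that: move that assignment inside the `if token.get('name') == 'iframe':` block so other tokens leave it untouched. Separately, and pre-existing rather than introduced here, `self.allowed_elements.remove('iframe')` / `.append('iframe')` mutate whatever list `allowed_elements` resolves to; if that is the class-level list inherited from html5lib's HTMLSanitizer (not visible here), the toggle is shared across all sanitizer instances, so a second sanitizer running concurrently could observe `'iframe'` as allowed for an arbitrary `src` — copying the list onto the instance in `__init__` (`self.allowed_elements = list(self.allowed_elements)`) would contain that. The enclosing class `ForgeHTMLSanitizer` begins outside the hunk.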

http://git-wip-us.apache.org/repos/asf/allura/blob/779dc334/Allura/allura/tests/test_globals.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_globals.py b/Allura/allura/tests/test_globals.py
index 5d2148b..def99a0 100644
--- a/Allura/allura/tests/test_globals.py
+++ b/Allura/allura/tests/test_globals.py
@@ -174,7 +174,7 @@ def test_macro_gittip_button():
     assert_equal(
         r,
         u'<div class="markdown_content"><p><iframe height="22pt" src="https://www.gittip.com/test/widget.html" '
-        u'style="border: 0; margin: 0; padding: 0;" width="48pt"></iframe>\n</p></div>')
+        u'style="border: 0; margin: 0; padding: 0;" width="48pt"></iframe></p>\n</div>')
 
 
 def test_macro_neighborhood_feeds():

http://git-wip-us.apache.org/repos/asf/allura/blob/779dc334/Allura/allura/tests/test_utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_utils.py b/Allura/allura/tests/test_utils.py
index fef8373..084aacd 100644
--- a/Allura/allura/tests/test_utils.py
+++ b/Allura/allura/tests/test_utils.py
@@ -263,7 +263,7 @@ class TestHTMLSanitizer(unittest.TestCase):
         p = utils.ForgeHTMLSanitizer(
             '<div><iframe src="https://www.youtube.com/embed/kOLpSPEA72U?feature=oembed"></iframe></div>')
         assert_equal(
-            self.simple_tag_list(p), ['div', 'iframe', 'div'])
+            self.simple_tag_list(p), ['div', 'iframe', 'iframe', 'div'])
 
     def test_html_sanitizer_form_elements(self):
         p = utils.ForgeHTMLSanitizer('<p>test</p><form method="post" action="http://localhost/foo.php"><input type=file><input type=text><textarea>asdf</textarea></form>')
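Review bot: The updated assertion only pins the happy path (allowed `src`, end tag immediately following); there is no case confirming that `</iframe>` is still rejected when its start tag had a disallowed `src`, which is the property the new end-tag branch must preserve. A second input such as `'<div><iframe src="https://example.invalid/x"></iframe></div>'` (constructed value) asserting `simple_tag_list(p) == ['div', 'div']` would lock that in, and a variant with whitespace between the allowed start and end tags would document the intended behaviour for that case. The enclosing test method starts outside the hunk.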