Posted to commits@allura.apache.org by br...@apache.org on 2016/10/04 13:54:05 UTC
allura git commit: Fix iframe sanitization so that closing tag is
okay, which had been putting closing tags in the wrong place
Repository: allura
Updated Branches:
refs/heads/master 0ae3e6d71 -> 779dc3345
Fix iframe sanitization so that the closing tag is accepted; rejecting it had been putting closing tags in the wrong place
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/779dc334
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/779dc334
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/779dc334
Branch: refs/heads/master
Commit: 779dc33455ca48f1a0f4b4ff8f845d4911663c59
Parents: 0ae3e6d
Author: Dave Brondsema <da...@brondsema.net>
Authored: Mon Oct 3 15:24:03 2016 -0400
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Mon Oct 3 15:24:03 2016 -0400
----------------------------------------------------------------------
Allura/allura/lib/utils.py | 12 ++++++++++++
Allura/allura/tests/test_globals.py | 2 +-
Allura/allura/tests/test_utils.py | 2 +-
3 files changed, 14 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/779dc334/Allura/allura/lib/utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/lib/utils.py b/Allura/allura/lib/utils.py
index 47352de..b75a7f8 100644
--- a/Allura/allura/lib/utils.py
+++ b/Allura/allura/lib/utils.py
@@ -22,6 +22,9 @@ import hashlib
import binascii
import logging.handlers
import codecs
+
+from html5lib.constants import tokenTypes
+
from ming.odm import session
import os.path
import datetime
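Review bot: The new `from html5lib.constants import tokenTypes` sits between the `codecs` and `os.path` stdlib imports, splitting that group; it belongs next to the other third-party import (`from ming.odm import session`) or beside the existing `html5lib` import the file must have elsewhere, since `html5lib.sanitizer.HTMLSanitizer` is referenced at the class line in the next hunk. The surrounding grouping is already mixed, so this is only a style nit.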
@@ -558,13 +561,22 @@ class ForgeHTMLSanitizer(html5lib.sanitizer.HTMLSanitizer):
valid_iframe_srcs = ('https://www.youtube.com/embed/', 'https://www.gittip.com/')
+ _prev_token_was_ok_iframe = False
+
def sanitize_token(self, token):
if 'iframe' in self.allowed_elements:
self.allowed_elements.remove('iframe')
+ ok_opening_iframe = False
+
if token.get('name') == 'iframe':
attrs = dict(token.get('data'))
if attrs.get('src', '').startswith(self.valid_iframe_srcs):
self.allowed_elements.append('iframe')
+ ok_opening_iframe = True
+ elif token.get('type') == tokenTypes["EndTag"] and self._prev_token_was_ok_iframe:
+ self.allowed_elements.append('iframe')
+
+ self._prev_token_was_ok_iframe = ok_opening_iframe
return super(ForgeHTMLSanitizer, self).sanitize_token(token)
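Review bot: The branch that sets `ok_opening_iframe = True` keys on `token.get('name') == 'iframe'` plus the src prefix but never on the token type, so if html5lib keeps attributes on end-tag tokens (I believe it does, reporting them as a parse error rather than dropping them) an end tag written as `</iframe src="https://www.youtube.com/embed/...">` would also set `_prev_token_was_ok_iframe`; the emitted token is still an end tag, so this is a correctness gap rather than an injection path, but the intent reads more precisely as `if token.get('type') in (tokenTypes["StartTag"], tokenTypes["EmptyTag"]) and attrs.get('src', '').startswith(self.valid_iframe_srcs):`. A second, hedged point: both `self.allowed_elements.append('iframe')` sites and the `remove('iframe')` mutate whatever list `allowed_elements` is bound to, and if that is the class-level list inherited from html5lib's sanitizer, two sanitizers running concurrently could observe each other's temporary `'iframe'` entry; copying the list onto the instance in the constructor (`self.allowed_elements = list(self.allowed_elements)`) would keep the toggle private — this predates the commit, but the new end-tag branch adds a second append site. The new class attribute also deserves a comment, e.g. `# set per token by sanitize_token: True only while the immediately preceding token was an accepted <iframe> start tag, so its matching </iframe> is allowed; any other token (including text inside the iframe) clears it`. The class body continues outside the hunk.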
http://git-wip-us.apache.org/repos/asf/allura/blob/779dc334/Allura/allura/tests/test_globals.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_globals.py b/Allura/allura/tests/test_globals.py
index 5d2148b..def99a0 100644
--- a/Allura/allura/tests/test_globals.py
+++ b/Allura/allura/tests/test_globals.py
@@ -174,7 +174,7 @@ def test_macro_gittip_button():
assert_equal(
r,
u'<div class="markdown_content"><p><iframe height="22pt" src="https://www.gittip.com/test/widget.html" '
- u'style="border: 0; margin: 0; padding: 0;" width="48pt"></iframe>\n</p></div>')
+ u'style="border: 0; margin: 0; padding: 0;" width="48pt"></iframe></p>\n</div>')
def test_macro_neighborhood_feeds():
http://git-wip-us.apache.org/repos/asf/allura/blob/779dc334/Allura/allura/tests/test_utils.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_utils.py b/Allura/allura/tests/test_utils.py
index fef8373..084aacd 100644
--- a/Allura/allura/tests/test_utils.py
+++ b/Allura/allura/tests/test_utils.py
@@ -263,7 +263,7 @@ class TestHTMLSanitizer(unittest.TestCase):
p = utils.ForgeHTMLSanitizer(
'<div><iframe src="https://www.youtube.com/embed/kOLpSPEA72U?feature=oembed"></iframe></div>')
assert_equal(
- self.simple_tag_list(p), ['div', 'iframe', 'div'])
+ self.simple_tag_list(p), ['div', 'iframe', 'iframe', 'div'])
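Review bot: The updated `assert_equal` only pins the accepted case; the other half of the new behaviour — that an `</iframe>` is still rejected when its start tag was rejected, and that a bare `</iframe>` with no start tag is rejected — has no test here. A companion case such as `p = utils.ForgeHTMLSanitizer('<div><iframe src="https://example.org/not-allowed/"></iframe></div>')` (constructed src) asserting that `self.simple_tag_list(p)` contains no `'iframe'` entry would pin that, with the exact expected list confirmed against how `simple_tag_list` treats escaped text. The test method's `def` line lies outside the hunk.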
def test_html_sanitizer_form_elements(self):
p = utils.ForgeHTMLSanitizer('<p>test</p><form method="post" action="http://localhost/foo.php"><input type=file><input type=text><textarea>asdf</textarea></form>')