Sutty/trabajo-afectivo
5
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Add sanitize duplicated domains in rich text form input (fixes #2019)

Browse source
This commit is contained in:
Ryan Lue 2018-07-16 15:23:57 +08:00
parent 02d0802099
commit 0b39137cd7
3 changed files with 36 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
app/assets/javascripts/app/lib/app_post/utils.coffee
View file

@ -262,6 +262,10 @@ class App.Utils
# remove word markup # remove word markup
@_removeWordMarkup(html) @_removeWordMarkup(html)
# strip out browser-inserted (broken) link
# (see https://github.com/zammad/zammad/issues/2019)
@_stripDoubleDomainAnchors(html)
# remove tags, keep content # remove tags, keep content
html.find('font, small, time, form, label').replaceWith( -> html.find('font, small, time, form, label').replaceWith( ->
$(@).contents() $(@).contents()
@ -395,6 +399,15 @@ class App.Utils
return window.word_filter(html) return window.word_filter(html)
html html
@_stripDoubleDomainAnchors: (html) ->
html.find('a').each( ->
origHref = $(@).attr('href')
return if !origHref?
fixedHref = origHref.replace(/^https?:\/\/.*(?=(https?|#{config.http_type}):\/\/)/, '')
if origHref != fixedHref then $(@).attr('href', fixedHref)
)
# signatureNeeded = App.Utils.signatureCheck(message, signature) # signatureNeeded = App.Utils.signatureCheck(message, signature)
@signatureCheck: (message, signature) -> @signatureCheck: (message, signature) ->
messageText = $('<div>' + message + '</div>').text().trim() messageText = $('<div>' + message + '</div>').text().trim()

16
db/migrate/20180716060129_issue_2019_fix_double_domain_links_in_trigger_emails.rb Normal file
View file

@ -0,0 +1,16 @@
class Issue2019FixDoubleDomainLinksInTriggerEmails < ActiveRecord::Migration[5.1]
DOUBLE_DOMAIN_REGEX = %r{(?<=<a href=")https?://[^"]+(?=(https?|\#{config\.http_type})://.+?".*?>)}
def up
Trigger.where('perform LIKE ?', '%notification.email: %')
.find_each do |t|
email_response = t.perform['notification.email']
next if email_response.blank? || !email_response['body']&.match(DOUBLE_DOMAIN_REGEX)
email_response['body'] = email_response['body'].gsub(DOUBLE_DOMAIN_REGEX, '')
next if !t.perform_changed?
t.save
end
end
end

6
public/assets/tests/html_utils.js
View file

@ -651,6 +651,12 @@ test("htmlCleanup", function() {
result = App.Utils.htmlCleanup(source) result = App.Utils.htmlCleanup(source)
equal(result.get(0).outerHTML, should, source) equal(result.get(0).outerHTML, should, source)
// strip out browser-inserted (broken) link (see https://github.com/zammad/zammad/issues/2019)
source = "<div><a href=\"https://example.com/#{config.http_type}://#{config.fqdn}/#ticket/zoom/#{ticket.id}\">test</a></div>"
should = "<a href=\"#{config.http_type}://#{config.fqdn}/#ticket/zoom/#{ticket.id}\">test</a>"
result = App.Utils.htmlCleanup(source)
equal(result.html(), should, source)
source = "<table bgcolor=\"green\" aaa=\"1\" style=\"color: red\"><thead><tr style=\"margin-top: 10px\"><th colspan=\"2\" abc=\"a\" style=\"margin-top: 12px\">aaa</th></tr></thead><tbody><tr><td>value</td></tr></tbody></table>" source = "<table bgcolor=\"green\" aaa=\"1\" style=\"color: red\"><thead><tr style=\"margin-top: 10px\"><th colspan=\"2\" abc=\"a\" style=\"margin-top: 12px\">aaa</th></tr></thead><tbody><tr><td>value</td></tr></tbody></table>"
should = "<table bgcolor=\"green\" style=\"color:red;\"><thead><tr style=\"margin-top:10px;\"><th colspan=\"2\" style=\"margin-top:12px;\">aaa</th></tr></thead><tbody><tr><td>value</td></tr></tbody></table>" should = "<table bgcolor=\"green\" style=\"color:red;\"><thead><tr style=\"margin-top:10px;\"><th colspan=\"2\" style=\"margin-top:12px;\">aaa</th></tr></thead><tbody><tr><td>value</td></tr></tbody></table>"
result = App.Utils.htmlCleanup(source) result = App.Utils.htmlCleanup(source)