diff --git a/lib/html_sanitizer.rb b/lib/html_sanitizer.rb
index 83f0c2aec..750a019f9 100644
--- a/lib/html_sanitizer.rb
+++ b/lib/html_sanitizer.rb
@@ -46,12 +46,15 @@ satinize html string based on whiltelist
 # prepare links
 if node['href']
- href = cleanup_target(node['href'])
- if external && href.present? && !href.downcase.start_with?('//') && href.downcase !~ %r{^.{1,6}://.+?}
- node['href'] = "http://#{node['href']}"
- href = node['href']
+ href = cleanup_target(node['href'], keep_spaces: true)
+ href_without_spaces = href.gsub(/[[:space:]]/, '')
+ if external && href_without_spaces.present? && !href_without_spaces.downcase.start_with?('//') && href_without_spaces.downcase !~ %r{^.{1,6}://.+?}
+ node['href'] = "http://#{node['href']}"
+ href = node['href']
+ href_without_spaces = href.gsub(/[[:space:]]/, '')
 end
- next if !href.downcase.start_with?('http', 'ftp', '//')
+
+ next if !href_without_spaces.downcase.start_with?('http', 'ftp', '//')
 node.set_attribute('href', href)
 node.set_attribute('rel', 'nofollow noreferrer noopener')
 node.set_attribute('target', '_blank')
@@ -372,9 +375,14 @@ cleanup html string:
 string.gsub('&', '&').gsub('<', '<').gsub('>', '>').gsub('"', '"').gsub(' ', ' ')
 end
- def self.cleanup_target(string)
+ def self.cleanup_target(string, keep_spaces: false)
 string = CGI.unescape(string).encode('utf-8', 'binary', invalid: :replace, undef: :replace, replace: '?')
- string.gsub(/[[:space:]]|\t|\n|\r/, '').gsub(%r{/\*.*?\*/}, '').gsub(//, '').gsub(/\[.+?\]/, '').delete("\u0000")
+ blank_regex = if keep_spaces
+ /\t|\n|\r/
+ else
+ /[[:space:]]|\t|\n|\r/
+ end
+ string.strip.gsub(blank_regex, '').gsub(%r{/\*.*?\*/}, '').gsub(//, '').gsub(/\[.+?\]/, '').delete("\u0000")
 end
 def self.url_same?(url_new, url_old)
diff --git a/test/unit/aaa_string_test.rb b/test/unit/aaa_string_test.rb
index f7b61ab6e..1ab4ddaef 100644
--- a/test/unit/aaa_string_test.rb
+++ b/test/unit/aaa_string_test.rb
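Review bot: The value written on the `node.set_attribute('href', href)` line is cleanup_target's output, which has passed through CGI.unescape, and CGI.unescape also decodes `+` to a space; with `keep_spaces: true` a query such as `?q=a+b` is therefore stored as `?q=a b`, so the link served differs from the one the author wrote. The allowlist gate on `href_without_spaces` is unaffected by this, it is only the written value that changes, so consider keeping the cleaned string for the check and re-escaping it (or writing the original attribute) before set_attribute. In the external branch the `http://` prefix is applied to the raw `node['href']` rather than to `href`, so that path also skips the NUL and comment stripping cleanup_target performs. `href.gsub(/[[:space:]]/, '')` appears twice in the hunk; a small local lambda, or `cleanup_target(href)` with its default, would remove the duplication. The enclosing method starts before and ends after the hunk.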
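Review bot: cleanup_target now has two modes but nothing documents what each returns; I would add above the def `# Normalises an href/src value for the scheme checks: CGI-unescapes it, then drops /* */ comments, [..] sections and NULs;` / `# keep_spaces: false also removes every [[:space:]] character, keep_spaces: true only strips the ends and removes tab/CR/LF.` In the non-keep_spaces branch the `\t|\n|\r` alternatives are redundant because `[[:space:]]` already matches those three characters, so `/[[:space:]]/` reads the same. `string.strip` before the gsub is new in this hunk and is what removes leading and trailing blanks in keep_spaces mode; a short why-comment on that line would help the next reader. The `gsub(//, '')` call on the same line is a no-op as shown, which may be an artefact of how the patch was rendered rather than the real source.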
@@ -648,7 +648,7 @@ Men-----------------------'
 assert_equal(result, html.html2html_strict)
 html = 'http://what-different.example.com'
- result = "http://what-different.example.com"
+ result = "http://what-different.example.com"
 assert_equal(result, html.html2html_strict)
 html = 'http://EXAMPLE.com'
diff --git a/test/unit/email_parser_test.rb b/test/unit/email_parser_test.rb
index 389659fbd..1c1bc29df 100644
--- a/test/unit/email_parser_test.rb
+++ b/test/unit/email_parser_test.rb
@@ -940,7 +940,7 @@ end
 },
 {
 data: IO.binread('test/fixtures/mail43.box'),
- body_md5: '23cb094f443f41069b9f347a551e2e4d',
+ body_md5: 'a3b91a8969b54a67dd2154e70f74cc30',
 params: {
 from: 'Paula ',
 from_email: 'databases.en@example.com',
@@ -973,7 +973,7 @@ end
  • Polen
  • Russland
  • Slowenien
  • -
  • Slowakei
  • +
  • Slowakei
  • Ukraine
  • Anwendungsmöglichkeiten für Geschäftskontakte

    • Newsletter senden - Senden von Werbung per E-Mail (besonders effizient).
    • diff --git a/test/unit/html_sanitizer_test.rb b/test/unit/html_sanitizer_test.rb index a9e9e629b..e084a63cc 100644 --- a/test/unit/html_sanitizer_test.rb +++ b/test/unit/html_sanitizer_test.rb @@ -54,9 +54,9 @@ class HtmlSanitizerTest < ActiveSupport::TestCase assert_equal(HtmlSanitizer.strict(' +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-'), ' +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-') assert_equal(HtmlSanitizer.strict(''), '') assert_equal(HtmlSanitizer.strict('XSS'), 'XSS') +tt p://6 6.000146.0x7.147/">XSS'), 'XSS') assert_equal(HtmlSanitizer.strict('XSS', true), 'XSS') +tt p://6 6.000146.0x7.147/">XSS', true), 'XSS') assert_equal(HtmlSanitizer.strict('XSS'), 'XSS') assert_equal(HtmlSanitizer.strict('XSS', true), 'XSS') assert_equal(HtmlSanitizer.strict('
      '), 'X') @@ -113,7 +113,9 @@ test 123 assert_equal(HtmlSanitizer.strict('
      123
      '), '
      123
      ') assert_equal(HtmlSanitizer.strict('
      123
      '), '
      123
      ') assert_equal(HtmlSanitizer.strict('
      123
      '), '
      123
      ') - + assert_equal(HtmlSanitizer.strict('test'), 'test') + assert_equal(HtmlSanitizer.strict('test'), 'test') + assert_equal(HtmlSanitizer.strict('test'), 'test') end end