Fixes issue #3255 - In certain cases not all content of an html email is shown (HTML sanitizer will remove too much)

This commit is contained in:
Martin Edenhofer 2020-10-27 08:14:20 +01:00 committed by Thorsten Eckel
parent 0b9e6676f8
commit 16872c3c89
3 changed files with 25 additions and 3 deletions


@ -1,6 +1,7 @@
# content of this tags will also be removed # content of this tags will also be removed
Rails.application.config.html_sanitizer_tags_remove_content = %w[ Rails.application.config.html_sanitizer_tags_remove_content = %w[
style style
comment
] ]
# content of this tags will will be inserted html quoted # content of this tags will will be inserted html quoted
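Review bot: The new entry `comment` is not an HTML tag name, so a reader of this list (whose header talks about "tags") has no way to know what it matches; Nokogiri reports `<!-- ... -->` nodes under the node name `comment`, and that is presumably what the sanitizer keys on. Document that on the line itself, e.g. `comment # not a tag: Nokogiri names <!-- ... --> nodes "comment"`. Since this list drives what gets dropped from every inbound HTML email, a one-line pointer to the scrubber that consumes it would also help the next person who edits it.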


@ -28,9 +28,6 @@ satinize html string based on whiltelist
classes_whitelist = %w[js-signatureMarker yahoo_quoted] classes_whitelist = %w[js-signatureMarker yahoo_quoted]
attributes_2_css = %w[width height] attributes_2_css = %w[width height]
# remove html comments
string.gsub!(/<!--.+?-->/m, '')
scrubber_link = Loofah::Scrubber.new do |node| scrubber_link = Loofah::Scrubber.new do |node|
# wrap plain-text URLs in <a> tags # wrap plain-text URLs in <a> tags
@ -200,6 +197,15 @@ satinize html string based on whiltelist
string = new_string string = new_string
end end
scrubber_tag_remove = Loofah::Scrubber.new do |node|
# remove tags with subtree
next if tags_remove_content.exclude?(node.name)
node.remove
Loofah::Scrubber::STOP
end
string = Loofah.fragment(string).scrub!(scrubber_tag_remove).to_s
Loofah.fragment(string).scrub!(scrubber_link).to_s Loofah.fragment(string).scrub!(scrubber_link).to_s
end end
rescue Timeout::Error rescue Timeout::Error
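Review bot: The new `scrubber_tag_remove` matches on `node.name`, and the only reason the config entry `comment` strips `<!-- ... -->` is that Nokogiri gives comment nodes that literal name; nothing in the code says so, and the scrubber also silently covers `style` a second time. Add `# node.name is "comment" for Nokogiri comment nodes, so the "comment" config entry removes <!-- ... --> here` above the `next if` line. Note also that the removed pre-parse `string.gsub!(/<!--.+?-->/m, '')` ran before any parsing, whereas the new removal happens as a late pass just before the link scrubber, so any earlier pass that works on the raw `string` (the `new_string` loop ending just above this hunk appears to be one) now sees comment bodies it never saw before; that is probably fine, but worth confirming, as the start of this method and the definition of `tags_remove_content` are outside the hunk. Returning `Loofah::Scrubber::STOP` after `node.remove` is correct, since descending into a removed subtree is pointless.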


@ -104,6 +104,21 @@ style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MA
test 123 test 123
<blockquote></blockquote> <blockquote></blockquote>
</div>') </div>')
assert_equal(HtmlSanitizer.strict('<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div>123</div>
<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2" width="1" height="1">abc</a></div>'), '
<div>123</div>
<a href="#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2">abc</a>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>') assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>') assert_equal(HtmlSanitizer.strict('<table><tr style="font-size: 0px"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>') assert_equal(HtmlSanitizer.strict('<table><tr style="font-size:0"><td>123</td></tr></table>'), '<table><tr><td>123</td></tr></table>')
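Review bot: The new assertion only exercises comments adjacent to a `<style>` block and MSO conditional comments, but the commit replaced a pre-parse regex with node-level removal, so the security-relevant case is a comment that wraps active markup. Add a case such as `assert_equal(HtmlSanitizer.strict('a<!-- <script>alert(1)</script> -->b'), 'ab')` to pin that the comment body is dropped as a whole rather than unwrapped. The input on the last line of the new test also ends with an unmatched `</div>` that the expected output silently omits; either drop it or mention in a comment that parser tolerance is being relied on, so a future change to the parser does not make this assertion fail for an unrelated reason.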