Improved removing of html comments.

Martin Edenhofer 2017-11-21 08:24:03 +01:00
parent 17ce2dcbde
commit 3417618798
3 changed files with 38 additions and 4 deletions


@ -9,7 +9,7 @@ module ChecksHtmlSanitized
def sanitized_html_attributes
html_attributes = self.class.instance_variable_get(:@sanitized_html) || []
return true if html_attributes.empty?
return true if html_attributes.blank?
html_attributes.each do |attribute|
value = send(attribute)


@ -19,6 +19,9 @@ satinize html string based on whiltelist
classes_whitelist = ['js-signatureMarker']
attributes_2_css = %w(width height)
# remove html comments
string.gsub!(/<!--.+?-->/m, '')
scrubber_link = Loofah::Scrubber.new do |node|
# check if href is different to text
@ -64,7 +67,7 @@ satinize html string based on whiltelist
urls.push match[1].to_s.strip
end
end
next if urls.empty?
next if urls.blank?
add_link(node.content, urls, node)
end
end
@ -136,7 +139,7 @@ satinize html string based on whiltelist
# move style attributes to css attributes
attributes_2_css.each do |key|
next if !node[key]
if node['style'].empty?
if node['style'].blank?
node['style'] = ''
else
node['style'] += ';'
@ -343,7 +346,7 @@ cleanup html string:
end
def self.add_link(content, urls, node)
if urls.empty?
if urls.blank?
text = Nokogiri::XML::Text.new(content, node.document)
node.add_next_sibling(text)
return
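Review bot: `string.gsub!(/<!--.+?-->/m, '')` in the first hunk of this file mutates the caller's argument in place and raises FrozenError on a frozen input (string literals are frozen wherever `# frozen_string_literal: true` is set, and the new test passes literals directly to `HtmlSanitizer.strict`); the enclosing method starts before the hunk, so unless `string` is already a private copy there, use `string = string.gsub(/<!--.+?-->/m, '')` instead. A regex pre-pass is also not the same as the parser's comment handling: an unterminated `<!--` (no closing `-->`) and the empty form `<!-->` are left untouched by this pattern, so comment nodes should still be dropped inside the Loofah scrubber rather than relying on the pre-pass alone. A one-line why-comment would help the next reader, e.g. `# strip (conditional) comments before parsing so markup inside <!--[if ...]> ... <![endif]--> never reaches the scrubber`. The remaining hunks (`empty?` → `blank?`) are fine; note that for `node['style']` this is a real fix, since `empty?` on a nil attribute would raise.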


@ -75,6 +75,37 @@ tt p://6 6.000146.0x7.147/">XSS</A>', true), 'XSS (<a href="http://66.000146.0x
assert_equal(HtmlSanitizer.strict('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'), 'alert(1)')
assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>'), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank">http://example.com</a>')
assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>', true), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank">http://example.com</a>')
assert_equal(HtmlSanitizer.strict('<div>
<style type="text/css">#outlook A {
.content { WIDTH: 100%; MAX-WIDTH: 740px }
A { COLOR: #666666; TEXT-DECORATION: none }
A:link { COLOR: #666666; TEXT-DECORATION: none }
A:hover { COLOR: #666666; TEXT-DECORATION: none }
A:active { COLOR: #666666; TEXT-DECORATION: none }
A:focus { COLOR: #666666; TEXT-DECORATION: none }
BODY { FONT-FAMILY: Calibri, Arial, Verdana, sans-serif }
</style>
<!--[if (gte mso 9)|(IE)]>
<META name=GENERATOR content="MSHTML 9.00.8112.16800"></HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2 face=Arial></FONT>&nbsp;</DIV>
<BLOCKQUOTE
style="BORDER-LEFT: #000000 2px solid; PADDING-LEFT: 5px; PADDING-RIGHT: 0px; MARGIN-LEFT: 5px; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=smith.test@example.dk
href="mailto:smith.test@example.dk">smith.test@example.dk</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Friday, November 10, 2017 9:11
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Din bestilling hos
example.dk - M123 - KD1234</DIV>
<div>&nbsp;</div>
<![endif]-->test 123
<blockquote></div>'), '<div>
test 123
<blockquote></blockquote>
</div>')
end
end
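Review bot: The new assertion covers only one well-formed conditional comment; since comments are now stripped with a regex before parsing, the test should also pin the cases a regex treats differently from the parser, e.g. an unterminated `<!--` and the empty form `<!-->`, and should check that the argument is not modified in place: `input = '<b>x</b><!-- c -->'; HtmlSanitizer.strict(input); assert_equal(input, '<b>x</b><!-- c -->')`. The expected-output literal also fixes exact whitespace and the auto-closed `<blockquote></blockquote>`, which couples the test to Nokogiri's serialization rather than to the comment removal being tested; a short comment saying so, or trimming the expectation to the surviving `test 123` text, would make the intent clearer.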