FIX: Do not allow users to create tables

2024-11-23 23:58:31 -05:00 · 2013-10-21 13:32:15 -04:00 · 2013-10-21 13:32:15 -04:00 · d9a16079a5
commit d9a16079a5
parent 7a5c3bfcd8
2 changed files with 12 additions and 67 deletions
--- a/app/assets/javascripts/defer/html-sanitizer-bundle.js
+++ b/app/assets/javascripts/defer/html-sanitizer-bundle.js
@ -409,7 +409,7 @@ URI.prototype.setPath = function (newPath) {
 URI.prototype.setRawPath = function (newPath) {
  if (newPath) {
    newPath = String(newPath);
-    this.path_ =
+    this.path_ = 
      // Paths must start with '/' unless this is a path-relative URL.
      (!this.domain_ || /^\//.test(newPath)) ? newPath : '/' + newPath;
  } else {
@ -745,7 +745,7 @@ if (typeof window !== 'undefined') {
 ;
 // Copyright Google Inc.
 // Licensed under the Apache Licence Version 2.0
-// Autogenerated at Fri Oct 11 16:16:32 EDT 2013
+// Autogenerated at Mon Oct 21 13:30:08 EDT 2013
 // @overrides window
 // @provides html4
 var html4 = {};
@ -986,33 +986,6 @@ html4.ATTRIBS = {
  'select::size': 0,
  'select::tabindex': 0,
  'source::type': 0,
-  'table::align': 0,
-  'table::bgcolor': 0,
-  'table::border': 0,
-  'table::cellpadding': 0,
-  'table::cellspacing': 0,
-  'table::frame': 0,
-  'table::rules': 0,
-  'table::summary': 0,
-  'table::width': 0,
-  'tbody::align': 0,
-  'tbody::char': 0,
-  'tbody::charoff': 0,
-  'tbody::valign': 0,
-  'td::abbr': 0,
-  'td::align': 0,
-  'td::axis': 0,
-  'td::bgcolor': 0,
-  'td::char': 0,
-  'td::charoff': 0,
-  'td::colspan': 0,
-  'td::headers': 6,
-  'td::height': 0,
-  'td::nowrap': 0,
-  'td::rowspan': 0,
-  'td::scope': 0,
-  'td::valign': 0,
-  'td::width': 0,
  'textarea::accesskey': 0,
  'textarea::autocomplete': 0,
  'textarea::cols': 0,
@ -1029,33 +1002,6 @@ html4.ATTRIBS = {
  'textarea::rows': 0,
  'textarea::tabindex': 0,
  'textarea::wrap': 0,
-  'tfoot::align': 0,
-  'tfoot::char': 0,
-  'tfoot::charoff': 0,
-  'tfoot::valign': 0,
-  'th::abbr': 0,
-  'th::align': 0,
-  'th::axis': 0,
-  'th::bgcolor': 0,
-  'th::char': 0,
-  'th::charoff': 0,
-  'th::colspan': 0,
-  'th::headers': 6,
-  'th::height': 0,
-  'th::nowrap': 0,
-  'th::rowspan': 0,
-  'th::scope': 0,
-  'th::valign': 0,
-  'th::width': 0,
-  'thead::align': 0,
-  'thead::char': 0,
-  'thead::charoff': 0,
-  'thead::valign': 0,
-  'tr::align': 0,
-  'tr::bgcolor': 0,
-  'tr::char': 0,
-  'tr::charoff': 0,
-  'tr::valign': 0,
  'track::default': 0,
  'track::kind': 0,
  'track::label': 0,
@ -1190,16 +1136,16 @@ html4.ELEMENTS = {
  'sub': 0,
  'summary': 0,
  'sup': 0,
-  'table': 0,
-  'tbody': 1,
-  'td': 1,
+  'table': 272,
+  'tbody': 273,
+  'td': 273,
  'textarea': 8,
  'tfoot': 1,
-  'th': 1,
-  'thead': 1,
+  'th': 273,
+  'thead': 273,
  'time': 0,
  'title': 280,
-  'tr': 1,
+  'tr': 273,
  'track': 2,
  'tt': 0,
  'u': 0,
@ -2357,11 +2303,9 @@ var html = (function(html4) {
            break;
        }
      } else {
-        if (!/^data\-/.test(attribName)) {
-          value = null;
-          if (opt_logger) {
-            log(opt_logger, tagName, attribName, oldValue, value);
-          }
+        value = null;
+        if (opt_logger) {
+          log(opt_logger, tagName, attribName, oldValue, value);
        }
      }
      attribs[i + 1] = value;
--- a/test/javascripts/components/markdown_test.js
+++ b/test/javascripts/components/markdown_test.js
@ -322,6 +322,7 @@ test("sanitize", function() {
         "<p><a href=\"http://disneyland.disney.go.com/\">disney</a> <a href=\"http://reddit.com\">reddit</a></p>",
         "we can embed proper links");

+  cooked("<table><tr><td>hello</td></tr></table>\nafter", "<p>after</p>", "it does not allow tables");
  cooked("<blockquote>a\n</blockquote>\n", "<blockquote>a\n\n<br/>\n\n</blockquote>", "it does not double sanitize");
 });