From d9a16079a5a0a686c215ed7565c45d1a72166b89 Mon Sep 17 00:00:00 2001 From: Robin Ward Date: Mon, 21 Oct 2013 13:32:15 -0400 Subject: [PATCH] FIX: Do not allow users to create tables --- .../defer/html-sanitizer-bundle.js | 78 +++---------------- test/javascripts/components/markdown_test.js | 1 + 2 files changed, 12 insertions(+), 67 deletions(-) diff --git a/app/assets/javascripts/defer/html-sanitizer-bundle.js b/app/assets/javascripts/defer/html-sanitizer-bundle.js index ccdebf3a9..146fad1cf 100644 --- a/app/assets/javascripts/defer/html-sanitizer-bundle.js +++ b/app/assets/javascripts/defer/html-sanitizer-bundle.js @@ -409,7 +409,7 @@ URI.prototype.setPath = function (newPath) { URI.prototype.setRawPath = function (newPath) { if (newPath) { newPath = String(newPath); - this.path_ = + this.path_ = // Paths must start with '/' unless this is a path-relative URL. (!this.domain_ || /^\//.test(newPath)) ? newPath : '/' + newPath; } else { @@ -745,7 +745,7 @@ if (typeof window !== 'undefined') { ; // Copyright Google Inc. // Licensed under the Apache Licence Version 2.0 -// Autogenerated at Fri Oct 11 16:16:32 EDT 2013 +// Autogenerated at Mon Oct 21 13:30:08 EDT 2013 // @overrides window // @provides html4 var html4 = {}; @@ -986,33 +986,6 @@ html4.ATTRIBS = { 'select::size': 0, 'select::tabindex': 0, 'source::type': 0, - 'table::align': 0, - 'table::bgcolor': 0, - 'table::border': 0, - 'table::cellpadding': 0, - 'table::cellspacing': 0, - 'table::frame': 0, - 'table::rules': 0, - 'table::summary': 0, - 'table::width': 0, - 'tbody::align': 0, - 'tbody::char': 0, - 'tbody::charoff': 0, - 'tbody::valign': 0, - 'td::abbr': 0, - 'td::align': 0, - 'td::axis': 0, - 'td::bgcolor': 0, - 'td::char': 0, - 'td::charoff': 0, - 'td::colspan': 0, - 'td::headers': 6, - 'td::height': 0, - 'td::nowrap': 0, - 'td::rowspan': 0, - 'td::scope': 0, - 'td::valign': 0, - 'td::width': 0, 'textarea::accesskey': 0, 'textarea::autocomplete': 0, 'textarea::cols': 0, 
@@ -1029,33 +1002,6 @@ html4.ATTRIBS = { 'textarea::rows': 0, 'textarea::tabindex': 0, 'textarea::wrap': 0, - 'tfoot::align': 0, - 'tfoot::char': 0, - 'tfoot::charoff': 0, - 'tfoot::valign': 0, - 'th::abbr': 0, - 'th::align': 0, - 'th::axis': 0, - 'th::bgcolor': 0, - 'th::char': 0, - 'th::charoff': 0, - 'th::colspan': 0, - 'th::headers': 6, - 'th::height': 0, - 'th::nowrap': 0, - 'th::rowspan': 0, - 'th::scope': 0, - 'th::valign': 0, - 'th::width': 0, - 'thead::align': 0, - 'thead::char': 0, - 'thead::charoff': 0, - 'thead::valign': 0, - 'tr::align': 0, - 'tr::bgcolor': 0, - 'tr::char': 0, - 'tr::charoff': 0, - 'tr::valign': 0, 'track::default': 0, 'track::kind': 0, 'track::label': 0, @@ -1190,16 +1136,16 @@ html4.ELEMENTS = { 'sub': 0, 'summary': 0, 'sup': 0, - 'table': 0, - 'tbody': 1, - 'td': 1, + 'table': 272, + 'tbody': 273, + 'td': 273, 'textarea': 8, 'tfoot': 1, - 'th': 1, - 'thead': 1, + 'th': 273, + 'thead': 273, 'time': 0, 'title': 280, - 'tr': 1, + 'tr': 273, 'track': 2, 'tt': 0, 'u': 0, @@ -2357,11 +2303,9 @@ var html = (function(html4) { break; } } else { - if (!/^data\-/.test(attribName)) { - value = null; - if (opt_logger) { - log(opt_logger, tagName, attribName, oldValue, value); - } + value = null; + if (opt_logger) { + log(opt_logger, tagName, attribName, oldValue, value); } } attribs[i + 1] = value; diff --git a/test/javascripts/components/markdown_test.js b/test/javascripts/components/markdown_test.js index ad6d5edd1..b5620883e 100644 --- a/test/javascripts/components/markdown_test.js +++ b/test/javascripts/components/markdown_test.js @@ -322,6 +322,7 @@ test("sanitize", function() { "
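Review bot: `'tfoot': 1,` is left untouched as a context line in the html4.ELEMENTS hunk while every sibling table element (table, tbody, td, th, thead, tr) is moved to 272/273, so tfoot remains an allowed element even though its attribute whitelist is deleted in the hunk just before. Browsers generally ignore a stray tfoot start tag outside a table, so this is most likely a consistency gap rather than an exploitable one, but it contradicts the commit's stated intent and the new test case would not catch it. Suggest `'tfoot': 273,` to match the others. The meaning of these flag values is inferred from the surrounding entries (e.g. `'title': 280`) and should be confirmed against the html4 flag constants defined elsewhere in the bundle.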
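Review bot: Removing the `if (!/^data\-/.test(attribName))` guard in the attribute loop changes behaviour beyond what the commit title says: any `data-*` attribute not in the whitelist is now nulled and logged like every other unknown attribute, whereas before it was passed through with its value intact. That is the safer default, but nothing in the commit message records it and the test hunk adds only the table case, so a later contributor could reintroduce the passthrough without noticing. Add a short comment where the guard used to be, e.g. `// Unknown attributes, including data-*, are dropped; whitelist them in html4.ATTRIBS instead.`, and a cooked() case in markdown_test.js asserting that a data- attribute on an otherwise allowed element is stripped. The enclosing attribute loop starts and ends outside this hunk.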

disney reddit

", "we can embed proper links"); + cooked("
hello
\nafter", "

after

", "it does not allow tables"); cooked("
a\n
\n", "
a\n\n
\n\n
", "it does not double sanitize"); });