added sanitize, fixes #26: Clicking the wiki link withing comments gives a "page does not exist" error

2011-09-13 15:19:07 -04:00 · 2011-09-13 15:19:07 -04:00 · a19dd6a69f
commit a19dd6a69f
parent 6da2bbde0d
5 changed files with 25 additions and 17 deletions
--- a/1
+++ b/1
@ -27,6 +27,7 @@ gem "nokogiri"
 gem "meta_search", :git => "git://github.com/ernie/meta_search.git"
 gem "silent-postgres"
 gem "whenever", :require => false
+gem "sanitize", :git => "git://github.com/rgrove/sanitize.git"

 group :development do
  gem 'pry'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -8,6 +8,13 @@ GIT
      activesupport (~> 3.1.0)
      polyamorous (~> 0.5.0)

+GIT
+  remote: git://github.com/rgrove/sanitize.git
+  revision: afdfa8f7f4129820c573f94f79b99aed715a385d
+  specs:
+    sanitize (2.0.3)
+      nokogiri (< 1.6, >= 1.4.4)
+
 GIT
  remote: http://github.com/EmmanuelOga/ffaker.git
  revision: f94bcf502fcdd4ba5f29155a3df1811af2663950
@ -179,6 +186,7 @@ DEPENDENCIES
  pg
  pry
  rails (= 3.1.0)
+  sanitize!
  shoulda
  silent-postgres
  simple_form
--- a/app/logical/d_text.rb
+++ b/app/logical/d_text.rb
@ -11,11 +11,6 @@ class DText
  end
  
  def self.parse_inline(str, options = {})
-    str = parse_aliased_wiki_links(str)
-    str = parse_wiki_links(str)
-    str = parse_post_links(str)
-    str = parse_id_links(str)
-    
    str.gsub!(/\n/m, "<br>")
    str.gsub!(/\[b\](.+?)\[\/b\]/i, '<strong>\1</strong>')
    str.gsub!(/\[i\](.+?)\[\/i\]/i, '<em>\1</em>')
@ -26,6 +21,10 @@ class DText
    str.gsub!(/\[url=(.+?)\](.+?)\[\/url\]/m) do
      %{<a href="#{u($1)}">#{h($2)}</a>}
    end
+    str = parse_aliased_wiki_links(str)
+    str = parse_wiki_links(str)
+    str = parse_post_links(str)
+    str = parse_id_links(str)
    str
  end
  
@ -36,9 +35,9 @@ class DText
      wiki_page = WikiPage.find_title_and_id(title)
      
      if wiki_page
-        %{[url=/wiki_pages/#{wiki_page.id}]#{text}[/url]}
+        %{<a href="/wiki_pages/#{wiki_page.id}">#{text}</a>}
      else
-        %{[url=/wiki_pages/new?title=#{title}]#{text}[/url]}
+        %{<a href="/wiki_pages/new?title=#{title}">#{text}</url>}
      end
    end
  end
@ -49,22 +48,22 @@ class DText
      wiki_page = WikiPage.find_title_and_id(title)
      
      if wiki_page
-        %{[url=/wiki_pages/#{wiki_page.id}]#{title}[/url]}
+        %{<a href="/wiki_pages/#{wiki_page.id}">#{title}</a>}
      else
-        %{[url=/wiki_pages/new?title=#{title}]#{title}[/url]}
+        %{<a href="/wiki_pages/new?wiki_page[title]=#{title}">#{title}</a>}
      end
    end
  end
  
  def self.parse_post_links(str)
-    str.gsub(/\{\{(.+?)\}\}/, %{[url=/posts?tags=\1]\1[/url]})
+    str.gsub(/\{\{(.+?)\}\}/, %{<a href="/posts?tags=\\1">\\1</a>})
  end
  
  def self.parse_id_links(str)
-    str = str.gsub(/\bpost #(\d+)/i, %{[url=/posts/\1]post #\1[/url]})
-    str = str.gsub(/\bforum #(\d+)/i, %{[url=/forum_posts/\1]forum #\1[/url]})
-    str = str.gsub(/\bcomment #(\d+)/i, %{[url=/comments/\1]comment #\1[/url]})
-    str = str.gsub(/\bpool #(\d+)/i, %{[url=/pools/\1]pool #\1[/url]})
+    str = str.gsub(/\bpost #(\d+)/i, %{<a href="/posts/\\1">post #\\1</a>})
+    str = str.gsub(/\bforum #(\d+)/i, %{<a href="/forum_posts/\\1">forum #\\1</a>})
+    str = str.gsub(/\bcomment #(\d+)/i, %{<a href="/comments/\\1">comment #\\1</a>})
+    str = str.gsub(/\bpool #(\d+)/i, %{<a href="/pools/\\1">pool #\\1</a>})
  end
  
  def self.parse_list(str, options = {})
@ -151,7 +150,7 @@ class DText
      end
    end

-    html.join("").html_safe
+    Sanitize.clean(html.join(""), Sanitize::Config::BASIC).html_safe
  end
 end

--- a/app/views/notes/_note.html.erb
+++ b/app/views/notes/_note.html.erb
@ -1 +1 @@
-<%= content_tag(:article, raw(note.body), "data-width" => note.width, "data-height" => note.height, "data-x" => note.x, "data-y" => note.y, "data-id" => note.id) %>
+<%= content_tag(:article, raw(Sanitize.clean(note.body)), "data-width" => note.width, "data-height" => note.height, "data-x" => note.x, "data-y" => note.y, "data-id" => note.id) %>
--- a/app/views/posts/show.html.erb
+++ b/app/views/posts/show.html.erb
@ -50,7 +50,7 @@
      </menu>

      <section id="comments">
-        <%= render "comments/partials/index/list", :comments => @post.comments, :post => @post, :show_header => false %>
+        <%= render "comments/partials/index/list", :comments => @post.comments.reverse, :post => @post, :show_header => false %>
      </section>

      <section id="notes">