Merge pull request #1864 from ErisDS/issue-1328
Disable XSS sanitization
commit
bee874d03d
4 changed files with 24 additions and 18 deletions
|
@ -51,7 +51,9 @@ Post = ghostBookshelf.Model.extend({
|
|||
|
||||
this.set('html', converter.makeHtml(this.get('markdown')));
|
||||
|
||||
this.set('title', this.sanitize('title').trim());
|
||||
// disabling sanitization until we can implement a better version
|
||||
//this.set('title', this.sanitize('title').trim());
|
||||
this.set('title', this.get('title').trim());
|
||||
|
||||
if (this.hasChanged('status') && this.get('status') === 'published') {
|
||||
if (!this.get('published_at')) {
|
||||
|
|
|
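Review bot: The replacement line `this.set('title', this.get('title').trim());` dereferences the raw attribute, so a save with no title set will throw a TypeError from `.trim()` on undefined; whether the old `this.sanitize('title')` path tolerated a missing title is not visible here, so confirm before relying on it. With sanitization gone the title is persisted exactly as submitted, which moves the XSS defence entirely to output encoding in the templates and helpers that render it. The disabling comment should say that and point at the tracking issue rather than leaving commented-out code: `// Sanitization disabled pending a better implementation (#1328): title is stored raw, so every renderer must HTML-escape it.` The enclosing `saving` function starts and ends outside this hunk.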
@ -78,10 +78,11 @@ Settings = ghostBookshelf.Model.extend({
|
|||
|
||||
saving: function () {
|
||||
|
||||
// All blog setting keys that need their values to be escaped.
|
||||
if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
|
||||
this.set('value', this.sanitize('value'));
|
||||
}
|
||||
// disabling sanitization until we can implement a better version
|
||||
// All blog setting keys that need their values to be escaped.
|
||||
// if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
|
||||
// this.set('value', this.sanitize('value'));
|
||||
// }
|
||||
|
||||
return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
|
||||
}
|
||||
|
|
|
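Review bot: The block commented out in `saving` should be deleted rather than kept as dead code; the commit message already records what was removed and the comment above it gives the reason. Since the blog `title`, `description` and `email` settings are now persisted without escaping, the note left in place should name the consequence, for example `// Sanitization disabled (#1328): blog title/description/email are stored raw and must be escaped wherever they are rendered.` The rest of the `Settings` model, including where these values are read, is outside this hunk, so I cannot confirm every consumer escapes them.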
@ -67,11 +67,13 @@ User = ghostBookshelf.Model.extend({
|
|||
|
||||
saving: function () {
|
||||
|
||||
this.set('name', this.sanitize('name'));
|
||||
this.set('email', this.sanitize('email').toLocaleLowerCase());
|
||||
this.set('location', this.sanitize('location'));
|
||||
this.set('website', this.sanitize('website'));
|
||||
this.set('bio', this.sanitize('bio'));
|
||||
// disabling sanitization until we can implement a better version
|
||||
// this.set('name', this.sanitize('name'));
|
||||
// this.set('email', this.sanitize('email').toLocaleLowerCase());
|
||||
// this.set('location', this.sanitize('location'));
|
||||
// this.set('website', this.sanitize('website'));
|
||||
// this.set('bio', this.sanitize('bio'));
|
||||
this.set('email', this.get('email').toLocaleLowerCase());
|
||||
|
||||
return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
|
||||
},
|
||||
|
|
|
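Review bot: Dropping sanitization of `website` is the riskiest of these removals, because a value such as a `javascript:` URL is not neutralised by HTML-escaping if a theme places it in an `href`; a scheme check on save (accepting only `http:`/`https:`, or rejecting anything that is not a parseable absolute URL) would close that without needing a full sanitizer. The new line `this.set('email', this.get('email').toLocaleLowerCase());` will also throw if `email` is absent on the model being saved, which presumably the old `sanitize('email')` path behaved the same way for, but it is worth a guard now that the call is explicit. The commented-out lines should be removed and replaced with a one-line note referencing #1328. The `User.saving` function body continues outside the hunk.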
@ -377,12 +377,13 @@ describe('Post Model', function () {
|
|||
}).then(null, done);
|
||||
});
|
||||
|
||||
it('should sanitize the title', function (done) {
|
||||
new PostModel().fetch().then(function (model) {
|
||||
return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
|
||||
}).then(function (saved) {
|
||||
saved.get('title').should.eql("</title></head><body>[removed]alert('blogtitle');[removed]");
|
||||
done();
|
||||
}).otherwise(done);
|
||||
});
|
||||
// disabling sanitization until we can implement a better version
|
||||
// it('should sanitize the title', function (done) {
|
||||
// new PostModel().fetch().then(function (model) {
|
||||
// return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
|
||||
// }).then(function (saved) {
|
||||
// saved.get('title').should.eql("</title></head><body>[removed]alert('blogtitle');[removed]");
|
||||
// done();
|
||||
// }).otherwise(done);
|
||||
// });
|
||||
});
|
||||
|
|
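Review bot: Commenting out `should sanitize the title` leaves the new behaviour unasserted, so a later change that reintroduces (or half-reintroduces) escaping would go unnoticed; the test should be rewritten to pin what the model now does, namely store the title verbatim after trimming. The `describe('Post Model')` block this sits in starts outside the hunk. A replacement along these lines keeps the same fixture and promise shape:

```javascript
it('should store the title unmodified now that sanitization is disabled', function (done) {
    new PostModel().fetch().then(function (model) {
        return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
    }).then(function (saved) {
        // Sanitization is disabled (#1328); the title must round-trip byte-for-byte.
        saved.get('title').should.eql("</title></head><body><script>alert('blogtitle');</script>");
        done();
    }).otherwise(done);
});
```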