0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-13 22:41:32 -05:00

Merge pull request #1864 from ErisDS/issue-1328

Disable xss santization
This commit is contained in:
Hannah Wolfe 2014-01-06 13:36:00 -08:00
commit bee874d03d
4 changed files with 24 additions and 18 deletions

View file

@ -51,7 +51,9 @@ Post = ghostBookshelf.Model.extend({
this.set('html', converter.makeHtml(this.get('markdown')));
this.set('title', this.sanitize('title').trim());
// disabling sanitization until we can implement a better version
//this.set('title', this.sanitize('title').trim());
this.set('title', this.get('title').trim());
if (this.hasChanged('status') && this.get('status') === 'published') {
if (!this.get('published_at')) {

View file

@ -78,10 +78,11 @@ Settings = ghostBookshelf.Model.extend({
saving: function () {
// All blog setting keys that need their values to be escaped.
if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
this.set('value', this.sanitize('value'));
}
// disabling sanitization until we can implement a better version
// All blog setting keys that need their values to be escaped.
// if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
// this.set('value', this.sanitize('value'));
// }
return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
}

View file

@ -67,11 +67,13 @@ User = ghostBookshelf.Model.extend({
saving: function () {
this.set('name', this.sanitize('name'));
this.set('email', this.sanitize('email').toLocaleLowerCase());
this.set('location', this.sanitize('location'));
this.set('website', this.sanitize('website'));
this.set('bio', this.sanitize('bio'));
// disabling sanitization until we can implement a better version
// this.set('name', this.sanitize('name'));
// this.set('email', this.sanitize('email').toLocaleLowerCase());
// this.set('location', this.sanitize('location'));
// this.set('website', this.sanitize('website'));
// this.set('bio', this.sanitize('bio'));
this.set('email', this.get('email').toLocaleLowerCase());
return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
},

View file

@ -377,12 +377,13 @@ describe('Post Model', function () {
}).then(null, done);
});
it('should sanitize the title', function (done) {
new PostModel().fetch().then(function (model) {
return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
}).then(function (saved) {
saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]");
done();
}).otherwise(done);
});
// disabling sanitization until we can implement a better version
// it('should sanitize the title', function (done) {
// new PostModel().fetch().then(function (model) {
// return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
// }).then(function (saved) {
// saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]");
// done();
// }).otherwise(done);
// });
});