From 3f9b0fa618183425c2c727a1606bc2b34cc79be8 Mon Sep 17 00:00:00 2001
From: Hannah Wolfe
Date: Mon, 6 Jan 2014 20:17:20 +0000
Subject: [PATCH] Disable xss santization issue #1378 fixes #1328 - xss santization does some odd things. This isn't needed until we have multi-user support, and we are investigating better solutions.
---
 core/server/models/post.js | 4 +++-
 core/server/models/settings.js | 9 +++++----
 core/server/models/user.js | 12 +++++++-----
 core/test/integration/model/model_posts_spec.js | 17 +++++++++--------
 4 files changed, 24 insertions(+), 18 deletions(-)
diff --git a/core/server/models/post.js b/core/server/models/post.js
index d4dd4af09e..394e8fc807 100644
--- a/core/server/models/post.js
+++ b/core/server/models/post.js
@@ -51,7 +51,9 @@ Post = ghostBookshelf.Model.extend({
 this.set('html', converter.makeHtml(this.get('markdown')));
- this.set('title', this.sanitize('title').trim());
+ // disabling sanitization until we can implement a better version
+ //this.set('title', this.sanitize('title').trim());
+ this.set('title', this.get('title').trim());
 if (this.hasChanged('status') && this.get('status') === 'published') {
 if (!this.get('published_at')) {
diff --git a/core/server/models/settings.js b/core/server/models/settings.js
index 92b4b425b4..8c0e89f230 100644
--- a/core/server/models/settings.js
+++ b/core/server/models/settings.js
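Review bot: The new `this.set('title', this.get('title').trim())` line throws a TypeError when `title` is unset, so a post saved without a title now fails inside `saving` rather than wherever the model validates it; `user.js` has the same shape in `this.get('email').toLocaleLowerCase()`. Whether `sanitize('title')` tolerated a missing value before cannot be seen from the hunk, so if it did, guard the new line, e.g. `this.set('title', (this.get('title') || '').trim());`. The replacement comment also leaves the reader without the important fact that the title is now persisted exactly as submitted; suggest extending it to `// title is stored unescaped until sanitization is reinstated; templates must escape it on output`. The enclosing `saving` function starts and ends outside this hunk.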
@@ -78,10 +78,11 @@ Settings = ghostBookshelf.Model.extend({
 saving: function () {
- // All blog setting keys that need their values to be escaped.
- if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
- this.set('value', this.sanitize('value'));
- }
+ // disabling sanitization until we can implement a better version
+ // All blog setting keys that need their values to be escaped.
+ // if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
+ // this.set('value', this.sanitize('value'));
+ // }
 return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
 }
diff --git a/core/server/models/user.js b/core/server/models/user.js
index d1c317c91d..8c45de05d6 100644
--- a/core/server/models/user.js
+++ b/core/server/models/user.js
@@ -67,11 +67,13 @@ User = ghostBookshelf.Model.extend({
 saving: function () {
- this.set('name', this.sanitize('name'));
- this.set('email', this.sanitize('email').toLocaleLowerCase());
- this.set('location', this.sanitize('location'));
- this.set('website', this.sanitize('website'));
- this.set('bio', this.sanitize('bio'));
+ // disabling sanitization until we can implement a better version
+ // this.set('name', this.sanitize('name'));
+ // this.set('email', this.sanitize('email').toLocaleLowerCase());
+ // this.set('location', this.sanitize('location'));
+ // this.set('website', this.sanitize('website'));
+ // this.set('bio', this.sanitize('bio'));
+ this.set('email', this.get('email').toLocaleLowerCase());
 return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
 },
diff --git a/core/test/integration/model/model_posts_spec.js b/core/test/integration/model/model_posts_spec.js
index f926cb6ab2..a635224a75 100644
--- a/core/test/integration/model/model_posts_spec.js
+++ b/core/test/integration/model/model_posts_spec.js
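Review bot: With the `_.contains` call commented out, `_` may no longer be referenced anywhere in settings.js; if that is the case the underscore `require` is now a dead import that lint will flag, and `saving` reduces to the plain `super` call. The five commented-out lines preserve old code rather than the contract that matters now: the blog `title`, `description` and `email` settings are stored exactly as submitted, so every template that renders them has to rely on escaped output. Suggest replacing the commented block with a comment that states this, e.g. `// Values are stored unescaped; templates must escape blog title/description/email on output.`, and leaving the previous implementation to git history.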
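Review bot: The added `this.set('email', this.get('email').toLocaleLowerCase())` line folds case with the locale-sensitive variant, which for an address used as a login identifier can produce different results depending on the process locale (the classic dotted/dotless i case); `this.set('email', this.get('email').toLowerCase());` gives a stable key. The hunk also drops escaping for `name`, `location`, `website` and `bio` without adding anything that constrains them, and `website` is presumably rendered into a link, so its safety now rests entirely on the template layer. A comment naming that dependency would help the next reader, e.g. `// name/location/website/bio are stored as submitted; escape on output`.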
@@ -377,12 +377,13 @@ describe('Post Model', function () {
 }).then(null, done);
 });
- it('should sanitize the title', function (done) {
- new PostModel().fetch().then(function (model) {
- return model.set({'title': ""}).save();
- }).then(function (saved) {
- saved.get('title').should.eql("</title></head><body>[removed]alert('blogtitle');[removed]");
- done();
- }).otherwise(done);
- });
+ // disabling sanitization until we can implement a better version
+ // it('should sanitize the title', function (done) {
+ // new PostModel().fetch().then(function (model) {
+ // return model.set({'title': ""}).save();
+ // }).then(function (saved) {
+ // saved.get('title').should.eql("</title></head><body>[removed]alert('blogtitle');[removed]");
+ // done();
+ // }).otherwise(done);
+ // });
 });
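Review bot: Commenting out the test leaves the new contract of `Post.saving` — the title is stored verbatim apart from trimming — without any coverage, and the hunk adds no replacement. Rather than a commented block, add a test that saves a title with leading and trailing whitespace and asserts that `saved.get('title')` equals the trimmed input and is otherwise unchanged; that also documents the intended behaviour for whoever reinstates sanitization later. The `describe('Post Model', …)` block enclosing this test starts before the hunk.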