0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-27 22:49:56 -05:00

Merge pull request #1864 from ErisDS/issue-1328

Disable xss santization
This commit is contained in:
Hannah Wolfe 2014-01-06 13:36:00 -08:00
commit bee874d03d
4 changed files with 24 additions and 18 deletions

View file

@ -51,7 +51,9 @@ Post = ghostBookshelf.Model.extend({
this.set('html', converter.makeHtml(this.get('markdown'))); this.set('html', converter.makeHtml(this.get('markdown')));
this.set('title', this.sanitize('title').trim()); // disabling sanitization until we can implement a better version
//this.set('title', this.sanitize('title').trim());
this.set('title', this.get('title').trim());
if (this.hasChanged('status') && this.get('status') === 'published') { if (this.hasChanged('status') && this.get('status') === 'published') {
if (!this.get('published_at')) { if (!this.get('published_at')) {

View file

@ -78,10 +78,11 @@ Settings = ghostBookshelf.Model.extend({
saving: function () { saving: function () {
// All blog setting keys that need their values to be escaped. // disabling sanitization until we can implement a better version
if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) { // All blog setting keys that need their values to be escaped.
this.set('value', this.sanitize('value')); // if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
} // this.set('value', this.sanitize('value'));
// }
return ghostBookshelf.Model.prototype.saving.apply(this, arguments); return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
} }

View file

@ -67,11 +67,13 @@ User = ghostBookshelf.Model.extend({
saving: function () { saving: function () {
this.set('name', this.sanitize('name')); // disabling sanitization until we can implement a better version
this.set('email', this.sanitize('email').toLocaleLowerCase()); // this.set('name', this.sanitize('name'));
this.set('location', this.sanitize('location')); // this.set('email', this.sanitize('email').toLocaleLowerCase());
this.set('website', this.sanitize('website')); // this.set('location', this.sanitize('location'));
this.set('bio', this.sanitize('bio')); // this.set('website', this.sanitize('website'));
// this.set('bio', this.sanitize('bio'));
this.set('email', this.get('email').toLocaleLowerCase());
return ghostBookshelf.Model.prototype.saving.apply(this, arguments); return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
}, },

View file

@ -377,12 +377,13 @@ describe('Post Model', function () {
}).then(null, done); }).then(null, done);
}); });
it('should sanitize the title', function (done) { // disabling sanitization until we can implement a better version
new PostModel().fetch().then(function (model) { // it('should sanitize the title', function (done) {
return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save(); // new PostModel().fetch().then(function (model) {
}).then(function (saved) { // return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]"); // }).then(function (saved) {
done(); // saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]");
}).otherwise(done); // done();
}); // }).otherwise(done);
// });
}); });