Introduces a standalone html sanitizer class (#37750).

Patch by Jens Krämer. git-svn-id: https://svn.redmine.org/redmine/trunk@21900 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-07 13:55:52 +01:00 · 2022-10-04 19:49:00 +00:00
parent a561d23bd4
commit 39151a89b6
2 changed files with 60 additions and 0 deletions
--- a/lib/redmine/wiki_formatting/html_sanitizer.rb
+++ b/lib/redmine/wiki_formatting/html_sanitizer.rb
@@ -0,0 +1,20 @@
+module Redmine
+  module WikiFormatting
+
+    # Combination of SanitizationFilter and ExternalLinksFilter
+    class HtmlSanitizer
+
+      Pipeline = HTML::Pipeline.new([
+        Redmine::WikiFormatting::CommonMark::SanitizationFilter,
+        Redmine::WikiFormatting::CommonMark::ExternalLinksFilter,
+      ], {})
+
+      def self.call(html)
+        result = Pipeline.call html
+        result[:output].to_s
+      end
+    end
+
+  end
+end
+
--- a/test/unit/lib/redmine/wiki_formatting/html_sanitizer_test.rb
+++ b/test/unit/lib/redmine/wiki_formatting/html_sanitizer_test.rb
@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+# Redmine - project management software
+# Copyright (C) 2006-2021  Jean-Philippe Lang
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+require File.expand_path('../../../../../test_helper', __FILE__)
+
+class Redmine::WikiFormatting::HtmlSanitizerTest < ActiveSupport::TestCase
+
+  def setup
+    @sanitizer = Redmine::WikiFormatting::HtmlSanitizer
+  end
+
+  def test_should_allow_links_with_safe_url_schemes_and_append_external_class
+    %w(http https ftp ssh foo).each do |scheme|
+      input = %(<a href="#{scheme}://example.org/">foo</a>)
+      assert_equal %(<a href="#{scheme}://example.org/" class="external">foo</a>), @sanitizer.call(input)
+    end
+  end
+
+  def test_should_reject_links_with_unsafe_url_schemes
+    input = %(<a href="javascript:alert('hello');">foo</a>)
+    assert_equal "<a>foo</a>", @sanitizer.call(input)
+  end
+end
+