Disable xss santization

issue #1378 fixes #1328 - xss santization does some odd things. This isn't needed until we have multi-user support, and we are investigating better solutions.
2024-11-23 22:11:09 +03:00 · 2014-01-06 20:17:20 +00:00 · 2014-01-06 20:17:20 +00:00 · 3f9b0fa618
commit 3f9b0fa618
parent 31db4dc75e
4 changed files with 24 additions and 18 deletions
--- a/core/server/models/post.js
+++ b/core/server/models/post.js
@ -51,7 +51,9 @@ Post = ghostBookshelf.Model.extend({
        this.set('html', converter.makeHtml(this.get('markdown')));
-        this.set('title', this.sanitize('title').trim());
+        // disabling sanitization until we can implement a better version
        //this.set('title', this.sanitize('title').trim());
        this.set('title', this.get('title').trim());
        if (this.hasChanged('status') && this.get('status') === 'published') {
            if (!this.get('published_at')) {
--- a/core/server/models/settings.js
+++ b/core/server/models/settings.js
@ -78,10 +78,11 @@ Settings = ghostBookshelf.Model.extend({
    saving: function () {
-        // All blog setting keys that need their values to be escaped.
+         // disabling sanitization until we can implement a better version
-        if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
+         // All blog setting keys that need their values to be escaped.
-            this.set('value', this.sanitize('value'));
+         // if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
-        }
+         //    this.set('value', this.sanitize('value'));
         // }
        return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
    }
--- a/core/server/models/user.js
+++ b/core/server/models/user.js
@ -67,11 +67,13 @@ User = ghostBookshelf.Model.extend({
    saving: function () {
-        this.set('name', this.sanitize('name'));
+        // disabling sanitization until we can implement a better version
-        this.set('email', this.sanitize('email').toLocaleLowerCase());
+        // this.set('name', this.sanitize('name'));
-        this.set('location', this.sanitize('location'));
+        // this.set('email', this.sanitize('email').toLocaleLowerCase());
-        this.set('website', this.sanitize('website'));
+        // this.set('location', this.sanitize('location'));
-        this.set('bio', this.sanitize('bio'));
+        // this.set('website', this.sanitize('website'));
        // this.set('bio', this.sanitize('bio'));
        this.set('email', this.get('email').toLocaleLowerCase());
        return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
    },
--- a/core/test/integration/model/model_posts_spec.js
+++ b/core/test/integration/model/model_posts_spec.js
@ -377,12 +377,13 @@ describe('Post Model', function () {
        }).then(null, done);
    });
-    it('should sanitize the title', function (done) {
+    // disabling sanitization until we can implement a better version
-        new PostModel().fetch().then(function (model) {
+    // it('should sanitize the title', function (done) {
-            return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
+    //    new PostModel().fetch().then(function (model) {
-        }).then(function (saved) {
+    //        return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
-                saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]");
+    //    }).then(function (saved) {
-                done();
+    //        saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]");
-            }).otherwise(done);
+    //        done();
-    });
+    //    }).otherwise(done);
    // });
 });