Disable xss santization

issue #1378
fixes #1328

- XSS sanitization does some odd things. This isn't needed until we have multi-user support, and we are investigating better solutions.
Hannah Wolfe 2014-01-06 20:17:20 +00:00
parent 31db4dc75e
commit 3f9b0fa618
4 changed files with 24 additions and 18 deletions


@ -51,7 +51,9 @@ Post = ghostBookshelf.Model.extend({
this.set('html', converter.makeHtml(this.get('markdown')));
this.set('title', this.sanitize('title').trim());
// disabling sanitization until we can implement a better version
//this.set('title', this.sanitize('title').trim());
this.set('title', this.get('title').trim());
if (this.hasChanged('status') && this.get('status') === 'published') {
if (!this.get('published_at')) {
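Review bot: The title is now stored exactly as submitted (`this.set('title', this.get('title').trim());`), so protection against markup in titles depends entirely on output encoding, and nothing in this hunk records where that happens. The same applies to the Settings and User `saving` hooks changed in this commit. I would replace the commented-out line with a comment that states the contract and the tracking issue, for example `// TODO(#1378): title is stored unsanitized; every template and feed must HTML-escape it on output`. Note also that `this.get('title').trim()` throws if `title` is unset; whether `sanitize` tolerated that case is not visible here. The enclosing function starts and ends outside the hunk.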


@ -78,10 +78,11 @@ Settings = ghostBookshelf.Model.extend({
saving: function () {
// All blog setting keys that need their values to be escaped.
if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
this.set('value', this.sanitize('value'));
}
// disabling sanitization until we can implement a better version
// All blog setting keys that need their values to be escaped.
// if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
// this.set('value', this.sanitize('value'));
// }
return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
}
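Review bot: With the block commented out, this `saving` override does nothing except delegate to `ghostBookshelf.Model.prototype.saving`, and the explanatory comment "All blog setting keys that need their values to be escaped" now sits inside dead code. Commented-out code drifts from the real implementation, and the removed lines remain available in history. I would delete them and keep one line that names the affected keys and the issue, such as `// TODO(#1378): blog title/description/email are stored unescaped; escape at render time`.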


@ -67,11 +67,13 @@ User = ghostBookshelf.Model.extend({
saving: function () {
this.set('name', this.sanitize('name'));
this.set('email', this.sanitize('email').toLocaleLowerCase());
this.set('location', this.sanitize('location'));
this.set('website', this.sanitize('website'));
this.set('bio', this.sanitize('bio'));
// disabling sanitization until we can implement a better version
// this.set('name', this.sanitize('name'));
// this.set('email', this.sanitize('email').toLocaleLowerCase());
// this.set('location', this.sanitize('location'));
// this.set('website', this.sanitize('website'));
// this.set('bio', this.sanitize('bio'));
this.set('email', this.get('email').toLocaleLowerCase());
return ghostBookshelf.Model.prototype.saving.apply(this, arguments);
},
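Review bot: `website` is now saved with no check at all, and HTML-escaping at render time does not neutralise a non-http scheme if the value is later emitted as a link target. Whether `sanitize` covered this is not visible here, but an http/https allow-list at save time would not depend on the sanitizer that is being replaced. Separately, `this.set('email', this.get('email').toLocaleLowerCase());` throws a TypeError when `email` is absent from the model being saved, and `toLocaleLowerCase` depends on the host locale. A guarded, locale-independent form would be `if (this.get('email')) { this.set('email', this.get('email').toLowerCase()); }`.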


@ -377,12 +377,13 @@ describe('Post Model', function () {
}).then(null, done);
});
it('should sanitize the title', function (done) {
new PostModel().fetch().then(function (model) {
return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
}).then(function (saved) {
saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]");
done();
}).otherwise(done);
});
// disabling sanitization until we can implement a better version
// it('should sanitize the title', function (done) {
// new PostModel().fetch().then(function (model) {
// return model.set({'title': "</title></head><body><script>alert('blogtitle');</script>"}).save();
// }).then(function (saved) {
// saved.get('title').should.eql("&lt;/title&gt;&lt;/head>&lt;body&gt;[removed]alert&#40;'blogtitle'&#41;;[removed]");
// done();
// }).otherwise(done);
// });
});
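Review bot: Commenting the spec out removes the only test in this hunk that pins how a title containing markup is handled, and a commented test leaves no trace in the test report. If the runner is Mocha, `it.skip('should sanitize the title', ...)` keeps it listed as pending until the replacement sanitizer lands. It would also help to add a spec that states the interim contract explicitly, i.e. that the saved title equals the trimmed input, so a later change to storage or escaping behaviour fails a test rather than passing silently. The enclosing `describe('Post Model', ...)` starts outside the hunk.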