Navigation

← Previous Changeset
Next Changeset →

Changeset 5766

Timestamp:

05/28/08 13:29:30 (2 years ago)

Author:

uta

Message:

2008/05/28 sync

Files:

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

plugins/rails_protection/trunk/rails_protection/lib/custom_sanitizer_rules/tiny_mce.rb

r5711	r5766
3	3	:class => /\A[-_a-zA-Z0-9]+\Z/mn,
4	4	:href => %r(\A(?:http\|https\|ftp)://\|\A/(?:images\|javascripts\|stylesheets))mn,
	5	:id => /\A[a-zA-Z][a-zA-Z0-9_:.-]*\Z/mn,
5	6	:name => /\A[-_a-zA-Z0-9]+\Z/mn,
6	7	:target => /\A_self\|_blank\z/mn,
7	8	:title => /.+/mn,
8	9	:type => /.+/mn,
9		~~:id => /.+/mn,~~
10	10	},
11	11	:b => {
…	…
28	28	:class => /\A[-_a-zA-Z0-9]+\Z/mn,
29	29	:style => {
	30	:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
30	31	:'border-style' => /\Adashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\Z/mn,
31	32	:'border-width' => /\A[0-9]+px\Z/mn,
…	…
37	38	:'overflow' => /\Aauto\|hidden\|scroll\|visible\Z/mn,
38	39	:'white-space' => /\Anormal\|nowrap\|pre\Z/mn,
39		:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
40	40	},
41	41	},
…	…
119	119	:height => /\A[1-4]?[0-9]?[0-9]\Z/mn,
120	120	:hspace => /\A[0-9]\Z/mn,
	121	:id => /\A[a-zA-Z][a-zA-Z0-9_:.-]*\Z/mn,
121	122	:src => %r(/stream/[0-9]+\z\|\.(?:gif\|jpe?g\|png)(?:\?[0-9]+)?\z)mn,
122	123	:title => /.+/mn,
123	124	:vspace => /\A[0-9]\Z/mn,
124	125	:width => /\A[1-6]?[0-9]?[0-9]\Z/mn,
125		~~:id => /.+/mn,~~
126	126	},
127	127	:li => {
…	…
203	203	:style => {
204	204	:'background-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
205		:'border-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
206		:'border-width' => /\A[0-9]px\Z/mn,
207		:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
	205	:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
	206	:'border-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
	207	:'border-width' => /\A[0-9]px\Z/mn,
	208	:'height' => /\A([1-4]?[0-9]?[0-9](px)?\|([1-9]?[0-9]\|100)%)\Z/mn,
	209	:'width' => /\A([1-6]?[0-9]?[0-9](px)?\|([1-9]?[0-9]\|100)%)\Z/mn,
208	210	},
209	211	:summary => /.+/mn,
…	…
222	224	:style => {
223	225	:'background-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
224		:'border~~-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))~~\Z/mn,
225		:'border-~~width' => /\A[0-9]px~~\Z/mn,
226		:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
	226	:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
	227	:'border-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
	228	:'border-width' => /\A[0-9]px\Z/mn,
227	229	},
228	230	:valign => /\Atop\|middle\|bottom\Z/mn,
…	…
241	243	:style => {
242	244	:'background-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
	245	:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
243	246	:'border-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
244	247	:'border-width' => /\A[0-9]px\Z/mn,
…	…
257	260	:style => {
258	261	:'background-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
	262	:'border' => /\A((dashed\|dotted\|double\|groove\|hidden\|inset\|none\|outset\|ridge\|solid\|[a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s\)\|[0-9]+px)\s){1,3}\Z/mn,
259	263	:'border-color' => /\A([a-z]{3,20}\|#[a-fA-F0-9]{3}\|#[a-fA-F0-9]{6}\|rgb\s\(\s[0-9]{3}\s,\s[0-9]{3}\s,\s[0-9]{3}\s*\))\Z/mn,
260	264	:'border-width' => /\A[0-9]px\Z/mn,

plugins/rails_protection/trunk/rails_protection/lib/rails_protection_for_csrf.rb

r4936	r5766
3	3	module ActionControllerMethods #:nodoc:
4	4	def protection_for_csrf
5		if ENV['RAILS_ENV'] != 'test' && request.method == :post && params[:rails_protection_session_id] != session.session_id
6		raise RailsProtection::Csrf::SessionValidateException
	5	unless ENV['RAILS_ENV'] == 'test'
	6	case request.method
	7	when :post, :put, :delete
	8	raise RailsProtection::Csrf::SessionValidateException unless params[:rails_protection_session_id] == session.session_id
	9	else
	10	Thread.current[:rails_protection_refuse_update] = true if session[:rails_protection_ignore_csrf_validation].blank?
	11	end
	12	session[:rails_protection_ignore_csrf_validation] = nil
7	13	end
8	14	end
…	…
59	65	end
60	66
	67	module ActiveRecordMethods #:nodoc:
	68	def validate_for_csrf
	69	raise RailsProtection::Csrf::SessionValidateException if Thread.current[:rails_protection_refuse_update] && self.ignore_csrf_validation.blank?
	70	end
	71	end
	72
61	73	class SessionValidateException < ::ActionController::ActionControllerError
62	74	end
…	…
64	76	end
65	77
	78	::ActionController::Base.class_eval do
	79	alias :rails_protection_redirect_to_original :redirect_to unless method_defined?(:rails_protection_redirect_to_original)
	80	def redirect_to(options = {}, *parameters_for_method_reference)
	81	case request.method
	82	when :post, :put, :delete
	83	session[:rails_protection_ignore_csrf_validation] = true
	84	end
	85	rails_protection_redirect_to_original(options, *parameters_for_method_reference)
	86	end
	87	end
66	88	::ActionController::Base.send(:include, RailsProtection::Csrf::ActionControllerMethods)
67	89	::ActionController::Base.class_eval do
…	…
73	95	end
74	96	::ActionView::Base.send(:include, RailsProtection::Csrf::ActionViewMethods)
	97
	98	::ActiveRecord::Base.send(:include, RailsProtection::Csrf::ActiveRecordMethods)
	99	::ActiveRecord::Base.class_eval do
	100	attr_accessor :ignore_csrf_validation
	101	before_destroy :validate_for_csrf
	102	before_save :validate_for_csrf
	103	end

Navigation

Changeset 5766

Legend:

plugins/rails_protection/trunk/rails_protection/lib/custom_sanitizer_rules/tiny_mce.rb

plugins/rails_protection/trunk/rails_protection/lib/rails_protection_for_csrf.rb

Download in other formats: