| author | Patrick J Cherry <patrick@bytemark.co.uk> | 2012-04-20 14:25:47 +0100 | 
|---|---|---|
| committer | Patrick J Cherry <patrick@bytemark.co.uk> | 2012-04-20 14:25:47 +0100 | 
| commit | 83860784c1d184dd6afa680aeff2e06d65f50b8d (patch) | |
| tree | 77be135d42162d690c502a0043988ec0a7225d9a /lib | |
| parent | 4c99233f3b3112cd2be5ab6fd5d6e7c1c344406b (diff) | |
Further tinkering with when to Sanitize html -- now only done if the
attribute has been changed.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/mauve/alert.rb | 38 | 
1 files changed, 21 insertions, 17 deletions
diff --git a/lib/mauve/alert.rb b/lib/mauve/alert.rb
index 28079a2..f249913 100644
--- a/lib/mauve/alert.rb
+++ b/lib/mauve/alert.rb
@@ -297,6 +297,7 @@ module Mauve
       attributes.each do |key, val|
         next if html_permitted_in.include?(key)
+        next unless attribute_dirty?(key)
         next unless val.is_a?(String)
         attribute_set(key, Alert.remove_html(val))
@@ -304,6 +305,7 @@ module Mauve
       attributes.each do |key, val|
         next unless html_permitted_in.include?(key)
+        next unless attribute_dirty?(key)
         next unless val.is_a?(String)
         attribute_set(key, Alert.clean_html(val))
@@ -607,29 +609,31 @@ module Mauve
     end
     class << self
-     
-      # Removes HTML from a string
+
+      # Removes or cleans HTML from a string
       #
-      # @param [String] txt String to clean
+      #
+      # @param  [String] str   String to clean
+      # @param  [Hash]   conf  Sanitize::Config thingy
       # @return [String]
-      def remove_html(txt)
-        Sanitize.clean(
-          txt.to_s,
-          Sanitize::Config::DEFAULT
-        )
+      def remove_html(str, conf = Sanitize::Config::DEFAULT)
+        raise ArgumentError, "Expected a string, got a #{str.class}" unless str.is_a?(String)
+
+        if str =~ /<[^0-9 <&.-]/
+          Sanitize.clean( str, conf )
+        else
+          str
+        end
       end
       # Cleans HTML in a string, removing dangerous elements/contents.
       #
-      # @param [String] txt String to clean
+      # @param  [String] str String to clean
       # @return [String]
-      def clean_html(txt)
-        Sanitize.clean(
-          txt.to_s,
-         Sanitize::Config::RELAXED.merge({:remove_contents => true})
-        )
+      def clean_html(str)
+        remove_html(str, Sanitize::Config::RELAXED.merge({:remove_contents => true}))
       end
-     
+
       # All alerts currently raised
       #
       # @return [Array]
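Review bot: The added `next unless attribute_dirty?(key)` in the remove_html save hook means a value is sanitized only on the write that changes it, so rows persisted before this commit, or values set through a path that does not mark the attribute dirty, are trusted as already clean on every later save; that is presumably intended, but the hook carries no comment saying so. I would add above the loop `# Only sanitize attributes changed in this save; values already persisted are assumed clean from their original write.` The same applies to the second hunk, where the clean_html hook gains the identical check. Both enclosing hook methods start and end outside these hunks.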
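Review bot: The new fast path in remove_html returns `str` untouched whenever `/<[^0-9 <&.-]/` does not match, so input with no tag-like `<` no longer goes through Sanitize at all; previously every value went through `Sanitize.clean`, which also entity-encodes stray `&` and `>`, so a consumer that treated the result as already HTML-escaped (not visible in this hunk) now receives raw text, and the skip happens regardless of which `conf` was passed, including the RELAXED config from clean_html. The character class encodes an assumption about what can open an HTML tag and deserves a comment above the `if`, e.g. `# Fast path: skip Sanitize unless '<' is followed by something that could open a tag; '<' before a digit, space, '&', '.', '-' or another '<' is plain text and is left as-is (and not entity-encoded).` The YARD line for `conf` should say what it is rather than "thingy", e.g. `# @param  [Hash]   conf  Sanitize configuration hash passed to Sanitize.clean (default Sanitize::Config::DEFAULT)`. Note also that the new ArgumentError means nil is no longer accepted, which the callers in the later hunks compensate for with `.to_s`.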
@@ -725,7 +729,7 @@ module Mauve
         # Make sure there is no HTML in the update source.  Need to do this
         # here because we use the html-free version in the database save hook. 
         #
-        update.source = Alert.remove_html(update.source)
+        update.source = Alert.remove_html(update.source.to_s)
         # Update each alert supplied
         #
@@ -749,7 +753,7 @@ module Mauve
           # because of the database save hook will clear it out, causing this
           # search to fail.
           #
-          alert.id = Alert.remove_html(alert.id)
+          alert.id = Alert.remove_html(alert.id.to_s)
           alert_db = first(:alert_id => alert.id, :source => update.source) ||
             new(:alert_id => alert.id, :source => update.source)
