From 5f7685d5fde79a76b86514da4f3646b957eb4bf2 Mon Sep 17 00:00:00 2001
From: Tom Preston-Werner <tom@mojombo.com>
Date: Thu, 8 Jul 2010 18:05:20 -0700
Subject: [PATCH] Sanitize HTML output.

---
 gollum.gemspec       |  1 +
 lib/gollum.rb        | 42 +++++++++++++++++++++++++++++++++++++++++-
 lib/gollum/markup.rb | 17 +++++++----------
 test/test_markup.rb  | 40 ++++++++++++++++++++--------------------
 4 files changed, 69 insertions(+), 31 deletions(-)

diff --git a/gollum.gemspec b/gollum.gemspec
index 2071a8fa..08022da7 100644
--- a/gollum.gemspec
+++ b/gollum.gemspec
@@ -28,6 +28,7 @@ Gem::Specification.new do |s|
   s.add_dependency('albino', "~> 1.0.0")
   s.add_dependency('sinatra', "~> 1.0.0")
   s.add_dependency('mustache', [">= 0.11.2", "< 1.0.0"])
+  s.add_dependency('sanitize', "~> 1.0.0")
 
   s.add_development_dependency('shoulda')
   s.add_development_dependency('mocha')
diff --git a/lib/gollum.rb b/lib/gollum.rb
index 77064832..390b778e 100644
--- a/lib/gollum.rb
+++ b/lib/gollum.rb
@@ -1,6 +1,7 @@
 # external
 require 'grit'
 require 'github/markup'
+require 'sanitize'
 
 # internal
 require 'gollum/pagination'
@@ -12,4 +13,43 @@ require 'gollum/albino'
 
 module Gollum
   VERSION = '0.0.1'
-end
\ No newline at end of file
+
+  SANITIZATION_OPTIONS = {
+    :elements => [
+      'a', 'abbr', 'acronym', 'address', 'area', 'b', 'big',
+      'blockquote', 'br', 'button', 'caption', 'center', 'cite',
+      'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir',
+      'div', 'dl', 'dt', 'em', 'fieldset', 'font', 'form', 'h1',
+      'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'input',
+      'ins', 'kbd', 'label', 'legend', 'li', 'map', 'menu',
+      'ol', 'optgroup', 'option', 'p', 'pre', 'q', 's', 'samp',
+      'select', 'small', 'span', 'strike', 'strong', 'sub',
+      'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th',
+      'thead', 'tr', 'tt', 'u', 'ul', 'var'
+    ],
+    :attributes => {
+      :all => ['abbr', 'accept', 'accept-charset',
+               'accesskey', 'action', 'align', 'alt', 'axis',
+               'border', 'cellpadding', 'cellspacing', 'char',
+               'charoff', 'charset', 'checked', 'cite',
+               'class', 'clear', 'cols', 'colspan', 'color',
+               'compact', 'coords', 'datetime', 'dir',
+               'disabled', 'enctype', 'for', 'frame',
+               'headers', 'height', 'href', 'hreflang',
+               'hspace', 'id', 'ismap', 'label', 'lang',
+               'longdesc', 'maxlength', 'media', 'method',
+               'multiple', 'name', 'nohref', 'noshade',
+               'nowrap', 'prompt', 'readonly', 'rel', 'rev',
+               'rows', 'rowspan', 'rules', 'scope',
+               'selected', 'shape', 'size', 'span', 'src',
+               'start', 'summary', 'tabindex', 'target',
+               'title', 'type', 'usemap', 'valign', 'value',
+               'vspace', 'width']
+    },
+    :protocols => {
+      'a' => {'href' => ['http', 'https', 'mailto', :relative]},
+      'img' => {'href' => ['http', 'https', :relative]}
+    }
+  }
+end
+
diff --git a/lib/gollum/markup.rb b/lib/gollum/markup.rb
index ba2f73d8..d258c8c5 100644
--- a/lib/gollum/markup.rb
+++ b/lib/gollum/markup.rb
@@ -27,6 +27,9 @@ module Gollum
       data = GitHub::Markup.render(@name, data) rescue ''
       data = process_tags(data)
       data = process_code(data)
+      data = Sanitize.clean(data, SANITIZATION_OPTIONS)
+      data = data.gsub(/<p><\/p>/, '')
+      data
     end
 
     #########################################################################
@@ -100,7 +103,6 @@ module Gollum
 
         classes = [] # applied to whatever the outermost container is
         attrs = []   # applied to the image
-        styles = []  # applied to the image
 
         align = opts['align']
         if opts['float']
@@ -120,13 +122,13 @@ module Gollum
 
         if width = opts['width']
           if width =~ /^\d+(\.\d+)?(em|px)$/
-            styles << "max-width: #{width};"
+            attrs << %{width="#{width}"}
           end
         end
 
         if height = opts['height']
           if height =~ /^\d+(\.\d+)?(em|px)$/
-            styles << "max-height: #{height};"
+            attrs << %{height="#{height}"}
           end
         end
 
@@ -136,21 +138,16 @@ module Gollum
 
         attr_string = attrs.size > 0 ? attrs.join(' ') + ' ' : ''
 
-        style_string = ''
-        unless styles.empty?
-          style_string = %{ style="#{styles.join(' ')}"}
-        end
-
         if opts['frame'] || containered
           classes << 'frame' if opts['frame']
           %{<span class="#{classes.join(' ')}">} +
           %{<span>} +
-          %{<img src="/#{file.path}"#{style_string} #{attr_string}/>} +
+          %{<img src="/#{file.path}" #{attr_string}/>} +
           (alt ? %{<span>#{alt}</span>} : '') +
           %{</span>} +
           %{</span>}
         else
-          %{<img src="#{path}"#{style_string} #{attr_string}/>}
+          %{<img src="#{path}" #{attr_string}/>}
         end
       end
     end
diff --git a/test/test_markup.rb b/test/test_markup.rb
index 41b00e30..316668c4 100644
--- a/test/test_markup.rb
+++ b/test/test_markup.rb
@@ -21,7 +21,7 @@ context "Markup" do
 
     page = @wiki.page("Bilbo Baggins")
     output = Gollum::Markup.new(page).render
-    assert_equal %{<p>a <a class="internal present" href="Bilbo-Baggins">Bilbo Baggins</a> b</p>\n}, output
+    assert_equal %{<p>a <a class="internal present" href="Bilbo-Baggins">Bilbo Baggins</a> b</p>}, output
   end
 
   test "absent page link" do
@@ -29,7 +29,7 @@ context "Markup" do
 
     page = @wiki.page("Tolkien")
     output = Gollum::Markup.new(page).render
-    assert_equal %{<p>a <a class="internal absent" href="J.-R.-R.-Tolkien">J. R. R. Tolkien</a>'s b</p>\n}, output
+    assert_equal %{<p>a <a class="internal absent" href="J.-R.-R.-Tolkien">J. R. R. Tolkien</a>'s b</p>}, output
   end
 
   test "image with http url" do
@@ -38,7 +38,7 @@ context "Markup" do
 
       page = @wiki.page("Bilbo Baggins")
       output = Gollum::Markup.new(page).render
-      assert_equal %{<p>a <img src="#{scheme}://example.com/bilbo.jpg" /> b</p>\n}, output
+      assert_equal %{<p>a <img src="#{scheme}://example.com/bilbo.jpg" /> b</p>}, output
     end
   end
 
@@ -50,7 +50,7 @@ context "Markup" do
 
     page = @wiki.page("Bilbo Baggins")
     output = Gollum::Markup.new(page).render
-    assert_equal %{<p>a <img src="/alpha.jpg" /> b</p>\n}, output
+    assert_equal %{<p>a <img src="/alpha.jpg" /> b</p>}, output
   end
 
   test "image with relative path" do
@@ -61,12 +61,12 @@ context "Markup" do
 
     page = @wiki.page("Bilbo Baggins")
     output = Gollum::Markup.new(page).render
-    assert_equal %{<p>a <img src="/greek/alpha.jpg" /> b</p>\n}, output
+    assert_equal %{<p>a <img src="/greek/alpha.jpg" /> b</p>}, output
   end
 
   test "image with alt" do
     content = "a [[alpha.jpg|alt=Alpha Dog]] b"
-    output = %{<p>a <img src="/greek/alpha.jpg" alt="Alpha Dog" /> b</p>\n}
+    output = %{<p>a <img src="/greek/alpha.jpg" alt="Alpha Dog" /> b</p>}
     relative_image(content, output)
   end
 
@@ -74,7 +74,7 @@ context "Markup" do
     %w{em px}.each do |unit|
       %w{width height}.each do |dim|
         content = "a [[alpha.jpg|#{dim}=100#{unit}]] b"
-        output = "<p>a <img src=\"/greek/alpha.jpg\" style=\"max-#{dim}: 100#{unit};\" /> b</p>\n"
+        output = "<p>a <img src=\"/greek/alpha.jpg\" #{dim}=\"100#{unit}\" /> b</p>"
         relative_image(content, output)
       end
     end
@@ -83,7 +83,7 @@ context "Markup" do
   test "image with bogus dimension" do
     %w{width height}.each do |dim|
       content = "a [[alpha.jpg|#{dim}=100]] b"
-      output = "<p>a <img src=\"/greek/alpha.jpg\" /> b</p>\n"
+      output = "<p>a <img src=\"/greek/alpha.jpg\" /> b</p>"
       relative_image(content, output)
     end
   end
@@ -91,7 +91,7 @@ context "Markup" do
   test "image with vertical align" do
     %w{top texttop middle absmiddle bottom absbottom baseline}.each do |align|
       content = "a [[alpha.jpg|align=#{align}]] b"
-      output = "<p>a <img src=\"/greek/alpha.jpg\" align=\"#{align}\" /> b</p>\n"
+      output = "<p>a <img src=\"/greek/alpha.jpg\" align=\"#{align}\" /> b</p>"
       relative_image(content, output)
     end
   end
@@ -99,34 +99,34 @@ context "Markup" do
   test "image with horizontal align" do
     %w{left center right}.each do |align|
       content = "a [[alpha.jpg|align=#{align}]] b"
-      output = "<p>a <span class=\"align-#{align}\"><span><img src=\"/greek/alpha.jpg\" /></span></span> b</p>\n"
+      output = "<p>a <span class=\"align-#{align}\"><span><img src=\"/greek/alpha.jpg\" /></span></span> b</p>"
       relative_image(content, output)
     end
   end
 
   test "image with float" do
     content = "a\n\n[[alpha.jpg|float]]\n\nb"
-    output = "<p>a</p>\n\n<p><span class=\"float-left\"><span><img src=\"/greek/alpha.jpg\" /></span></span></p>\n\n<p>b</p>\n"
+    output = "<p>a</p>\n\n<p><span class=\"float-left\"><span><img src=\"/greek/alpha.jpg\" /></span></span></p>\n\n<p>b</p>"
     relative_image(content, output)
   end
 
   test "image with float and align" do
     %w{left right}.each do |align|
       content = "a\n\n[[alpha.jpg|float|align=#{align}]]\n\nb"
-      output = "<p>a</p>\n\n<p><span class=\"float-#{align}\"><span><img src=\"/greek/alpha.jpg\" /></span></span></p>\n\n<p>b</p>\n"
+      output = "<p>a</p>\n\n<p><span class=\"float-#{align}\"><span><img src=\"/greek/alpha.jpg\" /></span></span></p>\n\n<p>b</p>"
       relative_image(content, output)
     end
   end
 
   test "image with frame" do
     content = "a\n\n[[alpha.jpg|frame]]\n\nb"
-    output = "<p>a</p>\n\n<p><span class=\"frame\"><span><img src=\"/greek/alpha.jpg\" /></span></span></p>\n\n<p>b</p>\n"
+    output = "<p>a</p>\n\n<p><span class=\"frame\"><span><img src=\"/greek/alpha.jpg\" /></span></span></p>\n\n<p>b</p>"
     relative_image(content, output)
   end
 
   test "image with frame and alt" do
     content = "a\n\n[[alpha.jpg|frame|alt=Alpha]]\n\nb"
-    output = "<p>a</p>\n\n<p><span class=\"frame\"><span><img src=\"/greek/alpha.jpg\" alt=\"Alpha\" /><span>Alpha</span></span></span></p>\n\n<p>b</p>\n"
+    output = "<p>a</p>\n\n<p><span class=\"frame\"><span><img src=\"/greek/alpha.jpg\" alt=\"Alpha\" /><span>Alpha</span></span></span></p>\n\n<p>b</p>"
     relative_image(content, output)
   end
 
@@ -138,7 +138,7 @@ context "Markup" do
 
     page = @wiki.page("Bilbo Baggins")
     output = Gollum::Markup.new(page).render
-    assert_equal %{<p>a <a href="/alpha.jpg">Alpha</a> b</p>\n}, output
+    assert_equal %{<p>a <a href="/alpha.jpg">Alpha</a> b</p>}, output
   end
 
   test "file link with relative path" do
@@ -149,14 +149,14 @@ context "Markup" do
 
     page = @wiki.page("Bilbo Baggins")
     output = Gollum::Markup.new(page).render
-    assert_equal %{<p>a <a href="/greek/alpha.jpg">Alpha</a> b</p>\n}, output
+    assert_equal %{<p>a <a href="/greek/alpha.jpg">Alpha</a> b</p>}, output
   end
 
   test "code blocks" do
     content = "a\n\n```ruby\nx = 1\n```\n\nb"
-    output = "<p>a</p>\n\n<p><div class=\"highlight\"><pre>" +
+    output = "<p>a</p>\n\n<div class=\"highlight\"><pre>" +
              "<span class=\"n\">x</span> <span class=\"o\">=</span> " +
-             "<span class=\"mi\">1</span>\n</pre>\n</div></p>\n\n<p>b</p>\n"
+             "<span class=\"mi\">1</span>\n</pre>\n</div>\n\n<p>b</p>"
 
     index = @wiki.repo.index
     index.add("Bilbo-Baggins.md", content)
@@ -169,9 +169,9 @@ context "Markup" do
 
   test "code blocks with carriage returns" do
     content = "a\r\n\r\n```ruby\r\nx = 1\r\n```\r\n\r\nb"
-    output = "<p>a</p>\n\n<p><div class=\"highlight\"><pre>" +
+    output = "<p>a</p>\n\n<div class=\"highlight\"><pre>" +
              "<span class=\"n\">x</span> <span class=\"o\">=</span> " +
-             "<span class=\"mi\">1</span>\n</pre>\n</div></p>\n\n<p>b</p>\n"
+             "<span class=\"mi\">1</span>\n</pre>\n</div>\n\n<p>b</p>"
 
     index = @wiki.repo.index
     index.add("Bilbo-Baggins.md", content)