From 831dcefcbd24b7156870d0736ca94bcf242b2d8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Gaya?= <sebastien.gaya@gmail.com>
Date: Tue, 9 Nov 2021 15:52:57 +0100
Subject: [PATCH] fix sanitize allowed tags and attributes + active storage direct url in kamifusen tag inside post & page text

---
 app/views/active_storage/blobs/_blob.html.erb | 2 +-
 config/application.rb | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/views/active_storage/blobs/_blob.html.erb b/app/views/active_storage/blobs/_blob.html.erb
index 740232e68..37bd818aa 100644
--- a/app/views/active_storage/blobs/_blob.html.erb
+++ b/app/views/active_storage/blobs/_blob.html.erb
@@ -1,6 +1,6 @@
 <figure class="attachment attachment--<%= blob.variable? ? "preview" : "file" %> attachment--<%= blob.filename.extension %>">
 <% if blob.image? %>
- <%= kamifusen_tag blob, width: 800 %>
+ <%= kamifusen_tag blob, width: 800, active_storage_direct_url: true %>
 <% elsif blob.video? %>
 <video>
 <source src="<%= rails_blob_path(blob) %>" type="<%= blob.content_type %>">
diff --git a/config/application.rb b/config/application.rb
index 41bc52487..c493e143e 100644
--- a/config/application.rb
+++ b/config/application.rb
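Review bot: The `<video>` branch three lines below the changed line still points its `<source>` at `rails_blob_path(blob)`, so after this change only image attachments get a direct storage URL while videos keep going through the blob redirect; if that asymmetry is intended, a one-line comment on the `kamifusen_tag` line saying why images differ would save the next reader a question, otherwise the video branch presumably wants the same treatment. Separately, if `active_storage_direct_url: true` emits a signed service URL with an expiry and this partial's output is persisted inside post/page text rather than rendered on every request, those URLs will silently break once they expire — worth confirming against the storage service configuration before relying on it. The `<figure>` element closes outside the hunk.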
@@ -48,8 +48,16 @@ module Osuny
 authentication: :plain
 }
- config.action_view.sanitized_allowed_tags = ['strong', 'em', 'b', 'i', 'u', 'p', 'code', 'pre', 'tt', 'samp', 'kbd', 'var', 'sub', 'sup', 'dfn', 'cite', 'big', 'small', 'address', 'hr', 'br', 'div', 'span', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'ul', 'ol', 'li', 'dl', 'dt', 'dd', 'abbr', 'acronym', 'a', 'img', 'blockquote', 'del', 'ins', 'picture']
- config.action_view.sanitized_allowed_attributes = ['href', 'src', 'srcset', 'width', 'height', 'alt', 'cite', 'datetime', 'title', 'class', 'name', 'xml:lang', 'abbr', 'style', 'target', 'sizes', 'loading', 'decoding', 'type']
+ config.action_view.sanitized_allowed_tags = [
+ "a", "abbr", "acronym", "address", "b", "big", "blockquote", "br",
+ "cite", "code", "dd", "del", "dfn", "div", "dl", "dt", "em",
+ "h1", "h2", "h3", "h4", "h5", "h6", "hr", "i", "img", "ins", "kbd", "li", "ol",
+ "p", "picture", "pre", "samp", "small", "source", "span", "strong", "sub", "sup", "tt", "u", "ul", "var"
+ ]
+ config.action_view.sanitized_allowed_attributes = [
+ "abbr", "alt", "cite", "class", "datetime", "decoding", "height", "href", "loading",
+ "name", "sizes", "src", "srcset", "style", "target", "title", "type", "width", "xml:lang"
+ ]
 config.allowed_special_chars = '#?!,@$%^&*+£µ-'
-- 
GitLab
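Review bot: `"source"` is added to `sanitized_allowed_tags` but `"video"` is not, so if the attachment partial's output passes through this sanitizer a video attachment's `<video>` wrapper is stripped while the bare `<source src=… type=…>` survives as dead markup; either add `"video"` next to `"source"` or leave a comment on the array stating that only `<picture>`/`<source>` output is intended. Keeping `"style"` in `sanitized_allowed_attributes` also deserves a comment naming which sanitizer scrubs the CSS value (rails-html-sanitizer's safe-list scrubber is expected to run its CSS scrub on `style`, which should be confirmed for the version in use), since without that scrub inline styles in user-supplied text can reposition or hide page content. Likewise confirm that `srcset`, a comma-separated list of URLs, is subject to the same protocol check the sanitizer applies to `src`/`href`, because `<source srcset>` is the new path this change opens. The enclosing configuration block under `module Osuny` starts and ends outside the hunk.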