No wiki description for HTML editors - XSS forgery

2021-03-16 15:03:09 +01:00 · 2021-03-16 15:03:09 +01:00 · d71f820c8c
commit d71f820c8c
parent 2234373649
6 changed files with 27 additions and 14 deletions
--- a/app/controllers/dmsf_controller.rb
+++ b/app/controllers/dmsf_controller.rb
@ -35,6 +35,7 @@ class DmsfController < ApplicationController
  before_action :find_folder_by_title, only: [:show]
  before_action :get_query, only: [:expand_folder, :show, :trash, :empty_trash, :index]
  before_action :get_project_roles, only: [:new, :edit, :create, :save]
+  before_action :text_formating, only: [:show, :edit, :edit_root]

  accept_api_auth :show, :create, :save, :delete

@ -315,9 +316,6 @@ class DmsfController < ApplicationController
    redirect_back_or_default trash_dmsf_path(@project)
  end

-  def edit_root
-  end
-
  def save_root
    if params[:project]
      @project.dmsf_description = params[:project][:dmsf_description]
@ -705,4 +703,8 @@ class DmsfController < ApplicationController
      members: { project_id: @project.id }).distinct
  end

+  def text_formating
+    @wiki = Setting.text_formatting != 'HTML'
+  end
+
 end
--- a/app/views/dmsf/_main.html.erb
+++ b/app/views/dmsf/_main.html.erb
@ -62,9 +62,15 @@

 <% if @project %>
  <div class="dmsf-header">
+    <% if @wiki %>
      <div class="wiki">
        <%= textilizable @folder ? @folder.description : @project.dmsf_description %>
      </div>
+    <% else %>
+      <div class="dmsf-description">
+        <%= h @folder ? @folder.description : @project.dmsf_description %>
+      </div>
+    <% end %>
  </div>
 <% end %>

--- a/app/views/dmsf/edit.html.erb
+++ b/app/views/dmsf/edit.html.erb
@ -69,7 +69,7 @@
      <%= f.text_field :title, required: true %>
    </p>
    <p>
-      <%= f.text_area :description, rows: 8, class: 'wiki-edit' %>
+      <%= f.text_area :description, rows: 8, class: @wiki ? 'wiki-edit' : 'dmsf-description' %>
    </p>
    <p>
      <% dir = @folder.inherited_permissions_from %>
@ -128,4 +128,6 @@
  </div>
 <% end %>

+<% if @wiki %>
  <%= wikitoolbar_for 'dmsf_folder_description' %>
+<% end %>
--- a/app/views/dmsf/edit_root.html.erb
+++ b/app/views/dmsf/edit_root.html.erb
@ -45,7 +45,8 @@
 <%= labelled_form_for(@project, url: { action: 'save_root', id: @project }, html: { method: :post }) do |f| %>
  <div class="box tabular">
    <p>
-      <%= f.text_area :dmsf_description, rows: 8, class: 'wiki-edit', label: l(:field_description) %>
+      <%= f.text_area :dmsf_description, rows: 8, class: @wiki ? 'wiki-edit' : 'dmsf-description',
+                      label: l(:field_description) %>
    </p>
    <div class="form-actions">
      <%= f.submit l(:submit_save), class: 'button-positive' %>
@ -53,4 +54,6 @@
  </div>
 <% end %>

+<% if @wiki %>
  <%= wikitoolbar_for 'project_dmsf_description' %>
+<% end %>