[Rt-commit] rt branch, 4.0/scrub-dashboard-javascript, created. rt-4.0.6-177-g1599f0d
Thomas Sibley
trs at bestpractical.com
Thu Jun 14 15:42:26 EDT 2012
The branch, 4.0/scrub-dashboard-javascript has been created
at 1599f0d31fe26d870402b06a5b43df5e291e0703 (commit)
- Log -----------------------------------------------------------------
commit 1599f0d31fe26d870402b06a5b43df5e291e0703
Author: Thomas Sibley <trs at bestpractical.com>
Date: Thu Jun 14 15:36:20 2012 -0400
Scrub javascript from dashboard emails rather than relying on imperfect flags
Both Outlook and Lotus render <script> tags poorly, so they're useful to
remove.
diff --git a/lib/RT/Dashboard/Mailer.pm b/lib/RT/Dashboard/Mailer.pm
index 40b53b1..a76954e 100644
--- a/lib/RT/Dashboard/Mailer.pm
+++ b/lib/RT/Dashboard/Mailer.pm
@@ -59,6 +59,7 @@ use RT::Dashboard;
use RT::Interface::Web::Handler;
use RT::Interface::Web;
use File::Temp 'tempdir';
+use HTML::Scrubber;
sub MailDashboards {
my $self = shift;
@@ -248,6 +249,8 @@ SUMMARY
}
}
+ $content = ScrubContent($content);
+
$RT::Logger->debug("Got ".length($content)." characters of output.");
$content = HTML::RewriteAttributes::Links->rewrite(
@@ -463,6 +466,33 @@ sub BuildEmail {
}
{
+ my $scrubber;
+
+ sub _scrubber {
+ unless ($scrubber) {
+ $scrubber = HTML::Scrubber->new;
+ # Allow everything by default, except JS attributes ...
+ $scrubber->default(
+ 1 => {
+ '*' => 1,
+ map { ("on$_" => 0) }
+ qw(blur change click dblclick error focus keydown keypress keyup load
+ mousedown mousemove mouseout mouseover mouseup reset select submit unload)
+ }
+ );
+ # ... and <script>s
+ $scrubber->deny('script');
+ }
+ return $scrubber;
+ }
+
+ sub ScrubContent {
+ my $content = shift;
+ return _scrubber->scrub($content);
+ }
+}
+
+{
my %cache;
sub HourDowDomIn {
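Review bot: The attribute rules in `_scrubber` are a denylist on top of an allow-everything default (`'*' => 1`), so any event-handler attribute missing from the `qw(...)` list (it has no `abort`, `resize` or `scroll`, for example) still reaches the mail, as does any `javascript:` URL in `href` or `src`. HTML::Scrubber accepts a regex as an attribute rule, so adding `href => qr{^(?!(?:java)?script)}i, src => qr{^(?!(?:java)?script)}i,` beside the `on*` entries would cover the URL case while still passing the relative links that are rewritten later. An allowlist of the attributes the dashboard templates actually emit would be sturdier than extending the list. Separately, `_scrubber->scrub($content)` parses as a function call only because the sub is declared earlier in the file; `_scrubber()->scrub($content)` makes that explicit. The bare block that holds `HourDowDomIn` continues outside the hunk.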
-----------------------------------------------------------------------