muck-comments 0.1.16 → 0.1.17

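--- a/data/Rakefile
+++ b/data/Rakefile
@@ -54,6 +54,8 @@ begin
  gemspec.description = "The comment engine for the muck system."
  gemspec.authors = ["Justin Ball", "Joel Duffin"]
  gemspec.rubyforge_project = 'muck-comments'
+ gemspec.add_dependency "sanitize"
+ gemspec.add_dependency "awesome_nested_set"
  gemspec.add_dependency "muck-engine"
  gemspec.add_dependency "muck-users"
  end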
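Review bot: Both new dependencies are added with no version constraint, and `sanitize` is now the only thing between stored comment bodies and the page (the view partials in this release stop calling `h`), so a later release that changes `Sanitize.clean` or the `Sanitize::Config` constants would break sanitization at load time or, worse, quietly. A pessimistic constraint on the version this was developed against, `gemspec.add_dependency "sanitize", "~> <tested-version>"`, admits bug-fix upgrades while blocking breaking ones. The generated gemspec and metadata sections further down carry the same unconstrained `>= 0` and would be regenerated from here.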
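--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.16
+0.1.17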
@@ -1,7 +1,7 @@
1
1
  <div id="<%= comment.dom_id %>" class="comment_holder delete-container">
2
2
  <div class="commentor-icon"><%= icon comment.user %></div>
3
3
  <p><span class="commentor"><%= link_to comment.user.try(:display_name), comment.user %></span>
4
- <%= h limit_comment(comment.body, truncate_comment, length, omission) %></p>
4
+ <%= limit_comment(comment.body, truncate_comment, length, omission) %></p>
5
5
  <%= delete_comment(comment, :image) if comment.can_edit?(current_user) %>
6
6
  <span class="comment-time"><%= t("muck.general.time_ago", :time_in_words => time_ago_in_words(comment.created_at)) %></span></p>
7
7
  </div>
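Review bot: Dropping `h` on the `limit_comment` line moves the XSS defence from render time to save time, and the new `before_save :sanitize_attributes` in the model hunk below does not cover everything these partials display: comments saved before this release never went through the hook, a model declared with `:sanitize_content => false` skips it entirely, and `sanitize_level` returns nil for admin authors, so all of those bodies now reach the page as raw HTML. The same change is made in the `comment_title` partial (`sanitize(textilize(c))` becomes `comment_title.body`) and in the `simple_comment` partial. Keeping a render-time pass as defence in depth costs one helper call, e.g. `<%= sanitize limit_comment(comment.body, truncate_comment, length, omission) %>`, and existing rows would need a one-off re-save to be cleaned by the new hook. Truncation by `limit_comment` may also leave a tag open if it cuts inside sanitized markup — worth confirming how that helper treats HTML.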
@@ -1,5 +1,3 @@
1
- <% c = comment_title.comment.dup.gsub(/\[youtube:+.+\]/, '') %>
2
-
3
1
  <div id="<%= comment_title.dom_id %>" class="comment_holder">
4
2
  <%= icon comment_title.user, :small, :class => 'left avatar_on_comment' %>
5
3
  <div class="date_details">
@@ -8,7 +6,7 @@
8
6
  profile_path(comment_title.user))} %>
9
7
  </div>
10
8
  <div class="comment_message">
11
- <%= sanitize(textilize(c)) %>
9
+ <%= comment_title.body %>
12
10
  </div>
13
11
  <div class="clear"></div>
14
12
  </div>
@@ -1,4 +1,4 @@
1
1
  <div id="<%= simple_comment.dom_id %>" class="simple-comment">
2
2
  <div class="commentor-icon"><%= icon simple_comment.user %></div>
3
- <div class="comment-body"><%= h limit_comment(simple_comment.body, truncate_comment, length, omission) %></div>
3
+ <div class="comment-body"><%= limit_comment(simple_comment.body, truncate_comment, length, omission) %></div>
4
4
  </div>
@@ -9,6 +9,11 @@ module ActiveRecord
9
9
 
10
10
  def acts_as_muck_comment(options = {})
11
11
 
12
+ default_options = {
13
+ :sanitize_content => true,
14
+ }
15
+ options = default_options.merge(options)
16
+
12
17
  acts_as_nested_set :scope => [:commentable_id, :commentable_type]
13
18
  validates_presence_of :body
14
19
  belongs_to :user
@@ -18,7 +23,11 @@ module ActiveRecord
18
23
  named_scope :by_newest, :order => "created_at DESC"
19
24
  named_scope :by_oldest, :order => "created_at ASC"
20
25
  named_scope :recent, lambda { { :conditions => ['created_at > ?', 1.week.ago] } }
21
-
26
+
27
+ if options[:sanitize_content]
28
+ before_save :sanitize_attributes
29
+ end
30
+
22
31
  class_eval <<-EOV
23
32
  # prevents a user from submitting a crafted form that bypasses activation
24
33
  attr_protected :created_at, :updated_at
@@ -78,6 +87,34 @@ module ActiveRecord
78
87
  false
79
88
  end
80
89
 
90
+ # Sanitize content before saving. This prevent XSS attacks and other malicious html.
91
+ def sanitize_attributes
92
+ if self.sanitize_level
93
+ self.body = Sanitize.clean(self.body, self.sanitize_level)
94
+ end
95
+ end
96
+
97
+ # Override this method to control sanitization levels.
98
+ # Currently a user who is an admin will not have their content sanitized. A user
99
+ # in any role 'editor', 'manager', or 'contributor' will be given the 'RELAXED' settings
100
+ # while all other users will get 'BASIC'.
101
+ #
102
+ # By default the 'creator' of the content will be used to determine which level of
103
+ # sanitization is allowed. To change this set 'current_editor' before
104
+ #
105
+ # Options are from sanitze:
106
+ # nil - no sanitize
107
+ # Sanitize::Config::RELAXED
108
+ # Sanitize::Config::BASIC
109
+ # Sanitize::Config::RESTRICTED
110
+ # for more details see: http://rgrove.github.com/sanitize/
111
+ def sanitize_level
112
+ return Sanitize::Config::BASIC if self.user.nil?
113
+ return nil if self.user.admin?
114
+ return Sanitize::Config::RELAXED if self.user.any_role?('editor', 'manager', 'contributor')
115
+ Sanitize::Config::BASIC
116
+ end
117
+
81
118
  end
82
119
  end
83
120
  end
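Review bot: The `sanitize_level` comment breaks off mid-sentence at `# sanitization is allowed. To change this set 'current_editor' before`, and nothing in the hunk reads a `current_editor`; the method decides solely on `self.user`, the comment's author. Because `before_save` runs on every update, an edit by a lower-privileged user to a comment whose author is an admin is still stored unsanitized (`return nil if self.user.admin?`) — if an editor-aware level is intended, the hook has to consult that editor rather than `user`. Either finish the sentence with what callers are expected to set, or replace those two comment lines with `# The comment's author (user) determines the level; the hook runs on every save.` Two further wording fixes: `# Options are from sanitze:` should read `sanitize`, and `# This prevent XSS attacks` should read `prevents`. The enclosing `acts_as_muck_comment` / `class_eval` block starts outside this hunk.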
@@ -5,7 +5,7 @@
5
5
 
6
6
  Gem::Specification.new do |s|
7
7
  s.name = %q{muck-comments}
8
- s.version = "0.1.16"
8
+ s.version = "0.1.17"
9
9
 
10
10
  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
11
11
  s.authors = ["Justin Ball", "Joel Duffin"]
@@ -415,13 +415,19 @@ Gem::Specification.new do |s|
415
415
  s.specification_version = 3
416
416
 
417
417
  if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
418
+ s.add_runtime_dependency(%q<sanitize>, [">= 0"])
419
+ s.add_runtime_dependency(%q<awesome_nested_set>, [">= 0"])
418
420
  s.add_runtime_dependency(%q<muck-engine>, [">= 0"])
419
421
  s.add_runtime_dependency(%q<muck-users>, [">= 0"])
420
422
  else
423
+ s.add_dependency(%q<sanitize>, [">= 0"])
424
+ s.add_dependency(%q<awesome_nested_set>, [">= 0"])
421
425
  s.add_dependency(%q<muck-engine>, [">= 0"])
422
426
  s.add_dependency(%q<muck-users>, [">= 0"])
423
427
  end
424
428
  else
429
+ s.add_dependency(%q<sanitize>, [">= 0"])
430
+ s.add_dependency(%q<awesome_nested_set>, [">= 0"])
425
431
  s.add_dependency(%q<muck-engine>, [">= 0"])
426
432
  s.add_dependency(%q<muck-users>, [">= 0"])
427
433
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: muck-comments
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.16
4
+ version: 0.1.17
5
5
  platform: ruby
6
6
  authors:
7
7
  - Justin Ball
@@ -13,6 +13,26 @@ cert_chain: []
13
13
  date: 2009-12-02 00:00:00 -07:00
14
14
  default_executable:
15
15
  dependencies:
16
+ - !ruby/object:Gem::Dependency
17
+ name: sanitize
18
+ type: :runtime
19
+ version_requirement:
20
+ version_requirements: !ruby/object:Gem::Requirement
21
+ requirements:
22
+ - - ">="
23
+ - !ruby/object:Gem::Version
24
+ version: "0"
25
+ version:
26
+ - !ruby/object:Gem::Dependency
27
+ name: awesome_nested_set
28
+ type: :runtime
29
+ version_requirement:
30
+ version_requirements: !ruby/object:Gem::Requirement
31
+ requirements:
32
+ - - ">="
33
+ - !ruby/object:Gem::Version
34
+ version: "0"
35
+ version:
16
36
  - !ruby/object:Gem::Dependency
17
37
  name: muck-engine
18
38
  type: :runtime