tamed_beast 0.0.1

data/test/functional/topics_controller_test.rb

@@ -0,0 +1,55 @@
+require 'test_helper'
+
+class TopicsControllerTest < ActionController::TestCase
+  fixtures :posts
+  fixtures :topics
+  fixtures :forums
+  fixtures :users
+
+  test "show action lists posts in a topic" do
+    f = forums(:one)
+    t = topics(:one)
+    get :show, :id => t.id, :forum_id => f.id
+    assert_response :success
+    assert_equal Post.where(:topic_id => t.id).count, assigns(:posts).size
+
+  end
+
+  test "create action" do
+    f = forums(:one)
+    u = users(:one)
+    sign_in(u)
+
+    assert_difference "Topic.where(:forum_id => #{f.id}).count" do
+      post :create, :forum_id => f.id, :topic => {:title => 'test test', :body => 'test test body body'}
+      t = Topic.where(:forum_id => f.id).last
+
+      assert_redirected_to forum_topic_path(f,t)
+    end
+  end
+
+  test "update action" do
+    f = forums(:one)
+    t = topics(:one)
+    u = users(:one)
+    sign_in(u)
+
+    put :update, :id => t.id, :forum_id => f.id, :topic => {:title => 'test test'}
+    assert_redirected_to forum_topic_path(f,t)
+  end
+
+  test "destroy action" do
+    f = forums(:one)
+    t = topics(:one)
+    u = users(:one)
+    sign_in(u)
+
+    delete :destroy, :id => t.id, :forum_id => f.id
+    assert_redirected_to forum_path(f)
+  end
+
+  private
+  def sign_in(u)
+    session[:user_id] = u.id
+  end
+end

data/test/unit/forum_test.rb

@@ -0,0 +1,10 @@
+require 'test_helper'
+
+class ForumTest < ActiveSupport::TestCase
+  test "validates presence of name" do
+    f = Forum.new
+    assert !f.valid?
+    f.name = "a new forum"
+    assert f.valid?
+  end
+end

data/test/unit/post_test.rb

@@ -0,0 +1,32 @@
+require 'test_helper'
+
+class PostTest < ActiveSupport::TestCase
+  test "validates presence of user" do
+    p = Post.new
+    p.body = "lorem ipsum dolor sit amet..."
+    p.topic_id = 1
+    assert !p.valid?
+    p.user_id = 1
+    assert p.valid?
+  end
+
+  test "validates presence of body" do
+    p = Post.new
+    p.topic_id = 1
+    p.user_id = 1
+    assert !p.valid?
+    
+    p.body = "lorem ipsum dolor sit amet..."
+    assert p.valid?
+  end
+
+  test "validates presence of topic" do
+    p = Post.new
+    p.user_id = 1
+    p.body = "lorem ipsum dolor sit amet..."
+    assert !p.valid?
+    
+    p.topic_id = 1
+    assert p.valid?
+  end
+end

data/test/unit/topic_test.rb

@@ -0,0 +1,33 @@
+require 'test_helper'
+
+class TopicTest < ActiveSupport::TestCase
+  test "validates presence of user" do
+    t = Topic.new
+    t.title = "A new topic"
+    t.forum_id = 1
+    assert !t.valid?
+
+    t.user_id = 1
+    assert t.valid?
+  end
+
+  test "validates presence of forum" do
+    t = Topic.new
+    t.title = "A new topic"
+    t.user_id = 1
+    assert !t.valid?
+    
+    t.forum_id = 1
+    assert t.valid?
+  end
+
+  test "validates presence of title" do
+    t = Topic.new
+    t.user_id = 1
+    t.forum_id = 1
+    assert !t.valid?
+    
+    t.title = "A new topic"
+    assert t.valid?
+  end
+end

data/vendor/plugins/white_list/README

@@ -0,0 +1,29 @@
+WhiteList
+=========
+
+This White Listing helper will html encode all tags and strip all attributes that aren't specifically allowed.  
+It also strips href/src tags with invalid protocols, like javascript: especially.  It does its best to counter any
+tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters.  Check out
+the extensive test suite.
+
+  <%= white_list @article.body %>
+
+You can add or remove tags/attributes if you want to customize it a bit.
+
+Add table tags
+  
+  WhiteListHelper.tags.merge %w(table td th)
+
+Remove tags
+  
+  WhiteListHelper.tags.delete 'div'
+
+Change allowed attributes
+
+  WhiteListHelper.attributes.merge %w(id class style)
+
+white_list accepts a block for custom tag escaping.  Shown below is the default block that white_list uses if none is given.
+The block is called for all bad tags, and every text node.  node is an instance of HTML::Node (either HTML::Tag or HTML::Text).  
+bad is nil for text nodes inside good tags, or is the tag name of the bad tag.  
+
+  <%= white_list(@article.body) { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/</, '&lt;') } %>

data/vendor/plugins/white_list/Rakefile

@@ -0,0 +1,22 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the white_list plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the white_list plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'WhiteList'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/vendor/plugins/white_list/init.rb

@@ -0,0 +1,2 @@
+require 'white_list_helper'
+ActionView::Base.send :include, WhiteListHelper

data/vendor/plugins/white_list/lib/white_list_helper.rb

@@ -0,0 +1,97 @@
+module WhiteListHelper
+  @@protocol_attributes = Set.new %w(src href)
+  @@protocol_separator  = /:|(&#0*58)|(&#x70)|(%|%)3A/
+  mattr_reader :protocol_attributes, :protocol_separator
+
+  def self.contains_bad_protocols?(white_listed_protocols, value)
+    value =~ protocol_separator && !white_listed_protocols.include?(value.split(protocol_separator).first)
+  end
+
+  klass = class << self; self; end
+  klass_methods = []
+  inst_methods  = []
+  [:bad_tags, :tags, :attributes, :protocols].each do |attr|
+    # Add class methods to the module itself
+    klass_methods << <<-EOS
+      def #{attr}=(value) @@#{attr} = Set.new(value) end
+      def #{attr}() @@#{attr} end
+    EOS
+    
+    # prefix the instance methods with white_listed_*
+    inst_methods << "def white_listed_#{attr}() ::WhiteListHelper.#{attr} end"
+  end
+  
+  klass.class_eval klass_methods.join("\n"), __FILE__, __LINE__
+  class_eval       inst_methods.join("\n"),  __FILE__, __LINE__
+
+  # This White Listing helper will html encode all tags and strip all attributes that aren't specifically allowed.  
+  # It also strips href/src tags with invalid protocols, like javascript: especially.  It does its best to counter any
+  # tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters.  Check out
+  # the extensive test suite.
+  #
+  #   <%= white_list @article.body %>
+  # 
+  # You can add or remove tags/attributes if you want to customize it a bit.
+  # 
+  # Add table tags
+  #   
+  #   WhiteListHelper.tags.merge %w(table td th)
+  # 
+  # Remove tags
+  #   
+  #   WhiteListHelper.tags.delete 'div'
+  # 
+  # Change allowed attributes
+  # 
+  #   WhiteListHelper.attributes.merge %w(id class style)
+  # 
+  # white_list accepts a block for custom tag escaping.  Shown below is the default block that white_list uses if none is given.
+  # The block is called for all bad tags, and every text node.  node is an instance of HTML::Node (either HTML::Tag or HTML::Text).  
+  # bad is nil for text nodes inside good tags, or is the tag name of the bad tag.  
+  # 
+  #   <%= white_list(@article.body) { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/</, '&lt;') } %>
+  #
+  def white_list(html, options = {}, &block)
+    return html if html.blank? || !html.include?('<')
+    attrs   = Set.new(options[:attributes]).merge(white_listed_attributes)
+    tags    = Set.new(options[:tags]      ).merge(white_listed_tags)
+    block ||= lambda { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/</, '&lt;') }
+    [].tap do |new_text|
+      tokenizer = HTML::Tokenizer.new(html)
+      bad       = nil
+      while token = tokenizer.next
+        node = HTML::Node.parse(nil, 0, 0, token, false)
+        new_text << case node
+          when HTML::Tag
+            node.attributes.keys.each do |attr_name|
+              value = node.attributes[attr_name].to_s
+              if !attrs.include?(attr_name) || (protocol_attributes.include?(attr_name) && contains_bad_protocols?(value))
+                node.attributes.delete(attr_name)
+              else
+                node.attributes[attr_name] = CGI::escapeHTML(value)
+              end
+            end if node.attributes
+            if tags.include?(node.name)
+              bad = nil
+              node
+            else
+              bad = node.name
+              block.call node, bad
+            end
+          else
+            block.call node, bad
+        end
+      end
+    end.join
+  end
+  
+  protected
+    def contains_bad_protocols?(value)
+      WhiteListHelper.contains_bad_protocols?(white_listed_protocols, value)
+    end
+end
+
+WhiteListHelper.bad_tags   = %w(script)
+WhiteListHelper.tags       = %w(strong em b i p code pre tt output samp kbd var sub sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr acronym a img blockquote del ins fieldset legend)
+WhiteListHelper.attributes = %w(href src width height alt cite datetime title class)
+WhiteListHelper.protocols  = %w(ed2k ftp http https irc mailto news gopher nntp telnet webcal xmpp callto feed)

data/vendor/plugins/white_list/test/white_list_test.rb

@@ -0,0 +1,132 @@
+require 'test/unit'
+require File.expand_path(File.join(File.dirname(__FILE__), '../../../../config/environment.rb'))
+
+class WhiteListTest < Test::Unit::TestCase
+  include WhiteListHelper
+  public :contains_bad_protocols?
+
+  WhiteListHelper.tags.each do |tag_name|
+    define_method "test_should_allow_#{tag_name}_tag" do
+      assert_white_listed "start <#{tag_name} title=\"1\" name=\"foo\">foo <bad>bar</bad> baz</#{tag_name}> end", %(start <#{tag_name} title="1">foo &lt;bad>bar&lt;/bad> baz</#{tag_name}> end)
+    end
+  end
+
+  def test_should_allow_anchors
+    assert_white_listed %(<a href="foo" onclick="bar"><script>baz</script></a>), %(<a href="foo"></a>)
+  end
+
+  %w(src width height alt).each do |img_attr|
+    define_method "test_should_allow_image_#{img_attr}_attribute" do
+      assert_white_listed %(<img #{img_attr}="foo" onclick="bar" />), %(<img #{img_attr}="foo" />)
+    end
+  end
+
+  def test_should_handle_non_html
+    assert_white_listed 'abc'
+  end
+
+  def test_should_handle_blank_text
+    assert_white_listed nil
+    assert_white_listed ''
+  end
+
+  def test_should_allow_custom_tags
+    text = "<u>foo</u>"
+    assert_equal(text, white_list(text, :tags => %w(u)))
+  end
+
+  def test_should_allow_custom_tags_with_attributes
+    text = %(<fieldset foo="bar">foo</fieldset>)
+    assert_equal(text, white_list(text, :attributes => ['foo']))
+  end
+
+  [%w(img src), %w(a href)].each do |(tag, attr)|
+    define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
+      assert_white_listed %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title="1">boo</#{tag}>)
+    end
+  end
+
+  def test_should_flag_bad_protocols
+    %w(about chrome data disk hcp help javascript livescript lynxcgi lynxexec ms-help ms-its mhtml mocha opera res resource shell vbscript view-source vnd.ms.radio wysiwyg).each do |proto|
+      assert contains_bad_protocols?("#{proto}://bad")
+    end
+  end
+
+  def test_should_accept_good_protocols
+    WhiteListHelper.protocols.each do |proto|
+      assert !contains_bad_protocols?("#{proto}://good")
+    end
+  end
+
+  def test_should_reject_hex_codes_in_protocol
+    assert contains_bad_protocols?("%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29")
+    assert_white_listed %(<a href="&#37;6A&#37;61&#37;76&#37;61&#37;73&#37;63&#37;72&#37;69&#37;70&#37;74&#37;3A&#37;61&#37;6C&#37;65&#37;72&#37;74&#37;28&#37;22&#37;58&#37;53&#37;53&#37;22&#37;29">1</a>), "<a>1</a>"
+  end
+
+  def test_should_block_script_tag
+    assert_white_listed %(<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>), ""
+  end
+
+  [%(<IMG SRC="javascript:alert('XSS');">), 
+   %(<IMG SRC=javascript:alert('XSS')>), 
+   %(<IMG SRC=JaVaScRiPt:alert('XSS')>), 
+   %(<IMG """><SCRIPT>alert("XSS")</SCRIPT>">),
+   %(<IMG SRC=javascript:alert(&quot;XSS&quot;)>),
+   %(<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>),
+   %(<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>),
+   %(<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>),
+   %(<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>),
+   %(<IMG SRC="jav\tascript:alert('XSS');">),
+   %(<IMG SRC="jav&#x09;ascript:alert('XSS');">),
+   %(<IMG SRC="jav&#x0A;ascript:alert('XSS');">),
+   %(<IMG SRC="jav&#x0D;ascript:alert('XSS');">),
+   %(<IMG SRC=" &#14;  javascript:alert('XSS');">),
+   %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
+    define_method "test_should_not_fall_for_xss_image_hack_#{i}" do
+      assert_white_listed img_hack, "<img>"
+    end
+  end
+  
+  def test_should_sanitize_tag_broken_up_by_null
+    assert_white_listed %(<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>), "&lt;scr>alert(\"XSS\")&lt;/scr>"
+  end
+  
+  def test_should_sanitize_invalid_script_tag
+    assert_white_listed %(<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>), ""
+  end
+  
+  def test_should_sanitize_script_tag_with_multiple_open_brackets
+    assert_white_listed %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "&lt;"
+    assert_white_listed %(<iframe src=http://ha.ckers.org/scriptlet.html\n<), %(&lt;iframe src="http:" />&lt;)
+  end
+  
+  def test_should_sanitize_unclosed_script
+    assert_white_listed %(<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>), "<b>"
+  end
+  
+  def test_should_sanitize_half_open_scripts
+    assert_white_listed %(<IMG SRC="javascript:alert('XSS')"), "<img>"
+  end
+  
+  def test_should_not_fall_for_ridiculous_hack
+    img_hack = %(<IMG\nSRC\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n>)
+    assert_white_listed img_hack, "<img>"
+  end
+
+  def test_should_allow_custom_block
+    html = %(<SCRIPT type="javascript">foo</SCRIPT><img>blah</img><blink>blah</blink>)
+    safe = white_list html do |node, bad|
+      bad == 'script' ? nil : node
+    end
+    assert_equal "<img>blah</img><blink>blah</blink>", safe
+  end
+
+  def test_should_sanitize_attributes
+    assert_white_listed %(<SPAN title="'><script>alert()</script>">blah</SPAN>), %(<span title="'&gt;&lt;script&gt;alert()&lt;/script&gt;">blah</span>)
+  end
+
+  protected
+    def assert_white_listed(text, expected = nil)
+      assert_equal((expected || text), white_list(text))
+    end
+end

data/vendor/plugins/white_list_formatted_content/init.rb

@@ -0,0 +1,27 @@
+ActiveRecord::Base.class_eval do
+  include ActionView::Helpers::TagHelper, ActionView::Helpers::TextHelper, WhiteListHelper
+  def self.format_attribute(attr_name)
+    class << self; include ActionView::Helpers::TagHelper, ActionView::Helpers::TextHelper, WhiteListHelper; end
+    define_method(:body)       { read_attribute attr_name }
+    define_method(:body_html)  { read_attribute "#{attr_name}_html" }
+    define_method(:body_html=) { |value| write_attribute "#{attr_name}_html", value }
+    before_save :format_content
+  end
+
+  def dom_id
+    [self.class.name.downcase.pluralize.dasherize, id] * '-'
+  end
+
+  protected
+    def format_content
+      body.strip! if body.respond_to?(:strip!)
+      self.body_html = body.blank? ? '' : body_html_with_formatting
+    end
+    
+    def body_html_with_formatting
+      body_html = auto_link(body) { |text| truncate(text, 50) }
+      textilized = RedCloth.new(body_html, [ :hard_breaks ])
+      textilized.hard_breaks = true if textilized.respond_to?("hard_breaks=")
+      white_list(textilized.to_html)
+    end
+end