#! /bin/sh /usr/share/dpatch/dpatch-run
## 17_SA32652.dpatch by Giuseppe Iuculano <giuseppe@iuculano.it>
## All lines beginning with `## DP:' are a description of the patch.
## DP: Backported patch to fix SA32652
diff -urNad trac-0.11.1~/trac/util/html.py trac-0.11.1/trac/util/html.py
9
--- trac-0.11.1~/trac/util/html.py 2008-08-07 03:00:20.000000000 +0200
10
+++ trac-0.11.1/trac/util/html.py 2008-11-16 18:22:50.000000000 +0100
14
from genshi import Markup, escape, unescape
15
-from genshi.core import stripentities, striptags
16
+from genshi.core import stripentities, striptags, START, END
17
from genshi.builder import Element, ElementFactory, Fragment
18
+from genshi.filters.html import HTMLSanitizer
20
-__all__ = ['escape', 'unescape', 'html', 'plaintext']
21
+__all__ = ['escape', 'unescape', 'html', 'plaintext', 'TracHTMLSanitizer']
24
+class TracHTMLSanitizer(HTMLSanitizer):
26
+ UNSAFE_CSS = ['position']
29
+ safe_attrs = HTMLSanitizer.SAFE_ATTRS | set(['style'])
30
+ super(TracHTMLSanitizer, self).__init__(safe_attrs=safe_attrs)
32
+ def sanitize_css(self, text):
34
+ text = self._strip_css_comments(self._replace_unicode_escapes(text))
35
+ for decl in filter(None, text.split(';')):
40
+ prop, value = decl.split(':', 1)
43
+ if not self.is_safe_css(prop.strip().lower(), value.strip()):
46
+ if 'expression' in decl:
48
+ for match in re.finditer(r'url\s*\(([^)]+)', decl):
49
+ if not self.is_safe_uri(match.group(1)):
53
+ decls.append(decl.strip())
56
+ def __call__(self, stream):
57
+ """Remove input type="password" elements from the stream
60
+ for kind, data, pos in super(TracHTMLSanitizer, self).__call__(stream):
63
+ if (tag == 'input' and
64
+ attrs.get('type', '').lower() == 'password'):
67
+ yield kind, data, pos
70
+ yield kind, data, pos
73
+ yield kind, data, pos
75
+ def is_safe_css(self, prop, value):
76
+ """Determine whether the given css property declaration is to be
77
+ considered safe for inclusion in the output.
79
+ if prop in self.UNSAFE_CSS:
81
+ # Negative margins can be used for phishing
82
+ elif prop.startswith('margin') and '-' in value:
87
class Deuglifier(object):
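Review bot: Both inline checks in `sanitize_css` are case-sensitive, so a style value containing `EXPRESSION(...)` or `Url(javascript:...)` passes the `'expression' in decl` test and the `url\s*\(` finditer untouched, even though browsers match CSS keywords and function names case-insensitively; the preceding `_replace_unicode_escapes` call normalises escape sequences, not letter case. Lower-case the declaration before the keyword test, `if 'expression' in decl.lower():`, and make the URL scan case-insensitive, `for match in re.finditer(r'url\s*\(([^)]+)', decl, re.I):`, so the subsequent `is_safe_uri` check actually sees those values. The hunk is shown with lines elided, so the initialisation of `decls` and any error handling around `decl.split(':', 1)` are not visible here, and the rest of `TracHTMLSanitizer` may lie between the shown lines.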
88
diff -urNad trac-0.11.1~/trac/wiki/formatter.py trac-0.11.1/trac/wiki/formatter.py
89
--- trac-0.11.1~/trac/wiki/formatter.py 2008-08-07 03:00:20.000000000 +0200
90
+++ trac-0.11.1/trac/wiki/formatter.py 2008-11-16 18:22:50.000000000 +0100
93
from genshi.builder import tag, Element
94
from genshi.core import Stream, Markup, escape
95
-from genshi.filters import HTMLSanitizer
96
from genshi.input import HTMLParser, ParseError
97
from genshi.util import plaintext
100
from trac.wiki.parser import WikiParser
101
from trac.util.text import shorten_line, to_unicode, \
102
unicode_quote, unicode_quote_plus
103
+from trac.util.html import TracHTMLSanitizer
104
from trac.util.translation import _
106
__all__ = ['wiki_to_html', 'wiki_to_oneliner', 'wiki_to_outline',
108
'span': self._span_processor,
109
'Span': self._span_processor}
111
- self._sanitizer = HTMLSanitizer(safe_attrs=HTMLSanitizer.SAFE_ATTRS |
113
+ self._sanitizer = TracHTMLSanitizer()
115
self.processor = builtin_processors.get(name)
116
if not self.processor:
117
diff -urNad trac-0.11.1~/trac/wiki/parser.py trac-0.11.1/trac/wiki/parser.py
118
--- trac-0.11.1~/trac/wiki/parser.py 2008-08-07 03:00:20.000000000 +0200
119
+++ trac-0.11.1/trac/wiki/parser.py 2008-11-16 18:23:51.000000000 +0100
122
r"(?P<list>^(?P<ldepth>\s+)(?:[-*]|\d+\.|[a-zA-Z]\.|[ivxIVX]{1,5}\.) )",
124
- r"(?P<definition>^\s+((?:%s[^%s]*%s|%s.*?%s|[^%s%s:]|:[^:])+::)(?:\s+|$))"
125
+ r"(?P<definition>^\s+((?:%s[^%s]*%s|%s(?:%s{,2}[^%s])*?%s|[^%s%s:]|:[^:])+::)(?:\s+|$))"
126
% (INLINE_TOKEN, INLINE_TOKEN, INLINE_TOKEN,
127
- STARTBLOCK_TOKEN, ENDBLOCK_TOKEN, INLINE_TOKEN, STARTBLOCK[0]),
128
+ STARTBLOCK_TOKEN, ENDBLOCK[0], ENDBLOCK[0], ENDBLOCK_TOKEN,
129
+ INLINE_TOKEN, STARTBLOCK[0]),
131
r"(?P<indent>^(?P<idepth>\s+)(?=\S))",
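Review bot: The rewritten `definition` pattern carries no comment explaining why `%s.*?%s` became `%s(?:%s{,2}[^%s])*?%s`, and the substitution tuple on the following lines now passes `ENDBLOCK[0]` twice between `STARTBLOCK_TOKEN` and `ENDBLOCK_TOKEN`, an ordering a future edit could easily break without any failing assertion except the new wiki test. A one-line comment above the pattern would preserve the intent, e.g. `# Inside {{{...}}} accept at most two '}' before a non-'}' so the block body can be tokenised only one way; the earlier .*? nested in the outer (...)+ appears to be what the "Pathological definition list" wiki test exercises.` The rules list this pattern belongs to starts and ends outside the hunk, so I cannot see whether a similar bounded form is needed for other rules that embed block tokens.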
133
diff -urNad trac-0.11.1~/trac/wiki/tests/wiki-tests.txt trac-0.11.1/trac/wiki/tests/wiki-tests.txt
134
--- trac-0.11.1~/trac/wiki/tests/wiki-tests.txt 2008-08-07 03:00:20.000000000 +0200
135
+++ trac-0.11.1/trac/wiki/tests/wiki-tests.txt 2008-11-16 18:23:51.000000000 +0100
136
@@ -1034,6 +1034,16 @@
138
------------------------------
140
+============================== Pathological definition list counter example with block quotes
141
+ {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}} {{{a}}}
142
+------------------------------
145
+<tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt>
148
+------------------------------
149
+<tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt> <tt>a</tt>
150
============================== Definition list + escaped definition list
151
complex topic:: multiline