[!] Sanitize incoming classlist properly (#6162)

* Sanitize classlist properly * Actually properly sanitize every class after the first * Improve Formatter spec to check for multiple classes and non-space whitespace
author: puckipedia <puck@puckipedia.com> 2018-01-03 03:54:08 +0100
committer: Eugen Rochko <eugen@zeonfederated.com> 2018-01-03 03:54:08 +0100
commit: 545095b3ce312b42ba304d0bb2c76727826e27b4 (patch)
tree: acbfd8c4302f14ea8a352d8d7b9034eafe711ed1 /app
parent: d319b3dbe4cf40bfca12a224adb54a8fb6033090 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
index f09288fcd..c2b466924 100644
--- a/app/lib/sanitize_config.rb
+++ b/app/lib/sanitize_config.rb
@@ -6,14 +6,14 @@ class Sanitize
 
     CLASS_WHITELIST_TRANSFORMER = lambda do |env|
       node = env[:node]
-      class_list = node['class']&.split(' ')
+      class_list = node['class']&.split(/[\t\n\f\r ]/)
 
       return unless class_list
 
       class_list.keep_if do |e|
-        return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
-        return true if e =~ /^(mention|hashtag)$/ # semantic classes
-        return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
+        next true if e =~ /^(h|p|u|dt|e)-/ # microformats classes
+        next true if e =~ /^(mention|hashtag)$/ # semantic classes
+        next true if e =~ /^(ellipsis|invisible)$/ # link formatting classes
       end
 
       node['class'] = class_list.join(' ')
author	puckipedia <puck@puckipedia.com>	2018-01-03 03:54:08 +0100
committer	Eugen Rochko <eugen@zeonfederated.com>	2018-01-03 03:54:08 +0100
commit	545095b3ce312b42ba304d0bb2c76727826e27b4 (patch)
tree	acbfd8c4302f14ea8a352d8d7b9034eafe711ed1 /app
parent	d319b3dbe4cf40bfca12a224adb54a8fb6033090 (diff)