Fix issue 1052: Properly parse the style attribute during sanitization

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2376 eee81c28-f429-11dd-99c0-75d572ba1ddd
2013-02-13 15:04:58 +00:00 · 2013-02-13 15:04:58 +00:00 · 936d9cc362
parent bc84fac91b
commit 936d9cc362
3 changed files with 55 additions and 4 deletions
--- a/editor/sanitize.js
+++ b/editor/sanitize.js
@ -8,8 +8,9 @@
 */

 // Dependencies:
-// 1) browser.js
-// 2) svgutils.js
+// 1) jQuery
+// 2) browser.js
+// 3) svgutils.js

 var svgedit = svgedit || {};

@ -199,9 +200,11 @@ svgedit.sanitize.sanitizeSvg = function(node) {
 					p = props.length;
 				while(p--) {
 					var nv = props[p].split(":");
+					var attrname = $.trim(nv[0]);
+					var attrval = $.trim(nv[1]);
 					// now check that this attribute is supported
-					if (allowedAttrs.indexOf(nv[0]) >= 0) {
-						node.setAttribute(nv[0],nv[1]);
+					if (allowedAttrs.indexOf(attrname) >= 0) {
+						node.setAttribute(attrname, attrval);
 					}
 				}
 				node.removeAttribute('style');
--- a/test/all_tests.html
+++ b/test/all_tests.html
@ -15,6 +15,7 @@
  <iframe src='draw_test.html' width='100%' height='70' scrolling='no'></iframe>
  <iframe src='units_test.html' width='100%' height='70' scrolling='no'></iframe>
  <iframe src='path_test.html' width='100%' height='70' scrolling='no'></iframe>
+  <iframe src='sanitize_test.html' width='100%' height='70' scrolling='no'></iframe>
 </body>
 <script>
 window.setTimeout(function() {
--- a/test/sanitize_test.html
+++ b/test/sanitize_test.html
@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <link rel='stylesheet' href='qunit/qunit.css' type='text/css'/>
+  <script type='text/javascript' src='../editor/jquery.js'></script>
+  <script type='text/javascript' src='../editor/browser.js'></script>
+  <script type='text/javascript' src='../editor/svgutils.js'></script>
+  <script type='text/javascript' src='../editor/sanitize.js'></script>
+  <script type='text/javascript' src='qunit/qunit.js'></script>  
+  <script type='text/javascript'>
+  $(function() {
+    // log function
+    QUnit.log = function(result, message) {
+      if (window.console && window.console.log) {
+        window.console.log(result +' :: '+ message);
+      }
+    };
+
+    var svgns = 'http://www.w3.org/2000/svg';
+    var svg = document.createElementNS(svgns, 'svg');
+  
+    test('Test sanitizeSvg() strips ws from style attr', function() {
+      expect(2);
+
+      var rect = document.createElementNS(svgns, 'rect');
+      rect.setAttribute('style', 'stroke: blue ;    stroke-width :    40;');
+      // sanitizeSvg() requires the node to have a parent and a document.
+      svg.appendChild(rect);
+      svgedit.sanitize.sanitizeSvg(rect);
+
+      equals(rect.getAttribute('stroke'), 'blue');
+      equals(rect.getAttribute('stroke-width'), '40');
+    });
+
+  });
+  </script>
+</head>  
+<body>  
+  <h1 id='qunit-header'>Unit Tests for sanitize.js</h1>
+  <h2 id='qunit-banner'></h2>
+  <h2 id='qunit-userAgent'></h2>
+  <ol id='qunit-tests'>
+  </ol>
+  <div id='anchor' style='visibility:hidden'>
+  </div>
+</body>  
+</html>