Fix issue 1052: Properly parse the style attribute during sanitization

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2376 eee81c28-f429-11dd-99c0-75d572ba1ddd
master
Jeff Schiller 2013-02-13 15:04:58 +00:00
parent bc84fac91b
commit 936d9cc362
3 changed files with 55 additions and 4 deletions


@ -8,8 +8,9 @@
*/ */
// Dependencies: // Dependencies:
// 1) browser.js // 1) jQuery
// 2) svgutils.js // 2) browser.js
// 3) svgutils.js
var svgedit = svgedit || {}; var svgedit = svgedit || {};
@ -199,9 +200,11 @@ svgedit.sanitize.sanitizeSvg = function(node) {
p = props.length; p = props.length;
while(p--) { while(p--) {
var nv = props[p].split(":"); var nv = props[p].split(":");
var attrname = $.trim(nv[0]);
var attrval = $.trim(nv[1]);
// now check that this attribute is supported // now check that this attribute is supported
if (allowedAttrs.indexOf(nv[0]) >= 0) { if (allowedAttrs.indexOf(attrname) >= 0) {
node.setAttribute(nv[0],nv[1]); node.setAttribute(attrname, attrval);
} }
} }
node.removeAttribute('style'); node.removeAttribute('style');
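Review bot: `props[p].split(":")` in the style loop still keeps only `nv[1]`, so a declaration whose value itself contains a colon (a `url(...)` reference with a scheme, for example) is cut at that colon, and the truncated text is what `node.setAttribute(attrname, attrval)` writes. Splitting at the first colon only avoids that: `var i = props[p].indexOf(":");`, `var attrname = $.trim(props[p].substring(0, i));`, `var attrval = $.trim(props[p].substring(i + 1));`. A segment with no colon then gives `i === -1` and should be skipped before the `allowedAttrs` lookup. The rest of `sanitizeSvg` lies outside the hunk, so it is not visible here whether values moved out of `style` get the same reference checks as attributes present from the start; that is worth confirming, since this path creates attributes during sanitization.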


@ -15,6 +15,7 @@
<iframe src='draw_test.html' width='100%' height='70' scrolling='no'></iframe> <iframe src='draw_test.html' width='100%' height='70' scrolling='no'></iframe>
<iframe src='units_test.html' width='100%' height='70' scrolling='no'></iframe> <iframe src='units_test.html' width='100%' height='70' scrolling='no'></iframe>
<iframe src='path_test.html' width='100%' height='70' scrolling='no'></iframe> <iframe src='path_test.html' width='100%' height='70' scrolling='no'></iframe>
<iframe src='sanitize_test.html' width='100%' height='70' scrolling='no'></iframe>
</body> </body>
<script> <script>
window.setTimeout(function() { window.setTimeout(function() {

47
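--- a/test/sanitize_test.html
+++ b/test/sanitize_test.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html>
+<html>
+<head>
+<link rel='stylesheet' href='qunit/qunit.css' type='text/css'/>
+<script type='text/javascript' src='../editor/jquery.js'></script>
+<script type='text/javascript' src='../editor/browser.js'></script>
+<script type='text/javascript' src='../editor/svgutils.js'></script>
+<script type='text/javascript' src='../editor/sanitize.js'></script>
+<script type='text/javascript' src='qunit/qunit.js'></script>
+<script type='text/javascript'>
+$(function() {
+// log function
+QUnit.log = function(result, message) {
+if (window.console && window.console.log) {
+window.console.log(result +' :: '+ message);
+}
+};
+var svgns = 'http://www.w3.org/2000/svg';
+var svg = document.createElementNS(svgns, 'svg');
+test('Test sanitizeSvg() strips ws from style attr', function() {
+expect(2);
+var rect = document.createElementNS(svgns, 'rect');
+rect.setAttribute('style', 'stroke: blue ; stroke-width : 40;');
+// sanitizeSvg() requires the node to have a parent and a document.
+svg.appendChild(rect);
+svgedit.sanitize.sanitizeSvg(rect);
+equals(rect.getAttribute('stroke'), 'blue');
+equals(rect.getAttribute('stroke-width'), '40');
+});
+});
+</script>
+</head>
+<body>
+<h1 id='qunit-header'>Unit Tests for sanitize.js</h1>
+<h2 id='qunit-banner'></h2>
+<h2 id='qunit-userAgent'></h2>
+<ol id='qunit-tests'>
+</ol>
+<div id='anchor' style='visibility:hidden'>
+</div>
+</body>
+</html>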
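Review bot: The new test exercises only the accept path of `sanitizeSvg()`; for a sanitizer the reject path is the one that most needs pinning. Neither the removal of the `style` attribute nor the dropping of a property outside the allow-list is asserted. Adding a made-up declaration to the input, e.g. `'stroke: blue ; stroke-width : 40; not-a-real-prop: 1;'`, and asserting `ok(!rect.hasAttribute('not-a-real-prop'));` and `ok(!rect.hasAttribute('style'));` (with `expect(4)`) would cover both.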