From 8a32bff3990f4039e04bbdf612d73e46b006179c Mon Sep 17 00:00:00 2001
From: Andreas Stephanides
Date: Wed, 29 Apr 2015 16:07:39 +0200
Subject: [PATCH] sanitize document
---
 app/controllers/documents_controller.rb | 7 ++++++-
 app/models/document.rb | 12 ++++++++++++
 app/views/documents/show.html.erb | 5 ++++-
 config/routes.rb | 1 +
 4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/app/controllers/documents_controller.rb b/app/controllers/documents_controller.rb
index 2e16645..3e78959 100644
--- a/app/controllers/documents_controller.rb
+++ b/app/controllers/documents_controller.rb
@@ -24,7 +24,12 @@ class DocumentsController < ApplicationController
 format.html
 end
 end
-
+ def sanitize
+ @document = Document.find(params[:id])
+ @document.sanitize
+ @parent=@document.parent
+ render :write
+ end
 def show
 @document = Document.find(params[:id])
 respond_to do |format|
diff --git a/app/models/document.rb b/app/models/document.rb
index 9ee5526..f49bc18 100644
--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -45,7 +45,19 @@ class Document < ActiveRecord::Base
 Rails.logger.puts(serr.read)
 file
 end
+ def sanitize
+ trans_icons= lambda do |env|
+ node=env[:node]
+ node_name=env[:node_name]
+ return if env[:is_whitelisted] || !node.element?
+ return unless node_name == 'span'
+ # return unless node["class"] =~ /.*ffi.*/
+ Sanitize.node!(node,{:elements=>["span"],:attributes=>{"span"=>["class","style"]},:css=>{:properties=>["color"]}})
+ {:node_whitelist=>[node]}
+ end
+ self.text = Sanitize.fragment(self.text, {:elements=>['table','tr','td','p','h1','h2','h3','h4','h5','a','th','img','ul','li','i','b','em','pre','code'],:attributes=>{'p'=>['class'],'table'=>['class'],'a'=>['href','data'],'img'=>['src','width','height'],:all=>['class']},:css=>{:properties=>['float']},:transformers=>[trans_icons]})
+ end
 def ether
 if @ep.nil?
diff --git a/app/views/documents/show.html.erb b/app/views/documents/show.html.erb
index 2d51a43..9c5388c 100644
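Review bot: The new `sanitize` action loads the record with `Document.find(params[:id])` and never authorizes it, so the `can? :sanitize, @document` guard the view hunk wraps around the link is the only check; unless a `load_and_authorize_resource` filter exists in the part of the controller outside this hunk, any user who knows an id can trigger it. Add `authorize! :sanitize, @document` directly after the find so the action enforces the same ability the view consults. The action also only rewrites `@document.text` in memory and then renders `:write`, so nothing is persisted until the user submits that form; a comment such as `# preview: shows the sanitized text in the editor, the user still has to save` would make that intent explicit. The enclosing class starts outside the hunk.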
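Review bot: The `Sanitize.fragment` config in `Document#sanitize` allows `href` on `a` and `src` on `img` but has no `:protocols` entry, and Sanitize only filters URL schemes for attributes listed there, so `javascript:` and `data:` URLs survive and are later emitted unescaped by `raw(@document.text)` in the show view. Add, next to the existing `:attributes` key, `:protocols=>{'a'=>{'href'=>['http','https','mailto',:relative]},'img'=>{'src'=>['http','https',:relative]}}`. The commented-out `# return unless node["class"] =~ /.*ffi.*/` line should be either restored or deleted: as written the `trans_icons` transformer allowlists every `span` carrying a `style` attribute, not only icon spans, which looks wider than the lambda's name suggests. The enclosing class continues outside the hunk.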
--- a/app/views/documents/show.html.erb
+++ b/app/views/documents/show.html.erb
@@ -2,6 +2,8 @@
 <%= link_to "Back to parent" , @document.parent, class: "btn" %>
<%= link_to "PDF", document_path(@document, :format=>"pdf"),class: "btn" %>
+<%= link_to "sanitize", document_path(@document),class: "btn" if can? :sanitize, @document %>
+ <%= link_to ff_icon("icon-pencil") + "Edit", write_document_path(@document), class: "btn" %>
 <%= link_to ff_icon("icon-refresh")+"Refresh from Etherpad", read_from_etherpad_document_path(@document), class: "btn" if @document.is_etherpad? %>
 <%= link_to "Copy Document to Etherpad", dump_to_etherpad_document_path(@document) , confirm: "Sicher? Löscht alle Änderungen im Etherpad" , class: "btn" %>
@@ -9,11 +11,12 @@
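Review bot: The added "sanitize" link targets `document_path(@document)`, which is the `show` route, so clicking it never reaches the `sanitize` action this commit adds to `DocumentsController`; it should use the helper for the route added in `config/routes.rb` (that hunk is not in this chunk, presumably a member route whose helper would be `sanitize_document_path(@document)`). The `can? :sanitize, @document` modifier only hides the button and is not a substitute for an `authorize!` call inside the action itself.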
+

<%= @document.name %>

<%= raw(@document.text) %>
- +
<% if can?(:edit, @document) %>