Improve blocking of characters not allowed in XML
authorTom Hughes <tom@compton.nu>
Wed, 18 Jun 2014 23:25:18 +0000 (00:25 +0100)
committerTom Hughes <tom@compton.nu>
Wed, 18 Jun 2014 23:25:18 +0000 (00:25 +0100)
app/controllers/amf_controller.rb
app/models/user.rb
test/models/user_test.rb

index 57eb282..ad337d8 100644 (file)
@@ -551,7 +551,7 @@ class AmfController < ApplicationController
             mid = renumberedways[mid] if m[0] == 'Way'
           end
           if mid
-            typedmembers << [m[0], mid, m[2].delete("\000-\037", "^\011\012\015")]
+            typedmembers << [m[0], mid, m[2].delete("\000-\037\ufffe\uffff", "^\011\012\015")]
           end
         end
 
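Review bot: The character spec `"\000-\037\ufffe\uffff"` together with the keep-set `"^\011\012\015"` is now spelled out inline in three places — the typedmembers line here and the two `delete` calls on tag keys and values in the second hunk of this file — so the next XML-validity fix has to be repeated three times. I would hoist both into frozen class-level constants (defined outside this hunk), e.g. `XML_INVALID_CHARS = "\000-\037\ufffe\uffff".freeze` and `XML_KEEP_CHARS = "^\011\012\015".freeze`, write `m[2].delete(XML_INVALID_CHARS, XML_KEEP_CHARS)`, and comment that the intersection of the two sets strips C0 controls other than tab/LF/CR plus U+FFFE/U+FFFF, none of which XML 1.0 permits. Note that `String#delete` raises ArgumentError on a string whose bytes are not valid in its encoding, so presumably an AMF payload that is not well-formed UTF-8 still errors here rather than being sanitised — worth confirming what encoding `m[2]` arrives with. The enclosing method starts and ends outside the hunk.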
@@ -886,8 +886,8 @@ class AmfController < ApplicationController
     new_tags = Hash.new
     unless tags.nil?
       tags.each do |k, v|
-        new_k = k.delete "\000-\037", "^\011\012\015"
-        new_v = v.delete "\000-\037", "^\011\012\015"
+        new_k = k.delete "\000-\037\ufffe\uffff", "^\011\012\015"
+        new_v = v.delete "\000-\037\ufffe\uffff", "^\011\012\015"
         new_tags[new_k] = new_v
       end
     end
index 9bfb967..81154ff 100644 (file)
@@ -42,7 +42,7 @@ class User < ActiveRecord::Base
   validates_length_of :display_name, :within => 3..255, :allow_nil => true
   validates_email_format_of :email, :if => Proc.new { |u| u.email_changed? }
   validates_email_format_of :new_email, :allow_blank => true, :if => Proc.new { |u| u.new_email_changed? }
-  validates_format_of :display_name, :with => /\A[^\x00-\x1f\x7f\/;.,?%#]*\z/, :if => Proc.new { |u| u.display_name_changed? }
+  validates_format_of :display_name, :with => /\A[^\x00-\x1f\x7f\ufffe\uffff\/;.,?%#]*\z/, :if => Proc.new { |u| u.display_name_changed? }
   validates_format_of :display_name, :with => /\A\S/, :message => "has leading whitespace", :if => Proc.new { |u| u.display_name_changed? }
   validates_format_of :display_name, :with => /\S\z/, :message => "has trailing whitespace", :if => Proc.new { |u| u.display_name_changed? }
   validates_numericality_of :home_lat, :allow_nil => true
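Review bot: The rejected-character class in the new regex carries no explanation of why `\ufffe` and `\uffff` now sit beside the C0 controls and `\x7f`, and a reader without the commit message cannot tell which parts of the class are XML constraints and which are something else; a comment above the line such as `# Reject C0 controls, DEL, and U+FFFE/U+FFFF (the last two are not allowed in XML 1.0), plus the punctuation below` would keep that reasoning next to the rule. The reason for excluding `/;.,?%#` is not visible in this hunk, so that part of the comment should be worded after confirming it. Note that `\x7f` is itself permitted by XML 1.0, so the comment should not attribute it to XML. The `\A`/`\z` anchors are the right ones for whole-string validation.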
index 15bd64c..5e03c7e 100644 (file)
@@ -87,7 +87,7 @@ class UserTest < ActiveSupport::TestCase
     # should be used.
     bad = [ "<hr/>", "test@example.com", "s/f", "aa/", "aa;", "aa.",
             "aa,", "aa?", "/;.,?", "も対応します/", "#ping",
-            "foo\x1fbar", "foo\x7fbar" ]
+            "foo\x1fbar", "foo\x7fbar", "foo\ufffebar", "foo\uffffbar" ]
     ok.each do |display_name|
       user = users(:normal_user)
       user.display_name = display_name
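Review bot: The two new bad cases pin the User validation, but nothing in the commit exercises the matching `delete` changes in app/controllers/amf_controller.rb, so the controller-side stripping of `\ufffe`/`\uffff` from tags and relation members can regress silently; a controller test that sends a tag value such as `"foo\ufffebar"` through the tag-sanitising path and asserts the stored value is `"foobar"` would close that gap. It would also be worth adding `"foo\ufffdbar"` to the `ok` list (presumably defined above this hunk), since U+FFFD is the last character XML 1.0 allows before U+FFFE and that case checks the boundary is not off by one. The enclosing test method starts before this hunk.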