govspeak 1.1.0 → 1.2.0

data/lib/govspeak.rb CHANGED
@@ -36,6 +36,10 @@ module Govspeak
36
36
  kramdown_doc.to_html
37
37
  end
38
38
 
39
+ def to_sanitized_html
40
+ HtmlSanitizer.new(to_html).sanitize
41
+ end
42
+
39
43
  def to_text
40
44
  HTMLEntities.new.decode(to_html.gsub(/(?:<[^>]+>|\s)+/, " ").strip)
41
45
  end
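Review bot: `to_sanitized_html` references a `HtmlSanitizer` constant whose definition appears nowhere in this diff, and the `metadata` hunks add only `test/html_sanitizer_test.rb` to `files:` (the `@@ -112,6 +112,7 @@` header shows no earlier insertions either), so if the class lives in a new `lib/govspeak/html_sanitizer.rb` it would presumably not be packaged in the built gem and this method would fail with NameError at runtime; worth confirming the file is listed before release. The method also carries no documentation: a one-line comment such as `# Render the document to HTML and sanitize the rendered output (not the Govspeak source).` would make the order of operations explicit for callers choosing between `valid?` and this method. The enclosing class begins and ends outside this hunk.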
@@ -1,3 +1,3 @@
1
1
  module Govspeak
2
- VERSION = "1.1.0"
2
+ VERSION = "1.2.0"
3
3
  end
@@ -432,6 +432,11 @@ $CTA
432
432
  end
433
433
  end
434
434
 
435
+ test "can sanitize a document" do
436
+ document = Govspeak::Document.new("<script>doBadThings();</script>")
437
+ assert_equal "doBadThings();", document.to_sanitized_html
438
+ end
439
+
435
440
  test "identifies a Govspeak document containing malicious HTML as invalid" do
436
441
  document = Govspeak::Document.new("<script>doBadThings();</script>")
437
442
  refute document.valid?
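Review bot: The new assertion pins `"doBadThings();"` as the sanitized output, i.e. the `<script>` element is stripped but its body is kept as visible text; if that is the intended contract it should be stated, because a reader would otherwise expect the whole element including its content to be dropped, and the retained text ends up in rendered pages. Suggest adding `# The sanitizer removes disallowed tags but keeps their text content; this pins that behaviour.` above the test. The `disallow a script tag` case in the new `test/html_sanitizer_test.rb` hunk below asserts the same contract with `alert('XSS')` and would carry the same comment. The test class begins and ends outside this hunk.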
@@ -0,0 +1,30 @@
1
+ require "test_helper"
2
+
3
+ class HtmlSanitizerTest < Test::Unit::TestCase
4
+
5
+ test "disallow a script tag" do
6
+ html = "<script>alert('XSS')</script>"
7
+ assert_equal "alert('XSS')", Govspeak::HtmlSanitizer.new(html).sanitize
8
+ end
9
+
10
+ test "disallow a javascript protocol in an attribute" do
11
+ html = %q{<a href="javascript:alert(document.location);"
12
+ title="Title">an example</a>}
13
+ assert_equal "<a title=\"Title\">an example</a>", Govspeak::HtmlSanitizer.new(html).sanitize
14
+ end
15
+
16
+ test "disallow on* attributes" do
17
+ html = %q{<a href="/" onclick="alert('xss');">Link</a>}
18
+ assert_equal "<a href=\"/\">Link</a>", Govspeak::HtmlSanitizer.new(html).sanitize
19
+ end
20
+
21
+ test "allow non-JS HTML content" do
22
+ html = "<a href='foo'>"
23
+ assert_equal "<a href=\"foo\"></a>", Govspeak::HtmlSanitizer.new(html).sanitize
24
+ end
25
+
26
+ test "keep things that should be HTML entities" do
27
+ html = "Fortnum & Mason"
28
+ assert_equal "Fortnum &amp; Mason", Govspeak::HtmlSanitizer.new(html).sanitize
29
+ end
30
+ end
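Review bot: The expected strings on the `assert_equal` lines escape every double quote inside a double-quoted literal (`"<a href=\"/\">Link</a>"`), while the inputs two lines above already use `%q{...}`; writing the expectations the same way, e.g. `assert_equal %q{<a href="/">Link</a>}, Govspeak::HtmlSanitizer.new(html).sanitize`, keeps the file consistent and easier to read. Coverage-wise, the `on*` and `javascript:` cases are only exercised on an `<a href>`, so the suite does not document whether the same rules apply to other elements and attributes the sanitizer allows; a short comment on the class stating the intended scope of the sanitizer would help future maintainers.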
@@ -57,7 +57,7 @@ class HtmlValidatorTest < Test::Unit::TestCase
57
57
  end
58
58
  end
59
59
 
60
- test "disallow a script tags" do
60
+ test "disallow a script tag" do
61
61
  assert Govspeak::HtmlValidator.new("<script>alert('XSS')</script>").invalid?
62
62
  end
63
63
 
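--- a/metadata
+++ b/metadata
@@ -2,7 +2,7 @@
  name: govspeak
  version: !ruby/object:Gem::Version
  prerelease:
- version: 1.1.0
+ version: 1.2.0
  platform: ruby
  authors:
  - Ben Griffiths
@@ -112,6 +112,7 @@ files:
  - README.md
  - Gemfile
  - Rakefile
+ - test/html_sanitizer_test.rb
  - test/html_validator_test.rb
  - test/govspeak_test_helper.rb
  - test/govspeak_test.rb
@@ -129,7 +130,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- hash: 2687403366774857492
+ hash: 2266013611251793811
  segments:
  - 0
  version: "0"
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  requirements:
  - - ">="
  - !ruby/object:Gem::Version
- hash: 2687403366774857492
+ hash: 2266013611251793811
  segments:
  - 0
  version: "0"
@@ -150,6 +151,7 @@ signing_key:
  specification_version: 3
  summary: Markup language for single domain
  test_files:
+ - test/html_sanitizer_test.rb
  - test/html_validator_test.rb
  - test/govspeak_test_helper.rb
  - test/govspeak_test.rb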