govspeak 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/lib/govspeak.rb +4 -0
- data/lib/govspeak/version.rb +1 -1
- data/test/govspeak_test.rb +5 -0
- data/test/html_sanitizer_test.rb +30 -0
- data/test/html_validator_test.rb +1 -1
- metadata +5 -3
data/lib/govspeak.rb
CHANGED
data/lib/govspeak/version.rb
CHANGED
data/test/govspeak_test.rb
CHANGED
|
@@ -432,6 +432,11 @@ $CTA
|
|
|
432
432
|
end
|
|
433
433
|
end
|
|
434
434
|
|
|
435
|
+
test "can sanitize a document" do
|
|
436
|
+
document = Govspeak::Document.new("<script>doBadThings();</script>")
|
|
437
|
+
assert_equal "doBadThings();", document.to_sanitized_html
|
|
438
|
+
end
|
|
439
|
+
|
|
435
440
|
test "identifies a Govspeak document containing malicious HTML as invalid" do
|
|
436
441
|
document = Govspeak::Document.new("<script>doBadThings();</script>")
|
|
437
442
|
refute document.valid?
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
require "test_helper"
|
|
2
|
+
|
|
3
|
+
class HtmlSanitizerTest < Test::Unit::TestCase
|
|
4
|
+
|
|
5
|
+
test "disallow a script tag" do
|
|
6
|
+
html = "<script>alert('XSS')</script>"
|
|
7
|
+
assert_equal "alert('XSS')", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
test "disallow a javascript protocol in an attribute" do
|
|
11
|
+
html = %q{<a href="javascript:alert(document.location);"
|
|
12
|
+
title="Title">an example</a>}
|
|
13
|
+
assert_equal "<a title=\"Title\">an example</a>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
test "disallow on* attributes" do
|
|
17
|
+
html = %q{<a href="/" onclick="alert('xss');">Link</a>}
|
|
18
|
+
assert_equal "<a href=\"/\">Link</a>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
test "allow non-JS HTML content" do
|
|
22
|
+
html = "<a href='foo'>"
|
|
23
|
+
assert_equal "<a href=\"foo\"></a>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
test "keep things that should be HTML entities" do
|
|
27
|
+
html = "Fortnum & Mason"
|
|
28
|
+
assert_equal "Fortnum & Mason", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
29
|
+
end
|
|
30
|
+
end
|
data/test/html_validator_test.rb
CHANGED
metadata
CHANGED
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
name: govspeak
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease:
|
|
5
|
-
version: 1.
|
|
5
|
+
version: 1.2.0
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
8
8
|
- Ben Griffiths
|
|
@@ -112,6 +112,7 @@ files:
|
|
|
112
112
|
- README.md
|
|
113
113
|
- Gemfile
|
|
114
114
|
- Rakefile
|
|
115
|
+
- test/html_sanitizer_test.rb
|
|
115
116
|
- test/html_validator_test.rb
|
|
116
117
|
- test/govspeak_test_helper.rb
|
|
117
118
|
- test/govspeak_test.rb
|
|
@@ -129,7 +130,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
129
130
|
requirements:
|
|
130
131
|
- - ">="
|
|
131
132
|
- !ruby/object:Gem::Version
|
|
132
|
-
hash:
|
|
133
|
+
hash: 2266013611251793811
|
|
133
134
|
segments:
|
|
134
135
|
- 0
|
|
135
136
|
version: "0"
|
|
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
138
139
|
requirements:
|
|
139
140
|
- - ">="
|
|
140
141
|
- !ruby/object:Gem::Version
|
|
141
|
-
hash:
|
|
142
|
+
hash: 2266013611251793811
|
|
142
143
|
segments:
|
|
143
144
|
- 0
|
|
144
145
|
version: "0"
|
|
@@ -150,6 +151,7 @@ signing_key:
|
|
|
150
151
|
specification_version: 3
|
|
151
152
|
summary: Markup language for single domain
|
|
152
153
|
test_files:
|
|
154
|
+
- test/html_sanitizer_test.rb
|
|
153
155
|
- test/html_validator_test.rb
|
|
154
156
|
- test/govspeak_test_helper.rb
|
|
155
157
|
- test/govspeak_test.rb
|