govspeak 3.5.2 → 3.6.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 62bbf045a81a14edccdebbc6f9bfe8b16053fe83
4
- data.tar.gz: 51b63bd95386ba9a1409b8aeab3f9fed85dc169f
3
+ metadata.gz: 88204b81285c071614cae4cdbc7933647c408ec7
4
+ data.tar.gz: 4927a7e014000868d29574ef257eda8d3fadd012
5
5
  SHA512:
6
- metadata.gz: 144b044eaac74204158ab084b8aa65faa911b0f1f37aee17037950a3a6f89b0da67f2813e448bbeb435429db02fe15db0c087c9ad114d396643ea030ad7e98df
7
- data.tar.gz: 2bbad23f71d71361666a73fb59a93eea150134c5e3239c93ed9726e1c6894de96184ae88a2628b9f3201440d98411bc13486d4ddb298eb5a4510da74f1e1e1c6
6
+ metadata.gz: 220d392cd52c2ee77f44e3ba65af87a143b14706339c99ec13bbd32063c1933e3079f82512f2941a6720923a9e0449a100fd31ddf624fd2b2b6d30edbcdda3ed
7
+ data.tar.gz: 76327a9e3df12548d9edeafe83646102374044757dec3d98b1805dba514b897e0bbb56ab0a3fb992888936f05b6393da263ba6f0f8cc11fedd40ec348713e413
data/CHANGELOG.md CHANGED
@@ -1,3 +1,8 @@
1
+ ## 3.6.0
2
+
3
+ * Update minimum Kramdown version from 1.5.0 to 1.10.0 ([changelog](https://github.com/gettalong/kramdown/tree/2cd02dfacda041d3108a039e085f804645a9d538/doc/news))
4
+ * Allow table columns to be left, right or centre aligned using the [standard markdown pattern](http://kramdown.gettalong.org/quickref.html#tables) provided by Kramdown
5
+
1
6
  ## 3.5.2
2
7
 
3
8
  * Fix a couple of issues with the [header_extractor](https://github.com/alphagov/govspeak/blob/master/lib/govspeak/header_extractor.rb). The method now picks up headers nested inside `blocks`, and when ID's are [explicitly set](http://kramdown.gettalong.org/syntax.html#specifying-a-header-id). See [https://github.com/alphagov/govspeak/pull/66](https://github.com/alphagov/govspeak/pull/66) for more.
@@ -21,13 +21,26 @@ class Govspeak::HtmlSanitizer
21
21
  end
22
22
  end
23
23
 
24
+ class TableCellTextAlignWhitelister
25
+ def call(sanitize_context)
26
+ return unless ["td", "th"].include?(sanitize_context[:node_name])
27
+ node = sanitize_context[:node]
28
+
29
+ # Kramdown uses text-align to allow table cells to be aligned
30
+ # http://kramdown.gettalong.org/quickref.html#tables
31
+ unless node['style'].match(/^text-align:\s*(center|left|right)$/)
32
+ node.remove_attribute('style')
33
+ end
34
+ end
35
+ end
36
+
24
37
  def initialize(dirty_html, options = {})
25
38
  @dirty_html = dirty_html
26
39
  @allowed_image_hosts = options[:allowed_image_hosts]
27
40
  end
28
41
 
29
42
  def sanitize
30
- transformers = []
43
+ transformers = [TableCellTextAlignWhitelister.new]
31
44
  if @allowed_image_hosts && @allowed_image_hosts.any?
32
45
  transformers << ImageSourceWhitelister.new(@allowed_image_hosts)
33
46
  end
@@ -45,6 +58,8 @@ class Govspeak::HtmlSanitizer
45
58
  attributes: {
46
59
  :all => Sanitize::Config::RELAXED[:attributes][:all] + [ "id", "class", "role", "aria-label" ],
47
60
  "a" => Sanitize::Config::RELAXED[:attributes]["a"] + [ "rel" ],
61
+ "th" => Sanitize::Config::RELAXED[:attributes]["th"] + [ "style" ],
62
+ "td" => Sanitize::Config::RELAXED[:attributes]["td"] + [ "style" ],
48
63
  },
49
64
  elements: Sanitize::Config::RELAXED[:elements] + [ "div", "span", "aside" ],
50
65
  })
@@ -1,3 +1,3 @@
1
1
  module Govspeak
2
- VERSION = "3.5.2"
2
+ VERSION = "3.6.0"
3
3
  end
@@ -20,17 +20,17 @@ class GovspeakTest < Minitest::Test
20
20
 
21
21
  test "simple block extension" do
22
22
  rendered = Govspeak::Document.new("this \n{::reverse}\n*is*\n{:/reverse}\n markdown").to_html
23
- assert_equal "<p>this </p>\n\n<p><em>si</em></p>\n\n<p>markdown</p>\n", rendered
23
+ assert_equal "<p>this</p>\n\n<p><em>si</em></p>\n\n<p>markdown</p>\n", rendered
24
24
  end
25
25
 
26
26
  test "highlight-answer block extension" do
27
27
  rendered = Govspeak::Document.new("this \n{::highlight-answer}Lead in to *BIG TEXT*\n{:/highlight-answer}").to_html
28
- assert_equal %Q{<p>this </p>\n\n<div class="highlight-answer">\n<p>Lead in to <em>BIG TEXT</em></p>\n</div>\n}, rendered
28
+ assert_equal %Q{<p>this</p>\n\n<div class="highlight-answer">\n<p>Lead in to <em>BIG TEXT</em></p>\n</div>\n}, rendered
29
29
  end
30
30
 
31
31
  test "stat-headline block extension" do
32
32
  rendered = Govspeak::Document.new("this \n{stat-headline}*13.8bn* Age of the universe in years{/stat-headline}").to_html
33
- assert_equal %Q{<p>this </p>\n\n<aside class="stat-headline">\n<p><em>13.8bn</em> Age of the universe in years</p>\n</aside>\n}, rendered
33
+ assert_equal %Q{<p>this</p>\n\n<aside class="stat-headline">\n<p><em>13.8bn</em> Age of the universe in years</p>\n</aside>\n}, rendered
34
34
  end
35
35
 
36
36
  test "extracts headers with text, level and generated id" do
@@ -43,4 +43,22 @@ class HtmlSanitizerTest < Minitest::Test
43
43
  html = "<img src='http://example.com/image.jgp'>"
44
44
  assert_equal "", Govspeak::HtmlSanitizer.new(html).sanitize_without_images
45
45
  end
46
+
47
+ test "allows valid text-align properties on the style attribute for table cells and table headings" do
48
+ ["left", "right", "center"].each do |alignment|
49
+ html = "<td style=\"text-align: #{alignment}\">thing</td>"
50
+ assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
51
+ end
52
+
53
+ [
54
+ "width: 10000px",
55
+ "text-align: middle",
56
+ "text-align: left; width: 10px",
57
+ "background-image: url(javascript:alert('XSS'))",
58
+ "expression(alert('XSS'));"
59
+ ].each do |style|
60
+ html = "<td style=\"#{style}\">thing</td>"
61
+ assert_equal '<td>thing</td>', Govspeak::HtmlSanitizer.new(html).sanitize
62
+ end
63
+ end
46
64
  end
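Review bot: The new sanitizer test lists five rejected styles but omits two inputs that the transformer's regex makes worth pinning: a `td` or `th` with no `style` attribute at all (the transformer calls `match` on `node['style']`, which is nil in that case), and a style whose valid `text-align` declaration is followed by a newline, which `^`/`$` anchors accept line by line. Adding `"text-align: left\nwidth: 10px"` to the rejected list and a separate `assert_equal '<td>thing</td>', Govspeak::HtmlSanitizer.new('<td>thing</td>').sanitize` would cover both. The enclosing `HtmlSanitizerTest` class starts outside the hunk.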
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govspeak
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.5.2
4
+ version: 3.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Ben Griffiths
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2016-01-12 00:00:00.000000000 Z
12
+ date: 2016-05-03 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: kramdown
@@ -17,14 +17,14 @@ dependencies:
17
17
  requirements:
18
18
  - - "~>"
19
19
  - !ruby/object:Gem::Version
20
- version: 1.5.0
20
+ version: 1.10.0
21
21
  type: :runtime
22
22
  prerelease: false
23
23
  version_requirements: !ruby/object:Gem::Requirement
24
24
  requirements:
25
25
  - - "~>"
26
26
  - !ruby/object:Gem::Version
27
- version: 1.5.0
27
+ version: 1.10.0
28
28
  - !ruby/object:Gem::Dependency
29
29
  name: htmlentities
30
30
  requirement: !ruby/object:Gem::Requirement