govspeak 6.4.0 → 6.5.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fbff4078955867159e914ac1dd26310ab9295a0618a58529b42b64c7e55399fd
-  data.tar.gz: ce83e999fab5cec2919c21b4561cf06a26c42056dde7c1740b04ca7b1df9d1df
+  metadata.gz: a09b3928e9718aa64cd781681dbc8ac51d8534ddc27b26f54e8416b21f60e501
+  data.tar.gz: f8b6da3c1bf3c3b4c7792263853837886b42f7dc6abe6346d81289695ea7986d
 SHA512:
-  metadata.gz: 1972d6f7430d74f570dd23e9e529e581460fb02b535c834abada9c1c14b4d59914ddfeedec8c6209e6992a303c44211c0759fd9592ab5e9be42b776824d5efcb
-  data.tar.gz: 139c744c3c51456f6ceac2b75f1cba186cdca54cf518b06b36768bd675560e00f9c95306228b076adadd6f08c6c2ad505447df42e5cce52095fc874bc4eeff21
+  metadata.gz: 9de09348513cfd10e76a9960bfe8012213a99447244cf9d89a2e3da8cb18f93b28e8b63dd63304de06c51a6e3b9e82bc5b1f2de43ff531dfb23f4832d1a18e0b
+  data.tar.gz: 0b464f824b1ff7f8ee77619d2dd1195a22c8777b79b675d9e7fbb1b88011075552f496b294e26d9b65908f2a26031de30ff93c1a12ba3a9743786a4219cfb2de

data/CHANGELOG.md

@@ -1,8 +1,30 @@
+## 6.5.4
+
+* Require Sanitize to be at least 5.2.1 due to https://nvd.nist.gov/vuln/detail/CVE-2020-4054
+
+## 6.5.3
+
+* Use button component for buttons (PR#176)
+
+## 6.5.2
+
+* Allow `data` attributes on `div` tags (PR#173)
+
+## 6.5.1
+
+* Change unicode testing characters after external gem change
+* Move from govuk-lint to rubocop-govuk
+* Allow version 6 of actionview
+
+## 6.5.0
+
+* Allow data attributes on links
+
 ## 6.4.0
 
- * Add table heading syntax that allows a table cell outside of `thead` to be marked as a table heading with a scope of row. (PR#161)
+* Add table heading syntax that allows a table cell outside of `thead` to be marked as a table heading with a scope of row. (PR#161)
 
- ## 6.3.0
+## 6.3.0
 
 * Unicode characters forbidden in HTML are stripped from input
 * Validation is now more lenient for HTML input

data/README.md

@@ -619,8 +619,7 @@ will output
 
 An accessible way to add button links into content, that can also allow cross domain tracking with [Google Analytics](https://support.google.com/analytics/answer/7372977?hl=en)
 
-This button component is [extended from static](http://govuk-static.herokuapp.com/component-guide/button) for [use in govspeak](http://govuk-static.herokuapp.com/component-guide/govspeak/button)
-Note: Ideally we'd use the original component directly but this currently isnt possible
+This button component uses the component from the [components gem](https://components.publishing.service.gov.uk/component-guide/button) for use in govspeak.
 
 You must use the [link](https://daringfireball.net/projects/markdown/syntax#link) syntax within the button tags.
 
@@ -635,7 +634,7 @@ To get the most basic button.
 which outputs
 
 ```html
-<a role="button" class="button" href="https://gov.uk/random">
+<a role="button" class="gem-c-button govuk-button" href="https://gov.uk/random">
   Continue
 </a>
 ```
@@ -649,8 +648,9 @@ To turn a button into a ['Start now' button](https://www.gov.uk/service-manual/d
 which outputs
 
 ```html
-<a role="button" class="button button-start" href="https://gov.uk/random">
+<a role="button" class="gem-c-button govuk-button govuk-button--start" href="https://gov.uk/random">
   Start Now
+  <svg class="govuk-button__start-icon" xmlns="http://www.w3.org/2000/svg" width="17.5" height="19" viewBox="0 0 33 40" role="presentation" focusable="false"><path fill="currentColor" d="M0 0h13l20 20-20 20H0l20-20z"></path></svg>
 </a>
 ```
 
@@ -667,12 +667,13 @@ which outputs
 ```html
 <a
   role="button"
-  class="button button-start"
+  class="gem-c-button govuk-button govuk-button--start"
   href="https://example.com/external-service/start-now"
   data-module="cross-domain-tracking"
   data-tracking-code="UA-XXXXXX-Y"
   data-tracking-name="govspeakButtonTracker"
 >
   Start Now
+  <svg class="govuk-button__start-icon" xmlns="http://www.w3.org/2000/svg" width="17.5" height="19" viewBox="0 0 33 40" role="presentation" focusable="false"><path fill="currentColor" d="M0 0h13l20 20-20 20H0l20-20z"></path></svg>
 </a>
 ```

data/Rakefile

@@ -7,7 +7,7 @@ Bundler::GemHelper.install_tasks
 desc "Run basic tests"
 Rake::TestTask.new("test") { |t|
   t.libs << "test"
-  t.pattern = 'test/*_test.rb'
+  t.pattern = "test/*_test.rb"
   t.verbose = true
   t.warning = true
 }

data/lib/govspeak.rb

@@ -1,32 +1,32 @@
-require 'active_support/core_ext/hash'
-require 'active_support/core_ext/array'
-require 'erb'
-require 'govuk_publishing_components'
-require 'htmlentities'
-require 'kramdown'
-require 'kramdown/parser/govuk'
-require 'nokogiri'
-require 'nokogumbo'
-require 'rinku'
-require 'sanitize'
-require 'govspeak/header_extractor'
-require 'govspeak/structured_header_extractor'
-require 'govspeak/html_validator'
-require 'govspeak/html_sanitizer'
-require 'govspeak/kramdown_overrides'
-require 'govspeak/blockquote_extra_quote_remover'
-require 'govspeak/post_processor'
-require 'govspeak/link_extractor'
-require 'govspeak/template_renderer'
-require 'govspeak/presenters/attachment_presenter'
-require 'govspeak/presenters/contact_presenter'
-require 'govspeak/presenters/h_card_presenter'
-require 'govspeak/presenters/image_presenter'
-require 'govspeak/presenters/attachment_image_presenter'
+require "active_support/core_ext/hash"
+require "active_support/core_ext/array"
+require "erb"
+require "govuk_publishing_components"
+require "htmlentities"
+require "kramdown"
+require "kramdown/parser/govuk"
+require "nokogiri"
+require "nokogumbo"
+require "rinku"
+require "sanitize"
+require "govspeak/header_extractor"
+require "govspeak/structured_header_extractor"
+require "govspeak/html_validator"
+require "govspeak/html_sanitizer"
+require "govspeak/kramdown_overrides"
+require "govspeak/blockquote_extra_quote_remover"
+require "govspeak/post_processor"
+require "govspeak/link_extractor"
+require "govspeak/template_renderer"
+require "govspeak/presenters/attachment_presenter"
+require "govspeak/presenters/contact_presenter"
+require "govspeak/presenters/h_card_presenter"
+require "govspeak/presenters/image_presenter"
+require "govspeak/presenters/attachment_image_presenter"
 
 module Govspeak
   def self.root
-    File.expand_path('..', File.dirname(__FILE__))
+    File.expand_path("..", File.dirname(__FILE__))
   end
 
   class Document
@@ -44,8 +44,8 @@ module Govspeak
       new(source, options).to_html
     end
 
-    def self.extensions
-      @extensions
+    class << self
+      attr_reader :extensions
     end
 
     def initialize(source, options = {})
@@ -118,7 +118,7 @@ module Govspeak
     def remove_forbidden_characters(source)
       # These are characters that are not deemed not suitable for
       # markup: https://www.w3.org/TR/unicode-xml/#Charlist
-      source.gsub(Sanitize::REGEX_UNSUITABLE_CHARS, '')
+      source.gsub(Sanitize::REGEX_UNSUITABLE_CHARS, "")
     end
 
     def self.extension(title, regexp = nil, &block)
@@ -147,7 +147,7 @@ module Govspeak
       parser.new(body.strip).to_html.sub(/^<p>(.*)<\/p>$/, "<p><strong>\\1</strong></p>")
     end
 
-    extension('button', %r{
+    extension("button", %r{
       (?:\r|\n|^) # non-capturing match to make sure start of line and linebreak
       {button(.*?)} # match opening bracket and capture attributes
         \s* # any whitespace between opening bracket and link
@@ -161,10 +161,10 @@ module Govspeak
       {\/button} # match ending bracket
       (?:\r|\n|$) # non-capturing match to make sure end of line and linebreak
     }x) { |attributes, text, href|
-      button_classes = "button"
-      button_classes << " button-start" if attributes =~ /start/
+      button_classes = "govuk-button"
       /cross-domain-tracking:(?<cross_domain_tracking>.[^\s*]+)/ =~ attributes
       data_attribute = ""
+      data_attribute << " data-start='true'" if attributes =~ /start/
       if cross_domain_tracking
         data_attribute << " data-module='cross-domain-tracking'"
         data_attribute << " data-tracking-code='#{cross_domain_tracking.strip}'"
@@ -176,51 +176,51 @@ module Govspeak
       %{\n<a role="button" class="#{button_classes}" href="#{href}" #{data_attribute}>#{text}</a>\n}
     }
 
-    extension('highlight-answer') { |body|
+    extension("highlight-answer") { |body|
       %{\n\n<div class="highlight-answer">
 #{Govspeak::Document.new(body.strip).to_html}</div>\n}
     }
 
-    extension('stat-headline', %r${stat-headline}(.*?){/stat-headline}$m) { |body|
+    extension("stat-headline", %r${stat-headline}(.*?){/stat-headline}$m) { |body|
       %{\n\n<aside class="stat-headline">
 #{Govspeak::Document.new(body.strip).to_html}</aside>\n}
     }
 
     # FIXME: these surrounded_by arguments look dodgy
-    extension('external', surrounded_by("x[", ")x")) { |body|
+    extension("external", surrounded_by("x[", ")x")) { |body|
       Kramdown::Document.new("[#{body.strip}){:rel='external'}").to_html
     }
 
-    extension('informational', surrounded_by("^")) { |body|
+    extension("informational", surrounded_by("^")) { |body|
       %{\n\n<div role="note" aria-label="Information" class="application-notice info-notice">
 #{Govspeak::Document.new(body.strip).to_html}</div>\n}
     }
 
-    extension('important', surrounded_by("@")) { |body|
+    extension("important", surrounded_by("@")) { |body|
       %{\n\n<div role="note" aria-label="Important" class="advisory">#{insert_strong_inside_p(body)}</div>\n}
     }
 
-    extension('helpful', surrounded_by("%")) { |body|
+    extension("helpful", surrounded_by("%")) { |body|
       %{\n\n<div role="note" aria-label="Warning" class="application-notice help-notice">\n#{Govspeak::Document.new(body.strip).to_html}</div>\n}
     }
 
-    extension('barchart', /{barchart(.*?)}/) do |captures|
-      stacked = '.mc-stacked' if captures.include? 'stacked'
-      compact = '.compact' if captures.include? 'compact'
-      negative = '.mc-negative' if captures.include? 'negative'
+    extension("barchart", /{barchart(.*?)}/) do |captures|
+      stacked = ".mc-stacked" if captures.include? "stacked"
+      compact = ".compact" if captures.include? "compact"
+      negative = ".mc-negative" if captures.include? "negative"
 
       [
-       '{:',
-       '.js-barchart-table',
+       "{:",
+       ".js-barchart-table",
        stacked,
        compact,
        negative,
-       '.mc-auto-outdent',
-       '}'
-      ].join(' ')
+       ".mc-auto-outdent",
+       "}",
+      ].join(" ")
     end
 
-    extension('attached-image', /^!!([0-9]+)/) do |image_number|
+    extension("attached-image", /^!!([0-9]+)/) do |image_number|
       image = images[image_number.to_i - 1]
       next "" unless image
 
@@ -228,7 +228,7 @@ module Govspeak
     end
 
     # DEPRECATED: use 'AttachmentLink:attachment-id' instead
-    extension('embed attachment inline', /\[embed:attachments:inline:\s*(.*?)\s*\]/) do |content_id|
+    extension("embed attachment inline", /\[embed:attachments:inline:\s*(.*?)\s*\]/) do |content_id|
       attachment = attachments.detect { |a| a[:content_id] == content_id }
       next "" unless attachment
 
@@ -243,7 +243,7 @@ module Govspeak
     end
 
     # DEPRECATED: use 'Image:image-id' instead
-    extension('attachment image', /\[embed:attachments:image:\s*(.*?)\s*\]/) do |content_id|
+    extension("attachment image", /\[embed:attachments:image:\s*(.*?)\s*\]/) do |content_id|
       attachment = attachments.detect { |a| a[:content_id] == content_id }
       next "" unless attachment
 
@@ -266,29 +266,29 @@ module Govspeak
       lines << %{<figure#{id_attr} class="image embedded">}
       lines << %{<div class="img"><img src="#{encode(image.url)}" alt="#{encode(image.alt_text)}"></div>}
       lines << image.figcaption_html if image.figcaption?
-      lines << '</figure>'
+      lines << "</figure>"
       lines.join
     end
 
-    wrap_with_div('summary', '$!')
-    wrap_with_div('form-download', '$D')
-    wrap_with_div('contact', '$C')
-    wrap_with_div('place', '$P', Govspeak::Document)
-    wrap_with_div('information', '$I', Govspeak::Document)
-    wrap_with_div('additional-information', '$AI')
-    wrap_with_div('example', '$E', Govspeak::Document)
-    wrap_with_div('call-to-action', '$CTA', Govspeak::Document)
+    wrap_with_div("summary", "$!")
+    wrap_with_div("form-download", "$D")
+    wrap_with_div("contact", "$C")
+    wrap_with_div("place", "$P", Govspeak::Document)
+    wrap_with_div("information", "$I", Govspeak::Document)
+    wrap_with_div("additional-information", "$AI")
+    wrap_with_div("example", "$E", Govspeak::Document)
+    wrap_with_div("call-to-action", "$CTA", Govspeak::Document)
 
-    extension('address', surrounded_by("$A")) { |body|
+    extension("address", surrounded_by("$A")) { |body|
       %{\n<div class="address"><div class="adr org fn"><p>\n#{body.sub("\n", '').gsub("\n", '<br />')}\n</p></div></div>\n}
     }
 
     extension("legislative list", /#{NEW_PARAGRAPH_LOOKBEHIND}\$LegislativeList\s*$(.*?)\$EndLegislativeList/m) do |body|
       Govspeak::KramdownOverrides.with_kramdown_ordered_lists_disabled do
         Kramdown::Document.new(body.strip).to_html.tap do |doc|
-          doc.gsub!('<ul>', '<ol>')
-          doc.gsub!('</ul>', '</ol>')
-          doc.sub!('<ol>', '<ol class="legislative-list">')
+          doc.gsub!("<ul>", "<ol>")
+          doc.gsub!("</ul>", "</ol>")
+          doc.sub!("<ol>", '<ol class="legislative-list">')
         end
       end
     end
@@ -301,12 +301,12 @@ module Govspeak
     end
 
     def self.devolved_options
-      { 'scotland' => 'Scotland',
-        'england' => 'England',
-        'england-wales' => 'England and Wales',
-        'northern-ireland' => 'Northern Ireland',
-        'wales' => 'Wales',
-        'london' => 'London' }
+      { "scotland" => "Scotland",
+        "england" => "England",
+        "england-wales" => "England and Wales",
+        "northern-ireland" => "Northern Ireland",
+        "wales" => "Wales",
+        "london" => "London" }
     end
 
     devolved_options.each do |k, v|
@@ -333,7 +333,7 @@ module Govspeak
       end
     end
 
-    extension('embed link', /\[embed:link:\s*(.*?)\s*\]/) do |content_id|
+    extension("embed link", /\[embed:link:\s*(.*?)\s*\]/) do |content_id|
       link = links.detect { |l| l[:content_id] == content_id }
       next "" unless link
 
@@ -344,28 +344,28 @@ module Govspeak
       end
     end
 
-    extension('Contact', /\[Contact:\s*(.*?)\s*\]/) do |content_id|
+    extension("Contact", /\[Contact:\s*(.*?)\s*\]/) do |content_id|
       contact = contacts.detect { |c| c[:content_id] == content_id }
       next "" unless contact
 
-      renderer = TemplateRenderer.new('contact.html.erb', locale)
+      renderer = TemplateRenderer.new("contact.html.erb", locale)
       renderer.render(contact: ContactPresenter.new(contact))
     end
 
-    extension('Image', /#{NEW_PARAGRAPH_LOOKBEHIND}\[Image:\s*(.*?)\s*\]/) do |image_id|
+    extension("Image", /#{NEW_PARAGRAPH_LOOKBEHIND}\[Image:\s*(.*?)\s*\]/) do |image_id|
       image = images.detect { |c| c.is_a?(Hash) && c[:id] == image_id }
       next "" unless image
 
       render_image(ImagePresenter.new(image))
     end
 
-    extension('Attachment', /#{NEW_PARAGRAPH_LOOKBEHIND}\[Attachment:\s*(.*?)\s*\]/) do |attachment_id|
+    extension("Attachment", /#{NEW_PARAGRAPH_LOOKBEHIND}\[Attachment:\s*(.*?)\s*\]/) do |attachment_id|
       next "" if attachments.none? { |a| a[:id] == attachment_id }
 
       %{<govspeak-embed-attachment id="#{attachment_id}"></govspeak-embed-attachment>}
     end
 
-    extension('AttachmentLink', /\[AttachmentLink:\s*(.*?)\s*\]/) do |attachment_id|
+    extension("AttachmentLink", /\[AttachmentLink:\s*(.*?)\s*\]/) do |attachment_id|
       next "" if attachments.none? { |a| a[:id] == attachment_id }
 
       %{<govspeak-embed-attachment-link id="#{attachment_id}"></govspeak-embed-attachment-link>}
@@ -384,5 +384,5 @@ module Govspeak
 end
 
 I18n.load_path.unshift(
-  *Dir.glob(File.expand_path('locales/*.yml', Govspeak.root))
+  *Dir.glob(File.expand_path("locales/*.yml", Govspeak.root)),
 )

data/lib/govspeak/header_extractor.rb

@@ -20,7 +20,7 @@ module Govspeak
   private
 
     def id(element)
-      element.attr.fetch('id', generate_id(element.options[:raw_text]))
+      element.attr.fetch("id", generate_id(element.options[:raw_text]))
     end
 
     def build_header(element)

data/lib/govspeak/html_sanitizer.rb

@@ -1,4 +1,4 @@
-require 'addressable/uri'
+require "addressable/uri"
 
 class Govspeak::HtmlSanitizer
   class ImageSourceWhitelister
@@ -10,7 +10,7 @@ class Govspeak::HtmlSanitizer
       return unless sanitize_context[:node_name] == "img"
 
       node = sanitize_context[:node]
-      image_uri = Addressable::URI.parse(node['src'])
+      image_uri = Addressable::URI.parse(node["src"])
       unless image_uri.relative? || @allowed_image_hosts.include?(image_uri.host)
         node.unlink # the node isn't sanitary. Remove it from the document.
       end
@@ -25,8 +25,8 @@ class Govspeak::HtmlSanitizer
 
       # Kramdown uses text-align to allow table cells to be aligned
       # http://kramdown.gettalong.org/quickref.html#tables
-      if invalid_style_attribute?(node['style'])
-        node.remove_attribute('style')
+      if invalid_style_attribute?(node["style"])
+        node.remove_attribute("style")
       end
     end
 
@@ -48,25 +48,20 @@ class Govspeak::HtmlSanitizer
     Sanitize.clean(@dirty_html, Sanitize::Config.merge(sanitize_config, transformers: transformers))
   end
 
-  def button_sanitize_config
-    %w[
-      data-module
-      data-tracking-code
-      data-tracking-name
-    ]
-  end
-
   def sanitize_config
     Sanitize::Config.merge(
       Sanitize::Config::RELAXED,
-      elements: Sanitize::Config::RELAXED[:elements] + %w[govspeak-embed-attachment govspeak-embed-attachment-link],
+      elements: Sanitize::Config::RELAXED[:elements] + %w[govspeak-embed-attachment govspeak-embed-attachment-link svg path],
       attributes: {
         :all => Sanitize::Config::RELAXED[:attributes][:all] + %w[role aria-label],
-        "a"  => Sanitize::Config::RELAXED[:attributes]["a"] + button_sanitize_config,
+        "a"  => Sanitize::Config::RELAXED[:attributes]["a"] + [:data],
+        "svg" => Sanitize::Config::RELAXED[:attributes][:all] + %w[xmlns width height viewbox focusable],
+        "path" => Sanitize::Config::RELAXED[:attributes][:all] + %w[fill d],
+        "div" => [:data],
         "th"  => Sanitize::Config::RELAXED[:attributes]["th"] + %w[style],
         "td"  => Sanitize::Config::RELAXED[:attributes]["td"] + %w[style],
         "govspeak-embed-attachment" => %w[content-id],
-      }
+      },
     )
   end
 end