govspeak 6.8.0 → 6.8.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4de0ad0d505ecb467987eb27087a076411a0bd6de2fe535eb058b0550d17d09d
-  data.tar.gz: 5b1cba9b7ecc6bc47d1f1646e0dfbb3ff3c2a5cee04a41079c8bb419b0b21610
+  metadata.gz: ca0f29b1dceee03154a3f7f535e27c5bf7ebf5ae5e42845919c7bfea3eb2e132
+  data.tar.gz: 428ff21aa80eaccd670ee643aed80d3081148417161f1a1bf10b78742e01c6b4
 SHA512:
-  metadata.gz: def9659344fe5ed585999686924483c0c8dbc6a130820b86fa427d3eee31b635f2ac64efd0e15a2e42d5102e0b709f15f13c5d70f9d76c90757241bb6734bd23
-  data.tar.gz: 6ff2c9ae06337d1b8030cf823c8dab8983a99c0fab7abe7673e7c917347ff91be94834c6b00601397ecef2ada1837e58c69cf21419a872571e218bc55e64d695
+  metadata.gz: cef697b4026db708378ede49588032d2b95e603a4f4ce87053b8c47ce119ff94b6ad5363e4ec7079d914941c48db0fb6d93ed3b75fff1225459957ed3d24736a
+  data.tar.gz: e78af326c264e4d4d92dedebb23a8db4a08927e55101f435a4ebe4714142e5432262bf1b1ce45553e83f6bb969af859ee4bcba7388a62fc63c987cc83f86ad99

data/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 6.8.3
+
+* Require Kramdown minimum version of 2.3.1 to avoid CVE-2021-28834 [#246](https://github.com/alphagov/govspeak/pull/246)
+
+## 6.8.2
+
+* Fix footnote numbering [#239](https://github.com/alphagov/govspeak/pull/239)
+
+## 6.8.1
+
+* Fix a bug which resulted in validation errors on 'Start Button' elements [#237](https://github.com/alphagov/govspeak/pull/237)
+
 ## 6.8.0
 
 * Drop support for Ruby 2.6 which reaches End of Life (EOL) on 31/03/2022

data/lib/govspeak/html_sanitizer.rb

@@ -46,7 +46,17 @@ class Govspeak::HtmlSanitizer
       transformers << ImageSourceWhitelister.new(@allowed_image_hosts)
     end
 
-    Sanitize.clean(@dirty_html, Sanitize::Config.merge(sanitize_config(allowed_elements: allowed_elements), transformers: transformers))
+    # It would be cleaner to move this `transformers` key into the `sanitize_config` method rather
+    # than having to use Sanitize::Config.merge() twice in succession. However, `sanitize_config`
+    # is a public method and it looks like other projects depend on it behaving the way it
+    # currently does – i.e. to return Sanitize config without any transformers.
+    # e.g. https://github.com/alphagov/hmrc-manuals-api/blob/4a83f78d0bb839520155623fd9b63b3b12a3b13a/app/validators/no_dangerous_html_in_text_fields_validator.rb#L44
+    config_with_transformers = Sanitize::Config.merge(
+      sanitize_config(allowed_elements: allowed_elements),
+      transformers: transformers,
+    )
+
+    Sanitize.clean(@dirty_html, config_with_transformers)
   end
 
   def sanitize_config(allowed_elements: [])

data/lib/govspeak/html_validator.rb

@@ -1,9 +1,9 @@
 class Govspeak::HtmlValidator
   attr_reader :govspeak_string
 
-  def initialize(govspeak_string, sanitization_options = {})
+  def initialize(govspeak_string, options = {})
     @govspeak_string = govspeak_string.dup.force_encoding(Encoding::UTF_8)
-    @sanitization_options = sanitization_options
+    @allowed_image_hosts = options[:allowed_image_hosts]
   end
 
   def invalid?
@@ -11,17 +11,23 @@ class Govspeak::HtmlValidator
   end
 
   def valid?
-    dirty_html = govspeak_to_html
-    clean_html = Govspeak::HtmlSanitizer.new(dirty_html, @sanitization_options).sanitize
+    dirty_html = govspeak_to_html(sanitize: false)
+    clean_html = govspeak_to_html(sanitize: true)
     normalise_html(dirty_html) == normalise_html(clean_html)
   end
 
+private
+
   # Make whitespace in html tags consistent
   def normalise_html(html)
     Nokogiri::HTML5.fragment(html).to_s
   end
 
-  def govspeak_to_html
-    Govspeak::Document.new(govspeak_string, sanitize: false).to_html
+  def govspeak_to_html(sanitize:)
+    Govspeak::Document.new(
+      govspeak_string,
+      sanitize: sanitize,
+      allowed_image_hosts: @allowed_image_hosts,
+    ).to_html
   end
 end

data/lib/govspeak/version.rb

@@ -1,3 +1,3 @@
 module Govspeak
-  VERSION = "6.8.0".freeze
+  VERSION = "6.8.3".freeze
 end

data/lib/govspeak.rb

@@ -54,6 +54,7 @@ module Govspeak
 
       @images = options.delete(:images) || []
       @allowed_elements = options.delete(:allowed_elements) || []
+      @allowed_image_hosts = options.delete(:allowed_image_hosts) || []
       @attachments = Array.wrap(options.delete(:attachments))
       @links = Array.wrap(options.delete(:links))
       @contacts = Array.wrap(options.delete(:contacts))
@@ -69,7 +70,8 @@ module Govspeak
     def to_html
       @to_html ||= begin
         html = if @options[:sanitize]
-                 HtmlSanitizer.new(kramdown_doc.to_html).sanitize(allowed_elements: @allowed_elements)
+                 HtmlSanitizer.new(kramdown_doc.to_html, allowed_image_hosts: @allowed_image_hosts)
+                              .sanitize(allowed_elements: @allowed_elements)
                else
                  kramdown_doc.to_html
                end
@@ -136,7 +138,7 @@ module Govspeak
     def footnote_definitions(source)
       is_legislative_list = source.scan(/\$LegislativeList.*?\[\^\d\]*.*?\$EndLegislativeList/m).size.positive?
       is_cta = source.scan(/\$CTA.*?\[\^\d\]*.*?\$CTA/m).size.positive?
-      footnotes = source.scan(/\[\^(\d+)\]:(.*)/)
+      footnotes = source.scan(/^\s*\[\^(\d+)\]:(.*)/)
       @acronyms = source.scan(/(?<=\*)\[(.*)\]:(.*)/)
       if (is_legislative_list || is_cta) && footnotes.size.positive?
         list_items = footnotes.map do |footnote|

data/test/govspeak_test.rb

@@ -1048,6 +1048,48 @@ Teston
     )
   end
 
+  test_given_govspeak "
+    $LegislativeList
+    1.  some text[^1]:
+    $EndLegislativeList
+    [^1]: footnote text
+  " do
+    assert_html_output %(
+      <p>1.  some text<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">[footnote 1]</a></sup>:</p>
+
+      <div class="footnotes" role="doc-endnotes">
+        <ol>
+          <li id="fn:1" role="doc-endnote">
+        <p>
+          footnote text<a href="#fnref:1" class="reversefootnote" role="doc-backlink" aria-label="go to where this is referenced">↩</a>
+        </p>
+      </li>
+        </ol>
+      </div>
+    )
+  end
+
+  test_given_govspeak "
+    $LegislativeList
+    1.  some text[^1]: extra
+    $EndLegislativeList
+    [^1]: footnote text
+    " do
+      assert_html_output %(
+      <p>1.  some text<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">[footnote 1]</a></sup>: extra</p>
+
+      <div class="footnotes" role="doc-endnotes">
+        <ol>
+          <li id="fn:1" role="doc-endnote">
+        <p>
+          footnote text<a href="#fnref:1" class="reversefootnote" role="doc-backlink" aria-label="go to where this is referenced">↩</a>
+        </p>
+      </li>
+        </ol>
+      </div>
+    )
+    end
+
   # FIXME: this code is buggy and replaces abbreviations in HTML tags - removing the functionality for now
   # test_given_govspeak "
   #   $LegislativeList

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govspeak
 version: !ruby/object:Gem::Version
-  version: 6.8.0
+  version: 6.8.3
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-17 00:00:00.000000000 Z
+date: 2022-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionview
@@ -92,14 +92,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: 2.3.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.3.0
+        version: 2.3.1
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -190,14 +190,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.3.0
+        version: 4.5.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.3.0
+        version: 4.5.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -327,29 +327,29 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.3.16
 signing_key: 
 specification_version: 4
 summary: Markup language for single domain
 test_files:
-- test/govspeak_test_helper.rb
+- test/govspeak_attachment_link_test.rb
+- test/test_helper.rb
+- test/govspeak_button_test.rb
+- test/govspeak_footnote_test.rb
+- test/govspeak_images_test.rb
+- test/govspeak_images_bang_test.rb
 - test/blockquote_extra_quote_remover_test.rb
+- test/html_sanitizer_test.rb
+- test/govspeak_table_with_headers_test.rb
+- test/govspeak_extract_contact_content_ids_test.rb
+- test/html_validator_test.rb
+- test/govspeak_contacts_test.rb
+- test/govspeak_test.rb
+- test/govspeak_attachments_image_test.rb
+- test/govspeak_attachment_test.rb
 - test/govspeak_link_extractor_test.rb
-- test/govspeak_images_test.rb
 - test/govspeak_link_test.rb
-- test/govspeak_extract_contact_content_ids_test.rb
-- test/govspeak_footnote_test.rb
 - test/presenters/h_card_presenter_test.rb
 - test/govspeak_attachments_inline_test.rb
+- test/govspeak_test_helper.rb
 - test/govspeak_structured_headers_test.rb
-- test/test_helper.rb
-- test/govspeak_button_test.rb
-- test/govspeak_attachment_test.rb
-- test/html_sanitizer_test.rb
-- test/govspeak_contacts_test.rb
-- test/govspeak_attachments_image_test.rb
-- test/govspeak_images_bang_test.rb
-- test/govspeak_test.rb
-- test/govspeak_table_with_headers_test.rb
-- test/html_validator_test.rb
-- test/govspeak_attachment_link_test.rb