govspeak 3.5.2 → 3.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/lib/govspeak/html_sanitizer.rb +16 -1
- data/lib/govspeak/version.rb +1 -1
- data/test/govspeak_test.rb +3 -3
- data/test/html_sanitizer_test.rb +18 -0
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 88204b81285c071614cae4cdbc7933647c408ec7
|
|
4
|
+
data.tar.gz: 4927a7e014000868d29574ef257eda8d3fadd012
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 220d392cd52c2ee77f44e3ba65af87a143b14706339c99ec13bbd32063c1933e3079f82512f2941a6720923a9e0449a100fd31ddf624fd2b2b6d30edbcdda3ed
|
|
7
|
+
data.tar.gz: 76327a9e3df12548d9edeafe83646102374044757dec3d98b1805dba514b897e0bbb56ab0a3fb992888936f05b6393da263ba6f0f8cc11fedd40ec348713e413
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
## 3.6.0
|
|
2
|
+
|
|
3
|
+
* Update minimum Kramdown version from 1.5.0 to 1.10.0 ([changelog](https://github.com/gettalong/kramdown/tree/2cd02dfacda041d3108a039e085f804645a9d538/doc/news))
|
|
4
|
+
* Allow table columns to be left, right or centre aligned using the [standard markdown pattern](http://kramdown.gettalong.org/quickref.html#tables) provided by Kramdown
|
|
5
|
+
|
|
1
6
|
## 3.5.2
|
|
2
7
|
|
|
3
8
|
* Fix a couple of issues with the [header_extractor](https://github.com/alphagov/govspeak/blob/master/lib/govspeak/header_extractor.rb). The method now picks up headers nested inside `blocks`, and when ID's are [explicitly set](http://kramdown.gettalong.org/syntax.html#specifying-a-header-id). See [https://github.com/alphagov/govspeak/pull/66](https://github.com/alphagov/govspeak/pull/66) for more.
|
|
@@ -21,13 +21,26 @@ class Govspeak::HtmlSanitizer
|
|
|
21
21
|
end
|
|
22
22
|
end
|
|
23
23
|
|
|
24
|
+
class TableCellTextAlignWhitelister
|
|
25
|
+
def call(sanitize_context)
|
|
26
|
+
return unless ["td", "th"].include?(sanitize_context[:node_name])
|
|
27
|
+
node = sanitize_context[:node]
|
|
28
|
+
|
|
29
|
+
# Kramdown uses text-align to allow table cells to be aligned
|
|
30
|
+
# http://kramdown.gettalong.org/quickref.html#tables
|
|
31
|
+
unless node['style'].match(/^text-align:\s*(center|left|right)$/)
|
|
32
|
+
node.remove_attribute('style')
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
24
37
|
def initialize(dirty_html, options = {})
|
|
25
38
|
@dirty_html = dirty_html
|
|
26
39
|
@allowed_image_hosts = options[:allowed_image_hosts]
|
|
27
40
|
end
|
|
28
41
|
|
|
29
42
|
def sanitize
|
|
30
|
-
transformers = []
|
|
43
|
+
transformers = [TableCellTextAlignWhitelister.new]
|
|
31
44
|
if @allowed_image_hosts && @allowed_image_hosts.any?
|
|
32
45
|
transformers << ImageSourceWhitelister.new(@allowed_image_hosts)
|
|
33
46
|
end
|
|
@@ -45,6 +58,8 @@ class Govspeak::HtmlSanitizer
|
|
|
45
58
|
attributes: {
|
|
46
59
|
:all => Sanitize::Config::RELAXED[:attributes][:all] + [ "id", "class", "role", "aria-label" ],
|
|
47
60
|
"a" => Sanitize::Config::RELAXED[:attributes]["a"] + [ "rel" ],
|
|
61
|
+
"th" => Sanitize::Config::RELAXED[:attributes]["th"] + [ "style" ],
|
|
62
|
+
"td" => Sanitize::Config::RELAXED[:attributes]["td"] + [ "style" ],
|
|
48
63
|
},
|
|
49
64
|
elements: Sanitize::Config::RELAXED[:elements] + [ "div", "span", "aside" ],
|
|
50
65
|
})
|
data/lib/govspeak/version.rb
CHANGED
data/test/govspeak_test.rb
CHANGED
|
@@ -20,17 +20,17 @@ class GovspeakTest < Minitest::Test
|
|
|
20
20
|
|
|
21
21
|
test "simple block extension" do
|
|
22
22
|
rendered = Govspeak::Document.new("this \n{::reverse}\n*is*\n{:/reverse}\n markdown").to_html
|
|
23
|
-
assert_equal "<p>this
|
|
23
|
+
assert_equal "<p>this</p>\n\n<p><em>si</em></p>\n\n<p>markdown</p>\n", rendered
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
test "highlight-answer block extension" do
|
|
27
27
|
rendered = Govspeak::Document.new("this \n{::highlight-answer}Lead in to *BIG TEXT*\n{:/highlight-answer}").to_html
|
|
28
|
-
assert_equal %Q{<p>this
|
|
28
|
+
assert_equal %Q{<p>this</p>\n\n<div class="highlight-answer">\n<p>Lead in to <em>BIG TEXT</em></p>\n</div>\n}, rendered
|
|
29
29
|
end
|
|
30
30
|
|
|
31
31
|
test "stat-headline block extension" do
|
|
32
32
|
rendered = Govspeak::Document.new("this \n{stat-headline}*13.8bn* Age of the universe in years{/stat-headline}").to_html
|
|
33
|
-
assert_equal %Q{<p>this
|
|
33
|
+
assert_equal %Q{<p>this</p>\n\n<aside class="stat-headline">\n<p><em>13.8bn</em> Age of the universe in years</p>\n</aside>\n}, rendered
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
test "extracts headers with text, level and generated id" do
|
data/test/html_sanitizer_test.rb
CHANGED
|
@@ -43,4 +43,22 @@ class HtmlSanitizerTest < Minitest::Test
|
|
|
43
43
|
html = "<img src='http://example.com/image.jgp'>"
|
|
44
44
|
assert_equal "", Govspeak::HtmlSanitizer.new(html).sanitize_without_images
|
|
45
45
|
end
|
|
46
|
+
|
|
47
|
+
test "allows valid text-align properties on the style attribute for table cells and table headings" do
|
|
48
|
+
["left", "right", "center"].each do |alignment|
|
|
49
|
+
html = "<td style=\"text-align: #{alignment}\">thing</td>"
|
|
50
|
+
assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
[
|
|
54
|
+
"width: 10000px",
|
|
55
|
+
"text-align: middle",
|
|
56
|
+
"text-align: left; width: 10px",
|
|
57
|
+
"background-image: url(javascript:alert('XSS'))",
|
|
58
|
+
"expression(alert('XSS'));"
|
|
59
|
+
].each do |style|
|
|
60
|
+
html = "<td style=\"#{style}\">thing</td>"
|
|
61
|
+
assert_equal '<td>thing</td>', Govspeak::HtmlSanitizer.new(html).sanitize
|
|
62
|
+
end
|
|
63
|
+
end
|
|
46
64
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: govspeak
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Ben Griffiths
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2016-
|
|
12
|
+
date: 2016-05-03 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: kramdown
|
|
@@ -17,14 +17,14 @@ dependencies:
|
|
|
17
17
|
requirements:
|
|
18
18
|
- - "~>"
|
|
19
19
|
- !ruby/object:Gem::Version
|
|
20
|
-
version: 1.
|
|
20
|
+
version: 1.10.0
|
|
21
21
|
type: :runtime
|
|
22
22
|
prerelease: false
|
|
23
23
|
version_requirements: !ruby/object:Gem::Requirement
|
|
24
24
|
requirements:
|
|
25
25
|
- - "~>"
|
|
26
26
|
- !ruby/object:Gem::Version
|
|
27
|
-
version: 1.
|
|
27
|
+
version: 1.10.0
|
|
28
28
|
- !ruby/object:Gem::Dependency
|
|
29
29
|
name: htmlentities
|
|
30
30
|
requirement: !ruby/object:Gem::Requirement
|