govspeak 5.5.0 → 5.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 52ab560c9f4e178a3079553808221fed51396b32
-  data.tar.gz: 371d78e8b275ca0c482e925a9e8a0bce71f791e0
+  metadata.gz: 6e0eb446c6565462c24ad3f78801c202917e9b20
+  data.tar.gz: 16455957358cc36b9e743974e885c61b48259227
 SHA512:
-  metadata.gz: 81bfefe2e2923ef22e97898e1c9183833b220de4ceaec5d53a711dbf674ea513c081fa9bfb4b9633212278b06ab5ec8b3e9366ac0acf88f4f639e5a982b89aad
-  data.tar.gz: 122a67b0d9182529e010c14cc3129b0c81b72182cb272ca6bcd167c337a965f2351398e0c2abac8595501ea1355a102fef37cee070ec0312963833606a0485b7
+  metadata.gz: 4e89a5cc8e001699815ea701efef079fbf2ede8a25b99a0493f880135919c913f2186a3a2745fb4bd9bfa2331da156ba0b86da7e5b5a206eca4665dcf55a94a0
+  data.tar.gz: e5295b34106249a7bc73751852688f0e00a80242380eaa6a09c94b2e185f6d5648132881148fdbc2d6658cbadd5b4352da340a7c89e5cdadf3b990b7654fa41b

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 5.6.0
+
+* Update sanitize version to 4.6.x [#127](https://github.com/alphagov/govspeak/issues/127)
+
 ## 5.5.0
 * Ignore links with blank or missing `href`s when extracting links from a document with `Govspeak::Document#extracted_links` [#124](https://github.com/alphagov/govspeak/pull/124)
 

data/lib/govspeak/html_sanitizer.rb

@@ -1,9 +1,7 @@
 require 'addressable/uri'
 require 'sanitize'
-require 'with_deep_merge'
 
 class Govspeak::HtmlSanitizer
-  include WithDeepMerge
 
   class ImageSourceWhitelister
     def initialize(allowed_image_hosts)
@@ -48,13 +46,12 @@ class Govspeak::HtmlSanitizer
     if @allowed_image_hosts && @allowed_image_hosts.any?
       transformers << ImageSourceWhitelister.new(@allowed_image_hosts)
     end
-    Sanitize.clean(@dirty_html, sanitize_config.merge(transformers: transformers))
+    Sanitize.clean(@dirty_html, Sanitize::Config.merge(sanitize_config, transformers: transformers))
   end
 
   def sanitize_without_images
     config = sanitize_config
-    config[:elements].delete('img')
-    Sanitize.clean(@dirty_html, config)
+    Sanitize.clean(@dirty_html, Sanitize::Config.merge(config, elements: config[:elements] - ["img"]))
   end
 
   def button_sanitize_config
@@ -66,14 +63,14 @@ class Govspeak::HtmlSanitizer
   end
 
   def sanitize_config
-    deep_merge(Sanitize::Config::RELAXED, {
+    Sanitize::Config.merge(
+      Sanitize::Config::RELAXED,
       attributes: {
-        :all => Sanitize::Config::RELAXED[:attributes][:all] + [ "id", "class", "role", "aria-label" ],
-        "a"  => Sanitize::Config::RELAXED[:attributes]["a"] + ["rel"] + button_sanitize_config,
-        "th"  => Sanitize::Config::RELAXED[:attributes]["th"] + [ "style" ],
-        "td"  => Sanitize::Config::RELAXED[:attributes]["td"] + [ "style" ],
-      },
-      elements: Sanitize::Config::RELAXED[:elements] + [ "div", "span", "aside" ],
-    })
+        :all => Sanitize::Config::RELAXED[:attributes][:all] + ["role", "aria-label"],
+        "a"  => Sanitize::Config::RELAXED[:attributes]["a"] + button_sanitize_config,
+        "th"  => Sanitize::Config::RELAXED[:attributes]["th"] + ["style"],
+        "td"  => Sanitize::Config::RELAXED[:attributes]["td"] + ["style"],
+      }
+    )
   end
 end

data/lib/govspeak/version.rb

@@ -1,3 +1,3 @@
 module Govspeak
-  VERSION = "5.5.0".freeze
+  VERSION = "5.6.0".freeze
 end

data/test/html_sanitizer_test.rb

@@ -53,13 +53,24 @@ class HtmlSanitizerTest < Minitest::Test
   end
 
   test "allows table cells and table headings without a style attribute" do
-    html = "<th>thing</th><td>thing</td>"
+    html = "<table><thead><tr><th>thing</th></tr></thead><tbody><tr><td>thing</td></tr></tbody></table>"
     assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
   end
 
+  test "strips table cells and headings that appear outside a table" do
+    html = "<th>thing</th></tr><tr><td>thing</td>"
+    assert_equal 'thingthing', Govspeak::HtmlSanitizer.new(html).sanitize
+  end
+
+  test "normalizes table tags to inject missing rows and bodies like a browser does" do
+    html = "<table><th>thing</th><td>thing</td></table>"
+    assert_equal '<table><tbody><tr><th>thing</th><td>thing</td></tr></tbody></table>', Govspeak::HtmlSanitizer.new(html).sanitize
+  end
+
+
   test "allows valid text-align properties on the style attribute for table cells and table headings" do
     ["left", "right", "center"].each do |alignment|
-      html = "<th style=\"text-align: #{alignment}\">thing</th><td style=\"text-align: #{alignment}\">thing</td>"
+      html = "<table><thead><tr><th style=\"text-align: #{alignment}\">thing</th></tr></thead><tbody><tr><td style=\"text-align: #{alignment}\">thing</td></tr></tbody></table>"
       assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize
     end
 
@@ -70,8 +81,8 @@ class HtmlSanitizerTest < Minitest::Test
       "background-image: url(javascript:alert('XSS'))",
       "expression(alert('XSS'));"
     ].each do |style|
-      html = "<th style=\"#{style}\">thing</th><td style=\"#{style}\">thing</td>"
-      assert_equal '<th>thing</th><td>thing</td>', Govspeak::HtmlSanitizer.new(html).sanitize
+      html = "<table><thead><tr><th style=\"#{style}\">thing</th></tr></thead><tbody><tr><td style=\"#{style}\">thing</td></tr></tbody></table>"
+      assert_equal '<table><thead><tr><th>thing</th></tr></thead><tbody><tr><td>thing</td></tr></tbody></table>', Govspeak::HtmlSanitizer.new(html).sanitize
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: govspeak
 version: !ruby/object:Gem::Version
-  version: 5.5.0
+  version: 5.6.0
 platform: ruby
 authors:
 - GOV.UK Dev
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-02-21 00:00:00.000000000 Z
+date: 2018-03-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: kramdown
@@ -44,14 +44,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: '4.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: '4.6'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
@@ -279,7 +279,6 @@ files:
 - lib/templates/attachment.html.erb
 - lib/templates/contact.html.erb
 - lib/templates/inline_attachment.html.erb
-- lib/with_deep_merge.rb
 - test/blockquote_extra_quote_remover_test.rb
 - test/govspeak_attachments_image_test.rb
 - test/govspeak_attachments_inline_test.rb
@@ -295,7 +294,6 @@ files:
 - test/html_validator_test.rb
 - test/presenters/h_card_presenter_test.rb
 - test/test_helper.rb
-- test/with_deep_merge_test.rb
 homepage: http://github.com/alphagov/govspeak
 licenses: []
 metadata: {}
@@ -323,7 +321,6 @@ test_files:
 - test/govspeak_link_extractor_test.rb
 - test/govspeak_structured_headers_test.rb
 - test/govspeak_button_test.rb
-- test/with_deep_merge_test.rb
 - test/blockquote_extra_quote_remover_test.rb
 - test/govspeak_test_helper.rb
 - test/govspeak_link_test.rb

data/lib/with_deep_merge.rb

@@ -1,11 +0,0 @@
-module WithDeepMerge
-  def deep_merge(base_object, other_object)
-    if base_object.is_a?(Hash) && other_object.is_a?(Hash)
-      base_object.merge(other_object) { |_, base_value, other_value|
-        deep_merge(base_value, other_value)
-      }
-    else
-      other_object
-    end
-  end
-end

data/test/with_deep_merge_test.rb

@@ -1,18 +0,0 @@
-require 'with_deep_merge'
-
-class WithDeepMergeTest < Minitest::Test
-  include WithDeepMerge
-
-  def test_simple_merge
-    base_hash = { "a" => "b" }
-    other_hash = { "c" => "d" }
-    assert_equal({ "a" => "b", "c" => "d" }, deep_merge(base_hash, other_hash))
-  end
-
-  def test_recursive_merge
-    base_hash = { "a" =>  { "b" => "c", "d" => "e" } }
-    other_hash = { "a" => { "b" => "z", "f" => "g" } }
-    assert_equal({ "a" => { "b" => "z", "d" => "e", "f" => "g" } },
-      deep_merge(base_hash, other_hash))
-  end
-end