govspeak 6.5.11 → 6.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/govspeak.rb +2 -1
- data/lib/govspeak/html_sanitizer.rb +5 -4
- data/lib/govspeak/version.rb +1 -1
- data/test/govspeak_test.rb +5 -0
- data/test/html_sanitizer_test.rb +6 -0
- metadata +17 -17
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6369a640dd1ca0303f548954b3cd69f176707200d83d460408eadbb7c7b35158
|
|
4
|
+
data.tar.gz: fb487bd7275c39da3b3ff34fb4bbb016c77e4666a778c42dd8098c0ef50b3ea5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 85fe44ebb3c921918bb22148c4d53394d3e5921b1c5b778815bb09120832e7820805555aa68756799a257a05c4fb5efdeb5df53a453009b2333db528fafa5f29
|
|
7
|
+
data.tar.gz: 82dc434b862384862420ea07e45d00e2020b5ea20fd7a52ee5196bb5a6786d4c3facd15e64917c0bfd700ac0a1c3aaaa7e761c6970640c60b118f40ca5a1f0e8
|
data/CHANGELOG.md
CHANGED
data/lib/govspeak.rb
CHANGED
|
@@ -53,6 +53,7 @@ module Govspeak
|
|
|
53
53
|
@source = source ? source.dup : ""
|
|
54
54
|
|
|
55
55
|
@images = options.delete(:images) || []
|
|
56
|
+
@allowed_elements = options.delete(:allowed_elements) || []
|
|
56
57
|
@attachments = Array.wrap(options.delete(:attachments))
|
|
57
58
|
@links = Array.wrap(options.delete(:links))
|
|
58
59
|
@contacts = Array.wrap(options.delete(:contacts))
|
|
@@ -66,7 +67,7 @@ module Govspeak
|
|
|
66
67
|
def to_html
|
|
67
68
|
@to_html ||= begin
|
|
68
69
|
html = if @options[:sanitize]
|
|
69
|
-
HtmlSanitizer.new(kramdown_doc.to_html).sanitize
|
|
70
|
+
HtmlSanitizer.new(kramdown_doc.to_html).sanitize(allowed_elements: @allowed_elements)
|
|
70
71
|
else
|
|
71
72
|
kramdown_doc.to_html
|
|
72
73
|
end
|
|
@@ -40,18 +40,19 @@ class Govspeak::HtmlSanitizer
|
|
|
40
40
|
@allowed_image_hosts = options[:allowed_image_hosts]
|
|
41
41
|
end
|
|
42
42
|
|
|
43
|
-
def sanitize
|
|
43
|
+
def sanitize(allowed_elements: [])
|
|
44
44
|
transformers = [TableCellTextAlignWhitelister.new]
|
|
45
45
|
if @allowed_image_hosts && @allowed_image_hosts.any?
|
|
46
46
|
transformers << ImageSourceWhitelister.new(@allowed_image_hosts)
|
|
47
47
|
end
|
|
48
|
-
|
|
48
|
+
|
|
49
|
+
Sanitize.clean(@dirty_html, Sanitize::Config.merge(sanitize_config(allowed_elements: allowed_elements), transformers: transformers))
|
|
49
50
|
end
|
|
50
51
|
|
|
51
|
-
def sanitize_config
|
|
52
|
+
def sanitize_config(allowed_elements: [])
|
|
52
53
|
Sanitize::Config.merge(
|
|
53
54
|
Sanitize::Config::RELAXED,
|
|
54
|
-
elements: Sanitize::Config::RELAXED[:elements] + %w[govspeak-embed-attachment govspeak-embed-attachment-link svg path],
|
|
55
|
+
elements: Sanitize::Config::RELAXED[:elements] + %w[govspeak-embed-attachment govspeak-embed-attachment-link svg path].concat(allowed_elements),
|
|
55
56
|
attributes: {
|
|
56
57
|
:all => Sanitize::Config::RELAXED[:attributes][:all] + %w[role aria-label],
|
|
57
58
|
"a" => Sanitize::Config::RELAXED[:attributes]["a"] + [:data],
|
data/lib/govspeak/version.rb
CHANGED
data/test/govspeak_test.rb
CHANGED
|
@@ -666,6 +666,11 @@ Teston
|
|
|
666
666
|
assert_equal "<script>doGoodThings();</script>", document.to_html.strip
|
|
667
667
|
end
|
|
668
668
|
|
|
669
|
+
test "it can exclude stipulated elements from sanitization" do
|
|
670
|
+
document = Govspeak::Document.new("<uncommon-element>some content</uncommon-element>", allowed_elements: %w[uncommon-element])
|
|
671
|
+
assert_equal "<uncommon-element>some content</uncommon-element>", document.to_html.strip
|
|
672
|
+
end
|
|
673
|
+
|
|
669
674
|
test "identifies a Govspeak document containing malicious HTML as invalid" do
|
|
670
675
|
document = Govspeak::Document.new("<script>doBadThings();</script>")
|
|
671
676
|
refute document.valid?
|
data/test/html_sanitizer_test.rb
CHANGED
|
@@ -96,4 +96,10 @@ class HtmlSanitizerTest < Minitest::Test
|
|
|
96
96
|
assert_equal "<table><thead><tr><th>thing</th></tr></thead><tbody><tr><td>thing</td></tr></tbody></table>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
97
97
|
end
|
|
98
98
|
end
|
|
99
|
+
|
|
100
|
+
test "excludes specified elements from sanitization" do
|
|
101
|
+
html = "<custom-allowed-element><p>text</p></custom-allowed-element>"
|
|
102
|
+
assert_equal "<p>text</p>", Govspeak::HtmlSanitizer.new(html).sanitize
|
|
103
|
+
assert_equal html, Govspeak::HtmlSanitizer.new(html).sanitize(allowed_elements: %w[custom-allowed-element])
|
|
104
|
+
end
|
|
99
105
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: govspeak
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 6.
|
|
4
|
+
version: 6.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GOV.UK Dev
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2021-01-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: actionview
|
|
@@ -372,24 +372,24 @@ signing_key:
|
|
|
372
372
|
specification_version: 4
|
|
373
373
|
summary: Markup language for single domain
|
|
374
374
|
test_files:
|
|
375
|
+
- test/test_helper.rb
|
|
376
|
+
- test/blockquote_extra_quote_remover_test.rb
|
|
375
377
|
- test/govspeak_images_bang_test.rb
|
|
376
|
-
- test/
|
|
378
|
+
- test/govspeak_contacts_test.rb
|
|
379
|
+
- test/govspeak_table_with_headers_test.rb
|
|
377
380
|
- test/govspeak_link_extractor_test.rb
|
|
378
|
-
- test/govspeak_attachments_inline_test.rb
|
|
379
|
-
- test/govspeak_button_test.rb
|
|
380
|
-
- test/govspeak_structured_headers_test.rb
|
|
381
381
|
- test/govspeak_attachments_image_test.rb
|
|
382
|
-
- test/
|
|
382
|
+
- test/html_validator_test.rb
|
|
383
|
+
- test/govspeak_button_test.rb
|
|
383
384
|
- test/govspeak_extract_contact_content_ids_test.rb
|
|
384
|
-
- test/
|
|
385
|
-
- test/govspeak_test.rb
|
|
386
|
-
- test/html_sanitizer_test.rb
|
|
385
|
+
- test/govspeak_test_helper.rb
|
|
387
386
|
- test/govspeak_footnote_test.rb
|
|
388
|
-
- test/blockquote_extra_quote_remover_test.rb
|
|
389
|
-
- test/test_helper.rb
|
|
390
|
-
- test/govspeak_table_with_headers_test.rb
|
|
391
|
-
- test/govspeak_images_test.rb
|
|
392
387
|
- test/govspeak_link_test.rb
|
|
393
|
-
- test/
|
|
394
|
-
- test/
|
|
395
|
-
- test/
|
|
388
|
+
- test/govspeak_structured_headers_test.rb
|
|
389
|
+
- test/html_sanitizer_test.rb
|
|
390
|
+
- test/govspeak_images_test.rb
|
|
391
|
+
- test/govspeak_test.rb
|
|
392
|
+
- test/govspeak_attachment_link_test.rb
|
|
393
|
+
- test/govspeak_attachment_test.rb
|
|
394
|
+
- test/presenters/h_card_presenter_test.rb
|
|
395
|
+
- test/govspeak_attachments_inline_test.rb
|