govuk_content_models 18.0.0 → 19.0.0

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## 19.0.0
+
+* BREAKING CHANGE: String fields can no longer include arbitrary images. They
+  must either be on a relative path, hosted on either www.gov.uk, assets.digital.cabinet-office.gov.uk or the equivalent domain for the local environment.
+
 ## 18.0.0
 
 * BREAKING CHANGE: Remove specialist-document Artefact kind.

data/app/validators/safe_html.rb

@@ -1,6 +1,17 @@
 require "govspeak"
+require "plek"
 
 class SafeHtml < ActiveModel::Validator
+  ALLOWED_IMAGE_HOSTS = [
+    # URLs for the local environment
+    URI.parse(Plek.new.website_root).host, # eg www.preview.alphagov.co.uk
+    URI.parse(Plek.new.asset_root).host,   # eg assets-origin.preview.alphagov.co.uk
+
+    # Hardcode production URLs so that content copied from production is valid
+    'www.gov.uk',
+    'assets.digital.cabinet-office.gov.uk'
+  ]
+
   def validate(record)
     record.changes.each do |field_name, (old_value, new_value)|
       check_struct(record, field_name, new_value)
@@ -18,25 +29,9 @@ class SafeHtml < ActiveModel::Validator
   end
 
   def check_string(record, field_name, string)
-    if govspeak_fields(record).include?(field_name)
-      unless Govspeak::Document.new(string).valid?
-        error = "cannot include invalid Govspeak or JavaScript"
-        record.errors.add(field_name, error)
-      end
-    else
-      unless Govspeak::HtmlValidator.new(string).valid?
-        error = "cannot include invalid HTML or JavaScript"
-        record.errors.add(field_name, error)
-      end
-    end
-  end
-
-private
-  def govspeak_fields(record)
-    if record.class.const_defined?(:GOVSPEAK_FIELDS)
-      record.class.const_get(:GOVSPEAK_FIELDS)
-    else
-      []
+    unless Govspeak::Document.new(string).valid?(allowed_image_hosts: ALLOWED_IMAGE_HOSTS)
+      error = "cannot include invalid Govspeak, invalid HTML, any JavaScript or images hosted on sites except for #{ALLOWED_IMAGE_HOSTS.join(', ')}"
+      record.errors.add(field_name, error)
     end
   end
 end

data/govuk_content_models.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency "gds-api-adapters", ">= 10.9.0"
 
   gem.add_dependency "gds-sso",          ">= 7.0.0", "< 10.0.0"
-  gem.add_dependency "govspeak",         "~> 2.0.0"
+  gem.add_dependency "govspeak",         "~> 3.1.0"
   # Mongoid 2.5.0 supports the newer 1.7.x and 1.8.x Mongo drivers
   gem.add_dependency "mongoid",          "~> 2.5"
   gem.add_dependency "plek"

data/lib/govuk_content_models/version.rb

@@ -1,4 +1,4 @@
 module GovukContentModels
   # Changing this causes Jenkins to tag and release the gem into the wild
-  VERSION = "18.0.0"
+  VERSION = "19.0.0"
 end

data/test/validators/safe_html_validator_test.rb

@@ -58,6 +58,17 @@ class SafeHtmlTest < ActiveSupport::TestCase
       assert_includes dummy.errors.keys, :undeclared
     end
 
+    should "disallow images not hosted by us" do
+      dummy = Dummy.new(undeclared: '<img src="http://evil.com/trollface"/>')
+      assert dummy.invalid?
+      assert_includes dummy.errors.keys, :undeclared
+    end
+
+    should "allow images hosted by us" do
+      dummy = Dummy.new(undeclared: '<img src="http://www.dev.gov.uk/trollface"/>')
+      assert dummy.valid?
+    end
+
     should "allow plain text" do
       dummy = Dummy.new(declared: "foo bar")
       assert dummy.valid?

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: govuk_content_models
 version: !ruby/object:Gem::Version
-  version: 18.0.0
+  version: 19.0.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-18 00:00:00.000000000 Z
+date: 2014-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bson_ext
@@ -88,7 +88,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 3.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -96,7 +96,7 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: 3.1.0
 - !ruby/object:Gem::Dependency
   name: mongoid
   requirement: !ruby/object:Gem::Requirement
@@ -460,7 +460,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2918385246882199762
+      hash: 874598308746352003
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -469,7 +469,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2918385246882199762
+      hash: 874598308746352003
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.23