govuk_content_models 18.0.0 → 19.0.0

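--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 19.0.0
+
+* BREAKING CHANGE: String fields can no longer include arbitrary images. They
+must either be on a relative path, hosted on either www.gov.uk, assets.digital.cabinet-office.gov.uk or the equivalent domain for the local environment.
+
 ## 18.0.0
 
 * BREAKING CHANGE: Remove specialist-document Artefact kind.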
@@ -1,6 +1,17 @@
1
1
  require "govspeak"
2
+ require "plek"
2
3
 
3
4
  class SafeHtml < ActiveModel::Validator
5
+ ALLOWED_IMAGE_HOSTS = [
6
+ # URLs for the local environment
7
+ URI.parse(Plek.new.website_root).host, # eg www.preview.alphagov.co.uk
8
+ URI.parse(Plek.new.asset_root).host, # eg assets-origin.preview.alphagov.co.uk
9
+
10
+ # Hardcode production URLs so that content copied from production is valid
11
+ 'www.gov.uk',
12
+ 'assets.digital.cabinet-office.gov.uk'
13
+ ]
14
+
4
15
  def validate(record)
5
16
  record.changes.each do |field_name, (old_value, new_value)|
6
17
  check_struct(record, field_name, new_value)
@@ -18,25 +29,9 @@ class SafeHtml < ActiveModel::Validator
18
29
  end
19
30
 
20
31
  def check_string(record, field_name, string)
21
- if govspeak_fields(record).include?(field_name)
22
- unless Govspeak::Document.new(string).valid?
23
- error = "cannot include invalid Govspeak or JavaScript"
24
- record.errors.add(field_name, error)
25
- end
26
- else
27
- unless Govspeak::HtmlValidator.new(string).valid?
28
- error = "cannot include invalid HTML or JavaScript"
29
- record.errors.add(field_name, error)
30
- end
31
- end
32
- end
33
-
34
- private
35
- def govspeak_fields(record)
36
- if record.class.const_defined?(:GOVSPEAK_FIELDS)
37
- record.class.const_get(:GOVSPEAK_FIELDS)
38
- else
39
- []
32
+ unless Govspeak::Document.new(string).valid?(allowed_image_hosts: ALLOWED_IMAGE_HOSTS)
33
+ error = "cannot include invalid Govspeak, invalid HTML, any JavaScript or images hosted on sites except for #{ALLOWED_IMAGE_HOSTS.join(', ')}"
34
+ record.errors.add(field_name, error)
40
35
  end
41
36
  end
42
37
  end
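Review bot: The allowlist in `ALLOWED_IMAGE_HOSTS` is only as strong as the host comparison inside `Govspeak::Document#valid?(allowed_image_hosts:)`, which lives in the govspeak gem and is not visible here, so whether an `<img>` pointing at `www.gov.uk.evil.com`, `www.gov.uk@evil.com` or a scheme-relative `//evil.com/x` is rejected depends on that gem parsing `src` with `URI` and comparing hosts exactly. That dependency deserves a comment above the constant, e.g. `# Matched by host name inside Govspeak::Document#valid?; re-check its comparison whenever the govspeak pin changes.` In the first hunk each `URI.parse(Plek.new.…).host` is evaluated once at class load; if Plek yields a URL without a host in some environment the array holds `nil`, which is then handed to Govspeak and prints as an empty entry in the `check_string` error message — closing the literal with `].compact.freeze` guards both and makes the constant immutable. The second hunk also removes the `GOVSPEAK_FIELDS` branch, so fields previously checked only with `Govspeak::HtmlValidator` are now validated as Govspeak documents; that is a second breaking change the CHANGELOG entry in this release does not mention.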
@@ -20,7 +20,7 @@ Gem::Specification.new do |gem|
20
20
  gem.add_dependency "gds-api-adapters", ">= 10.9.0"
21
21
 
22
22
  gem.add_dependency "gds-sso", ">= 7.0.0", "< 10.0.0"
23
- gem.add_dependency "govspeak", "~> 2.0.0"
23
+ gem.add_dependency "govspeak", "~> 3.1.0"
24
24
  # Mongoid 2.5.0 supports the newer 1.7.x and 1.8.x Mongo drivers
25
25
  gem.add_dependency "mongoid", "~> 2.5"
26
26
  gem.add_dependency "plek"
@@ -1,4 +1,4 @@
1
1
  module GovukContentModels
2
2
  # Changing this causes Jenkins to tag and release the gem into the wild
3
- VERSION = "18.0.0"
3
+ VERSION = "19.0.0"
4
4
  end
@@ -58,6 +58,17 @@ class SafeHtmlTest < ActiveSupport::TestCase
58
58
  assert_includes dummy.errors.keys, :undeclared
59
59
  end
60
60
 
61
+ should "disallow images not hosted by us" do
62
+ dummy = Dummy.new(undeclared: '<img src="http://evil.com/trollface"/>')
63
+ assert dummy.invalid?
64
+ assert_includes dummy.errors.keys, :undeclared
65
+ end
66
+
67
+ should "allow images hosted by us" do
68
+ dummy = Dummy.new(undeclared: '<img src="http://www.dev.gov.uk/trollface"/>')
69
+ assert dummy.valid?
70
+ end
71
+
61
72
  should "allow plain text" do
62
73
  dummy = Dummy.new(declared: "foo bar")
63
74
  assert dummy.valid?
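Review bot: The new positive test hard-codes `http://www.dev.gov.uk/trollface`, which only passes where `Plek.new.website_root` resolves to that host, so the test is environment-dependent; building the URL from the constant, `src="http://#{SafeHtml::ALLOWED_IMAGE_HOSTS.first}/trollface"`, removes that coupling. The negative test only covers an unrelated host, so nothing pins down that the allowlist is an exact host match rather than a substring or suffix match: hosts such as `www.gov.uk.evil.com`, an allowed host in the path (`evil.com/www.gov.uk`) and an allowed host as userinfo (`www.gov.uk@evil.com`) should each be asserted invalid, and the relative-path case the CHANGELOG promises should be asserted valid. Whether these pass today depends on Govspeak 3.1's URL parsing, which is not visible here, but they are exactly the cases that would silently regress on a govspeak bump.
```ruby
should "disallow images whose host merely contains or ends with an allowed host" do
  %w[
    http://www.gov.uk.evil.com/trollface
    http://evil.com/www.gov.uk/trollface
    http://www.gov.uk@evil.com/trollface
  ].each do |src|
    dummy = Dummy.new(undeclared: %(<img src="#{src}"/>))
    assert dummy.invalid?, "expected #{src} to be rejected"
    assert_includes dummy.errors.keys, :undeclared
  end
end

should "allow images on a relative path" do
  dummy = Dummy.new(undeclared: '<img src="/images/trollface.png"/>')
  assert dummy.valid?
end
```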
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: govuk_content_models
3
3
  version: !ruby/object:Gem::Version
4
- version: 18.0.0
4
+ version: 19.0.0
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2014-08-18 00:00:00.000000000 Z
12
+ date: 2014-08-19 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bson_ext
@@ -88,7 +88,7 @@ dependencies:
88
88
  requirements:
89
89
  - - ~>
90
90
  - !ruby/object:Gem::Version
91
- version: 2.0.0
91
+ version: 3.1.0
92
92
  type: :runtime
93
93
  prerelease: false
94
94
  version_requirements: !ruby/object:Gem::Requirement
@@ -96,7 +96,7 @@ dependencies:
96
96
  requirements:
97
97
  - - ~>
98
98
  - !ruby/object:Gem::Version
99
- version: 2.0.0
99
+ version: 3.1.0
100
100
  - !ruby/object:Gem::Dependency
101
101
  name: mongoid
102
102
  requirement: !ruby/object:Gem::Requirement
@@ -460,7 +460,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
460
460
  version: '0'
461
461
  segments:
462
462
  - 0
463
- hash: 2918385246882199762
463
+ hash: 874598308746352003
464
464
  required_rubygems_version: !ruby/object:Gem::Requirement
465
465
  none: false
466
466
  requirements:
@@ -469,7 +469,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
469
469
  version: '0'
470
470
  segments:
471
471
  - 0
472
- hash: 2918385246882199762
472
+ hash: 874598308746352003
473
473
  requirements: []
474
474
  rubyforge_project:
475
475
  rubygems_version: 1.8.23