govuk_content_models 18.0.0 → 19.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,8 @@
|
|
|
1
|
+
## 19.0.0
|
|
2
|
+
|
|
3
|
+
* BREAKING CHANGE: String fields can no longer include arbitrary images. They
|
|
4
|
+
must either be on a relative path, hosted on either www.gov.uk, assets.digital.cabinet-office.gov.uk or the equivalent domain for the local environment.
|
|
5
|
+
|
|
1
6
|
## 18.0.0
|
|
2
7
|
|
|
3
8
|
* BREAKING CHANGE: Remove specialist-document Artefact kind.
|
data/app/validators/safe_html.rb
CHANGED
|
@@ -1,6 +1,17 @@
|
|
|
1
1
|
require "govspeak"
|
|
2
|
+
require "plek"
|
|
2
3
|
|
|
3
4
|
class SafeHtml < ActiveModel::Validator
|
|
5
|
+
ALLOWED_IMAGE_HOSTS = [
|
|
6
|
+
# URLs for the local environment
|
|
7
|
+
URI.parse(Plek.new.website_root).host, # eg www.preview.alphagov.co.uk
|
|
8
|
+
URI.parse(Plek.new.asset_root).host, # eg assets-origin.preview.alphagov.co.uk
|
|
9
|
+
|
|
10
|
+
# Hardcode production URLs so that content copied from production is valid
|
|
11
|
+
'www.gov.uk',
|
|
12
|
+
'assets.digital.cabinet-office.gov.uk'
|
|
13
|
+
]
|
|
14
|
+
|
|
4
15
|
def validate(record)
|
|
5
16
|
record.changes.each do |field_name, (old_value, new_value)|
|
|
6
17
|
check_struct(record, field_name, new_value)
|
|
@@ -18,25 +29,9 @@ class SafeHtml < ActiveModel::Validator
|
|
|
18
29
|
end
|
|
19
30
|
|
|
20
31
|
def check_string(record, field_name, string)
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
record.errors.add(field_name, error)
|
|
25
|
-
end
|
|
26
|
-
else
|
|
27
|
-
unless Govspeak::HtmlValidator.new(string).valid?
|
|
28
|
-
error = "cannot include invalid HTML or JavaScript"
|
|
29
|
-
record.errors.add(field_name, error)
|
|
30
|
-
end
|
|
31
|
-
end
|
|
32
|
-
end
|
|
33
|
-
|
|
34
|
-
private
|
|
35
|
-
def govspeak_fields(record)
|
|
36
|
-
if record.class.const_defined?(:GOVSPEAK_FIELDS)
|
|
37
|
-
record.class.const_get(:GOVSPEAK_FIELDS)
|
|
38
|
-
else
|
|
39
|
-
[]
|
|
32
|
+
unless Govspeak::Document.new(string).valid?(allowed_image_hosts: ALLOWED_IMAGE_HOSTS)
|
|
33
|
+
error = "cannot include invalid Govspeak, invalid HTML, any JavaScript or images hosted on sites except for #{ALLOWED_IMAGE_HOSTS.join(', ')}"
|
|
34
|
+
record.errors.add(field_name, error)
|
|
40
35
|
end
|
|
41
36
|
end
|
|
42
37
|
end
|
|
@@ -20,7 +20,7 @@ Gem::Specification.new do |gem|
|
|
|
20
20
|
gem.add_dependency "gds-api-adapters", ">= 10.9.0"
|
|
21
21
|
|
|
22
22
|
gem.add_dependency "gds-sso", ">= 7.0.0", "< 10.0.0"
|
|
23
|
-
gem.add_dependency "govspeak", "~>
|
|
23
|
+
gem.add_dependency "govspeak", "~> 3.1.0"
|
|
24
24
|
# Mongoid 2.5.0 supports the newer 1.7.x and 1.8.x Mongo drivers
|
|
25
25
|
gem.add_dependency "mongoid", "~> 2.5"
|
|
26
26
|
gem.add_dependency "plek"
|
|
@@ -58,6 +58,17 @@ class SafeHtmlTest < ActiveSupport::TestCase
|
|
|
58
58
|
assert_includes dummy.errors.keys, :undeclared
|
|
59
59
|
end
|
|
60
60
|
|
|
61
|
+
should "disallow images not hosted by us" do
|
|
62
|
+
dummy = Dummy.new(undeclared: '<img src="http://evil.com/trollface"/>')
|
|
63
|
+
assert dummy.invalid?
|
|
64
|
+
assert_includes dummy.errors.keys, :undeclared
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
should "allow images hosted by us" do
|
|
68
|
+
dummy = Dummy.new(undeclared: '<img src="http://www.dev.gov.uk/trollface"/>')
|
|
69
|
+
assert dummy.valid?
|
|
70
|
+
end
|
|
71
|
+
|
|
61
72
|
should "allow plain text" do
|
|
62
73
|
dummy = Dummy.new(declared: "foo bar")
|
|
63
74
|
assert dummy.valid?
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: govuk_content_models
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version:
|
|
4
|
+
version: 19.0.0
|
|
5
5
|
prerelease:
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2014-08-
|
|
12
|
+
date: 2014-08-19 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: bson_ext
|
|
@@ -88,7 +88,7 @@ dependencies:
|
|
|
88
88
|
requirements:
|
|
89
89
|
- - ~>
|
|
90
90
|
- !ruby/object:Gem::Version
|
|
91
|
-
version:
|
|
91
|
+
version: 3.1.0
|
|
92
92
|
type: :runtime
|
|
93
93
|
prerelease: false
|
|
94
94
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -96,7 +96,7 @@ dependencies:
|
|
|
96
96
|
requirements:
|
|
97
97
|
- - ~>
|
|
98
98
|
- !ruby/object:Gem::Version
|
|
99
|
-
version:
|
|
99
|
+
version: 3.1.0
|
|
100
100
|
- !ruby/object:Gem::Dependency
|
|
101
101
|
name: mongoid
|
|
102
102
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -460,7 +460,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
460
460
|
version: '0'
|
|
461
461
|
segments:
|
|
462
462
|
- 0
|
|
463
|
-
hash:
|
|
463
|
+
hash: 874598308746352003
|
|
464
464
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
465
465
|
none: false
|
|
466
466
|
requirements:
|
|
@@ -469,7 +469,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
469
469
|
version: '0'
|
|
470
470
|
segments:
|
|
471
471
|
- 0
|
|
472
|
-
hash:
|
|
472
|
+
hash: 874598308746352003
|
|
473
473
|
requirements: []
|
|
474
474
|
rubyforge_project:
|
|
475
475
|
rubygems_version: 1.8.23
|